./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor4244676959 <...> Warning: Permanently added '10.128.1.189' (ED25519) to the list of known hosts. execve("./syz-executor4244676959", ["./syz-executor4244676959"], 0x7ffef2071b00 /* 10 vars */) = 0 brk(NULL) = 0x55556ee23000 brk(0x55556ee23d40) = 0x55556ee23d40 arch_prctl(ARCH_SET_FS, 0x55556ee233c0) = 0 set_tid_address(0x55556ee23690) = 5047 set_robust_list(0x55556ee236a0, 24) = 0 rseq(0x55556ee23ce0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor4244676959", 4096) = 28 getrandom("\xf1\x60\xf4\xe2\xf7\xea\x86\xcd", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x55556ee23d40 brk(0x55556ee44d40) = 0x55556ee44d40 brk(0x55556ee45000) = 0x55556ee45000 mprotect(0x7fb3fa232000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x55556ee23690) = 5048 ./strace-static-x86_64: Process 5048 attached [pid 5048] set_robust_list(0x55556ee236a0, 24) = 0 [pid 5048] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5048] setpgid(0, 0) = 0 [pid 5048] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 executing program [pid 5048] write(3, "1000", 4) = 4 [pid 5048] close(3) = 0 [pid 5048] write(1, "executing program\n", 18) = 18 [pid 5048] futex(0x7fb3fa23836c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5048] rt_sigaction(SIGRT_1, {sa_handler=0x7fb3fa1d45b0, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7fb3fa1c5c30}, NULL, 8) = 0 [pid 5048] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5048] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fb3fa148000 [pid 5048] mprotect(0x7fb3fa149000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5048] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5048] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7fb3fa168990, parent_tid=0x7fb3fa168990, exit_signal=0, stack=0x7fb3fa148000, stack_size=0x20300, tls=0x7fb3fa1686c0}./strace-static-x86_64: Process 5049 attached [pid 5049] rseq(0x7fb3fa168fe0, 0x20, 0, 0x53053053) = 0 [pid 5048] <... clone3 resumed> => {parent_tid=[5049]}, 88) = 5049 [pid 5049] set_robust_list(0x7fb3fa1689a0, 24 [pid 5048] rt_sigprocmask(SIG_SETMASK, [], [pid 5049] <... set_robust_list resumed>) = 0 [pid 5048] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5049] rt_sigprocmask(SIG_SETMASK, [], [pid 5048] futex(0x7fb3fa238368, FUTEX_WAKE_PRIVATE, 1000000 [pid 5049] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5048] <... futex resumed>) = 0 [pid 5049] openat(AT_FDCWD, "/dev/virtual_nci", O_RDWR [pid 5048] futex(0x7fb3fa23836c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5049] <... openat resumed>) = 3 [pid 5049] futex(0x7fb3fa23836c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5048] <... futex resumed>) = 0 [pid 5048] futex(0x7fb3fa238368, FUTEX_WAKE_PRIVATE, 1000000 [pid 5049] ioctl(3, _IOC(_IOC_NONE, 0, 0, 0) [pid 5048] <... futex resumed>) = 0 [pid 5049] <... ioctl resumed>, 0x200000c0) = 0 [pid 5048] futex(0x7fb3fa23836c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5049] futex(0x7fb3fa23836c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5048] <... futex resumed>) = 0 [pid 5048] futex(0x7fb3fa238368, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5048] futex(0x7fb3fa23836c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5049] socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC) = 4 [pid 5049] futex(0x7fb3fa23836c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5048] <... futex resumed>) = 0 [pid 5048] futex(0x7fb3fa238368, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5048] futex(0x7fb3fa23836c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5049] bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_UNSPEC, insn_cnt=28, insns=0x200006c0, license=NULL, log_level=0, log_size=0, log_buf=NULL, kern_version=KERNEL_VERSION(0, 0, 0), prog_flags=0, prog_name="", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS, prog_btf_fd=-1, func_info_rec_size=0, func_info=NULL, func_info_cnt=0, line_info_rec_size=0, line_info=NULL, line_info_cnt=0, attach_btf_id=0, attach_prog_fd=0, fd_array=NULL}, 144) = -1 EFAULT (Bad address) [pid 5049] futex(0x7fb3fa23836c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5048] <... futex resumed>) = 0 [pid 5048] futex(0x7fb3fa238368, FUTEX_WAKE_PRIVATE, 1000000 [pid 5049] sendto(4, [{nlmsg_len=28, nlmsg_type=0x10 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x03\x00\x00\x00\x08\x00\x02\x00\x6e\x66\x63\x00"], 28, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12 [pid 5048] <... futex resumed>) = 0 [pid 5049] <... sendto resumed>) = 28 [pid 5048] futex(0x7fb3fa23836c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5049] recvfrom(4, [{nlmsg_len=472, nlmsg_type=nlctrl, nlmsg_flags=0, nlmsg_seq=0, nlmsg_pid=5048}, "\x01\x02\x00\x00\x08\x00\x02\x00\x6e\x66\x63\x00\x06\x00\x01\x00\x1e\x00\x00\x00\x08\x00\x03\x00\x01\x00\x00\x00\x08\x00\x04\x00\x00\x00\x00\x00\x08\x00\x05\x00\x1f\x00\x00\x00\x80\x01\x06\x00\x14\x00\x01\x00\x08\x00\x01\x00\x01\x00\x00\x00\x08\x00\x02\x00\x0e\x00\x00\x00\x14\x00\x02\x00\x08\x00\x01\x00\x02\x00\x00\x00\x08\x00\x02\x00\x0b\x00\x00\x00\x14\x00\x03\x00\x08\x00\x01\x00\x03\x00\x00\x00"...], 4096, 0, NULL, NULL) = 472 [pid 5049] recvfrom(4, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=5048}, {error=0, msg={nlmsg_len=28, nlmsg_type=nlctrl, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 [pid 5049] futex(0x7fb3fa23836c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5048] <... futex resumed>) = 0 [pid 5049] futex(0x7fb3fa238368, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5048] futex(0x7fb3fa238368, FUTEX_WAKE_PRIVATE, 1000000 [pid 5049] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5048] <... futex resumed>) = 0 [pid 5049] sendmsg(4, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="\x1c\x00\x00\x00\x1e\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x08\x00\x01\x00\x02\x00\x00\x00", iov_len=28}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0 [pid 5048] futex(0x7fb3fa23836c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000}) = -1 ETIMEDOUT (Connection timed out) [pid 5048] futex(0x7fb3fa23837c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5048] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7fb3fa127000 [pid 5048] mprotect(0x7fb3fa128000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5048] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5048] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7fb3fa147990, parent_tid=0x7fb3fa147990, exit_signal=0, stack=0x7fb3fa127000, stack_size=0x20300, tls=0x7fb3fa1476c0} => {parent_tid=[5054]}, 88) = 5054 ./strace-static-x86_64: Process 5054 attached [pid 5048] rt_sigprocmask(SIG_SETMASK, [], [pid 5054] rseq(0x7fb3fa147fe0, 0x20, 0, 0x53053053 [pid 5048] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5054] <... rseq resumed>) = 0 [pid 5048] futex(0x7fb3fa238378, FUTEX_WAKE_PRIVATE, 1000000 [pid 5054] set_robust_list(0x7fb3fa1479a0, 24 [pid 5048] <... futex resumed>) = 0 [pid 5048] futex(0x7fb3fa23837c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5054] <... set_robust_list resumed>) = 0 [pid 5054] rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0 [pid 5054] write(3, "\x61\x05\x01\x00\x08\x00\x00\x00\xb7\x04\x00\x00\x00\x00\x00", 15) = 15 [pid 5054] futex(0x7fb3fa23837c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5054] futex(0x7fb3fa238378, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5048] <... futex resumed>) = 0 [ 159.477312][ T3730] ===================================================== [ 159.484797][ T3730] BUG: KMSAN: uninit-value in nci_ntf_packet+0x27f4/0x39c0 [ 159.494764][ T3730] nci_ntf_packet+0x27f4/0x39c0 [ 159.499843][ T3730] nci_rx_work+0x288/0x5d0 [ 159.504826][ T3730] process_scheduled_works+0xa81/0x1bd0 [ 159.510586][ T3730] worker_thread+0xea5/0x1560 [ 159.515569][ T3730] kthread+0x3e2/0x540 [ 159.519839][ T3730] ret_from_fork+0x6d/0x90 [ 159.524566][ T3730] ret_from_fork_asm+0x1a/0x30 [ 159.529581][ T3730] [ 159.532013][ T3730] Uninit was created at: [ 159.536664][ T3730] kmem_cache_alloc_node+0x622/0xc90 [ 159.542219][ T3730] kmalloc_reserve+0x13d/0x4a0 [ 159.547379][ T3730] __alloc_skb+0x35b/0x7a0 [ 159.552059][ T3730] virtual_ncidev_write+0x6d/0x290 [ 159.557442][ T3730] vfs_write+0x497/0x14d0 [ 159.562000][ T3730] ksys_write+0x20f/0x4c0 [ 159.566673][ T3730] __x64_sys_write+0x93/0xe0 [ 159.571494][ T3730] x64_sys_call+0x3062/0x3b50 [ 159.576552][ T3730] do_syscall_64+0xcf/0x1e0 [ 159.581273][ T3730] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 159.587521][ T3730] [ 159.589956][ T3730] CPU: 1 PID: 3730 Comm: kworker/u8:19 Not tainted 6.9.0-syzkaller-02707-g614da38e2f7a #0 [ 159.600205][ T3730] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 [ 159.610659][ T3730] Workqueue: nfc2_nci_rx_wq nci_rx_work [ 159.617946][ T3730] ===================================================== [ 159.625205][ T3730] Disabling lock debugging due to kernel taint [ 159.631571][ T3730] Kernel panic - not syncing: kmsan.panic set ... [ 159.638136][ T3730] CPU: 1 PID: 3730 Comm: kworker/u8:19 Tainted: G B 6.9.0-syzkaller-02707-g614da38e2f7a #0 [ 159.649711][ T3730] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/02/2024 [ 159.659950][ T3730] Workqueue: nfc2_nci_rx_wq nci_rx_work [ 159.665711][ T3730] Call Trace: [ 159.669103][ T3730] [ 159.672162][ T3730] dump_stack_lvl+0x216/0x2d0 [pid 5048] exit_group(0 [pid 5049] <... sendmsg resumed>) = ? [pid 5048] <... exit_group resumed>) = ? [ 159.677109][ T3730] ? kmsan_get_shadow_origin_ptr+0x4d/0xb0 [ 159.683229][ T3730] dump_stack+0x1e/0x30 [ 159.687605][ T3730] panic+0x4e2/0xcd0 [ 159.691711][ T3730] ? kmsan_get_metadata+0xf1/0x1d0 [ 159.697054][ T3730] kmsan_report+0x2d5/0x2e0 [ 159.701763][ T3730] ? kmsan_internal_chain_origin+0xb0/0xd0 [ 159.707817][ T3730] ? __msan_warning+0x95/0x120 [ 159.712771][ T3730] ? nci_ntf_packet+0x27f4/0x39c0 [ 159.717995][ T3730] ? nci_rx_work+0x288/0x5d0 [ 159.722740][ T3730] ? process_scheduled_works+0xa81/0x1bd0 [ 159.728642][ T3730] ? worker_thread+0xea5/0x1560 [ 159.733671][ T3730] ? kthread+0x3e2/0x540 [ 159.738101][ T3730] ? ret_from_fork+0x6d/0x90 [ 159.742853][ T3730] ? ret_from_fork_asm+0x1a/0x30 [ 159.747985][ T3730] ? ret_from_fork_asm+0x1a/0x30 [ 159.753120][ T3730] ? kmsan_internal_unpoison_memory+0x14/0x20 [ 159.759421][ T3730] ? kmsan_get_metadata+0x146/0x1d0 [ 159.764898][ T3730] ? kmsan_internal_set_shadow_origin+0x66/0xe0 [ 159.771369][ T3730] ? kmsan_get_metadata+0x146/0x1d0 [ 159.776776][ T3730] ? kmsan_get_shadow_origin_ptr+0x4d/0xb0 [ 159.782826][ T3730] ? _raw_spin_unlock_irqrestore+0x3f/0x60 [ 159.788932][ T3730] ? stack_depot_save_flags+0x66d/0x6e0 [ 159.794739][ T3730] ? kmsan_get_metadata+0x146/0x1d0 [ 159.800105][ T3730] ? kmsan_internal_set_shadow_origin+0x66/0xe0 [ 159.806564][ T3730] ? kmsan_get_metadata+0x146/0x1d0 [ 159.812134][ T3730] ? kmsan_get_shadow_origin_ptr+0x4d/0xb0 [ 159.818141][ T3730] __msan_warning+0x95/0x120 [ 159.822917][ T3730] nci_ntf_packet+0x27f4/0x39c0 [ 159.828053][ T3730] ? kmsan_get_metadata+0xf0/0x1d0 [ 159.833338][ T3730] ? get_ksm_page+0xa20/0x1990 [ 159.838326][ T3730] ? kmsan_internal_unpoison_memory+0x14/0x20 [ 159.844651][ T3730] nci_rx_work+0x288/0x5d0 [ 159.849268][ T3730] ? __pfx_nci_rx_work+0x10/0x10 [ 159.854443][ T3730] process_scheduled_works+0xa81/0x1bd0 [ 159.860213][ T3730] worker_thread+0xea5/0x1560 [ 159.865237][ T3730] kthread+0x3e2/0x540 [ 159.869541][ T3730] ? __pfx_worker_thread+0x10/0x10 [ 159.874839][ T3730] ? __pfx_kthread+0x10/0x10 [ 159.879609][ T3730] ret_from_fork+0x6d/0x90 [ 159.884210][ T3730] ? __pfx_kthread+0x10/0x10 [ 159.889044][ T3730] ret_from_fork_asm+0x1a/0x30 [ 159.894013][ T3730] [ 159.897447][ T3730] Kernel Offset: disabled [ 159.901836][ T3730] Rebooting in 86400 seconds..