./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor4104273652 <...> Warning: Permanently added '10.128.0.133' (ED25519) to the list of known hosts. execve("./syz-executor4104273652", ["./syz-executor4104273652"], 0x7ffc535b4fa0 /* 10 vars */) = 0 brk(NULL) = 0x5555602a6000 brk(0x5555602a6d40) = 0x5555602a6d40 arch_prctl(ARCH_SET_FS, 0x5555602a63c0) = 0 set_tid_address(0x5555602a6690) = 5805 set_robust_list(0x5555602a66a0, 24) = 0 rseq(0x5555602a6ce0, 0x20, 0, 0x53053053) = 0 prlimit64(0, RLIMIT_STACK, NULL, {rlim_cur=8192*1024, rlim_max=RLIM64_INFINITY}) = 0 readlink("/proc/self/exe", "/root/syz-executor4104273652", 4096) = 28 getrandom("\xe0\x64\xd8\x25\x1e\xfe\x6d\x00", 8, GRND_NONBLOCK) = 8 brk(NULL) = 0x5555602a6d40 brk(0x5555602c7d40) = 0x5555602c7d40 brk(0x5555602c8000) = 0x5555602c8000 mprotect(0x7f7589fe1000, 16384, PROT_READ) = 0 mmap(0x1ffffffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffffffff000 mmap(0x200000000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200000000000 mmap(0x200001000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x200001000000 socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE) = 3 socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC) = 4 sendto(4, [{nlmsg_len=36, nlmsg_type=0x10 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x03\x00\x00\x00\x0d\x00\x02\x00\x6e\x6c\x38\x30\x32\x31\x35\x34\x00\x00\x00\x00"], 36, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 36 recvfrom(4, [{nlmsg_len=864, nlmsg_type=nlctrl, nlmsg_flags=0, nlmsg_seq=0, nlmsg_pid=5805}, "\x01\x02\x00\x00\x0d\x00\x02\x00\x6e\x6c\x38\x30\x32\x31\x35\x34\x00\x00\x00\x00\x06\x00\x01\x00\x1d\x00\x00\x00\x08\x00\x03\x00\x01\x00\x00\x00\x08\x00\x04\x00\x00\x00\x00\x00\x08\x00\x05\x00\x30\x00\x00\x00\xe8\x02\x06\x00\x14\x00\x01\x00\x08\x00\x01\x00\x01\x00\x00\x00\x08\x00\x02\x00\x0e\x00\x00\x00\x14\x00\x02\x00\x08\x00\x01\x00\x05\x00\x00\x00\x08\x00\x02\x00\x0e\x00\x00\x00\x14\x00\x03\x00"...], 4096, 0, NULL, NULL) = 864 recvfrom(4, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=5805}, {error=0, msg={nlmsg_len=36, nlmsg_type=nlctrl, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 5 ioctl(5, SIOCGIFINDEX, {ifr_name="wpan0", ifr_ifindex=11}) = 0 close(5) = 0 sendto(4, [{nlmsg_len=36, nlmsg_type=nl802154, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x0b\x00\x00\x00\x08\x00\x03\x00\x0b\x00\x00\x00\x06\x00\x0a\x00\xa0\xaa\x00\x00"], 36, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 36 recvfrom(4, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=5805}, {error=0, msg={nlmsg_len=36, nlmsg_type=nl802154, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 5 ioctl(5, SIOCGIFINDEX, {ifr_name="wpan0", ifr_ifindex=11}) = 0 close(5) = 0 sendto(3, [{nlmsg_len=44, nlmsg_type=0x10 /* NLMSG_??? */, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x00\x00\x00\x00\x0b\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x0c\x00\x01\x00\x02\x00\xaa\xaa\xaa\xaa\xaa\xaa"], 44, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 44 recvfrom(3, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=5805}, {error=0, msg={nlmsg_len=44, nlmsg_type=RTM_NEWLINK, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 sendto(3, [{nlmsg_len=68, nlmsg_type=RTM_NEWLINK, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|NLM_F_EXCL|NLM_F_CREATE, nlmsg_seq=0, nlmsg_pid=0}, {ifi_family=AF_UNSPEC, ifi_type=ARPHRD_NETROM, ifi_index=0, ifi_flags=0, ifi_change=0}, [[{nla_len=11, nla_type=IFLA_IFNAME}, "lowpan0"...], [{nla_len=16, nla_type=IFLA_LINKINFO}, [{nla_len=10, nla_type=IFLA_INFO_KIND}, "lowpan"...]], [{nla_len=8, nla_type=IFLA_LINK}, 11]]], 68, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 68 recvfrom(3, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=5805}, {error=0, msg={nlmsg_len=68, nlmsg_type=RTM_NEWLINK, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK|NLM_F_EXCL|NLM_F_CREATE, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 5 ioctl(5, SIOCGIFINDEX, {ifr_name="wpan1", ifr_ifindex=12}) = 0 close(5) = 0 sendto(4, [{nlmsg_len=36, nlmsg_type=nl802154, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, "\x0b\x00\x00\x00\x08\x00\x03\x00\x0c\x00\x00\x00\x06\x00\x0a\x00\xa1\xaa\x00\x00"], 36, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 36 recvfrom(4, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=5805}, {error=0, msg={nlmsg_len=36, nlmsg_type=nl802154, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 5 ioctl(5, SIOCGIFINDEX, {ifr_name="wpan1", ifr_ifindex=12}) = 0 close(5) = 0 sendto(3, [{nlmsg_len=44, nlmsg_type=RTM_NEWLINK, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}, {ifi_family=AF_UNSPEC, ifi_type=ARPHRD_NETROM, ifi_index=if_nametoindex("wpan1"), ifi_flags=IFF_UP, ifi_change=0x1}, [{nla_len=12, nla_type=IFLA_ADDRESS}, 02:01:aa:aa:aa:aa:aa]], 44, 0, {sa_family=AF_NETLINK, nl_pid=0, nl_groups=00000000}, 12) = 44 recvfrom(3, [{nlmsg_len=36, nlmsg_type=NLMSG_ERROR, nlmsg_flags=NLM_F_CAPPED, nlmsg_seq=0, nlmsg_pid=5805}, {error=0, msg={nlmsg_len=44, nlmsg_type=RTM_NEWLINK, nlmsg_flags=NLM_F_REQUEST|NLM_F_ACK, nlmsg_seq=0, nlmsg_pid=0}}], 4096, 0, NULL, NULL) = 36 close(3) = 0 close(4) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 5807 attached [pid 5807] set_robust_list(0x5555602a66a0, 24) = 0 [pid 5805] <... clone resumed>, child_tidptr=0x5555602a6690) = 5807 [pid 5807] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 5807] setpgid(0, 0) = 0 [pid 5807] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 executing program [pid 5807] write(3, "1000", 4) = 4 [pid 5807] close(3) = 0 [pid 5807] write(1, "executing program\n", 18) = 18 [pid 5807] futex(0x7f7589fe730c, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5807] rt_sigaction(SIGRT_1, {sa_handler=0x7f7589f8b710, sa_mask=[], sa_flags=SA_RESTORER|SA_ONSTACK|SA_RESTART|SA_SIGINFO, sa_restorer=0x7f7589f7d520}, NULL, 8) = 0 [pid 5807] rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0 [pid 5807] mmap(NULL, 135168, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS|MAP_STACK, -1, 0) = 0x7f7589ef5000 [pid 5807] mprotect(0x7f7589ef6000, 131072, PROT_READ|PROT_WRITE) = 0 [pid 5807] rt_sigprocmask(SIG_BLOCK, ~[], [], 8) = 0 [pid 5807] clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7f7589f15990, parent_tid=0x7f7589f15990, exit_signal=0, stack=0x7f7589ef5000, stack_size=0x20300, tls=0x7f7589f156c0}./strace-static-x86_64: Process 5808 attached [pid 5808] rseq(0x7f7589f15fe0, 0x20, 0, 0x53053053) = 0 [pid 5807] <... clone3 resumed> => {parent_tid=[5808]}, 88) = 5808 [pid 5808] set_robust_list(0x7f7589f159a0, 24 [pid 5807] rt_sigprocmask(SIG_SETMASK, [], [pid 5808] <... set_robust_list resumed>) = 0 [pid 5807] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5808] rt_sigprocmask(SIG_SETMASK, [], [pid 5807] futex(0x7f7589fe7308, FUTEX_WAKE_PRIVATE, 1000000 [pid 5808] <... rt_sigprocmask resumed>NULL, 8) = 0 [pid 5807] <... futex resumed>) = 0 [pid 5808] openat(AT_FDCWD, "/dev/comedi1", O_RDONLY|O_EXCL|O_NOCTTY|FASYNC [pid 5807] futex(0x7f7589fe730c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5808] <... openat resumed>) = 3 [pid 5808] futex(0x7f7589fe730c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5807] <... futex resumed>) = 0 [pid 5808] futex(0x7f7589fe7308, FUTEX_WAIT_PRIVATE, 0, NULL [pid 5807] futex(0x7f7589fe7308, FUTEX_WAKE_PRIVATE, 1000000 [pid 5808] <... futex resumed>) = -1 EAGAIN (Resource temporarily unavailable) [pid 5807] <... futex resumed>) = 0 [pid 5807] futex(0x7f7589fe730c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [pid 5808] ioctl(3, COMEDI_DEVCONFIG, 0x200000000300) = 0 [pid 5808] futex(0x7f7589fe730c, FUTEX_WAKE_PRIVATE, 1000000) = 1 [pid 5807] <... futex resumed>) = 0 [pid 5807] futex(0x7f7589fe7308, FUTEX_WAKE_PRIVATE, 1000000) = 0 [pid 5807] futex(0x7f7589fe730c, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=50000000} [ 217.735321][ T5808] ===================================================== [ 217.743092][ T5808] BUG: KMSAN: kernel-infoleak in _copy_to_user+0xcc/0x120 [ 217.750604][ T5808] _copy_to_user+0xcc/0x120 [ 217.755783][ T5808] do_insn_ioctl+0x59c/0x6d0 [ 217.760802][ T5808] comedi_unlocked_ioctl+0x1432/0x1e80 [ 217.766587][ T5808] __se_sys_ioctl+0x23c/0x400 [ 217.771826][ T5808] __x64_sys_ioctl+0x97/0xe0 [ 217.776769][ T5808] x64_sys_call+0x1ebe/0x3db0 [ 217.782036][ T5808] do_syscall_64+0xd9/0x210 [ 217.787333][ T5808] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 217.793745][ T5808] [ 217.796207][ T5808] Uninit was created at: [ 217.800848][ T5808] __kmalloc_noprof+0x95f/0x1310 [ 217.806248][ T5808] do_insn_ioctl+0x108/0x6d0 [ 217.811486][ T5808] comedi_unlocked_ioctl+0x1432/0x1e80 [ 217.817195][ T5808] __se_sys_ioctl+0x23c/0x400 [ 217.822426][ T5808] __x64_sys_ioctl+0x97/0xe0 [ 217.827318][ T5808] x64_sys_call+0x1ebe/0x3db0 [pid 5808] ioctl(3, COMEDI_INSN [pid 5807] <... futex resumed>) = -1 ETIMEDOUT (Connection timed out) [ 217.832605][ T5808] do_syscall_64+0xd9/0x210 [ 217.837339][ T5808] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 217.843722][ T5808] [ 217.846197][ T5808] Bytes 4-59 of 60 are uninitialized [ 217.851792][ T5808] Memory access of size 60 starts at ffff88811c38af00 [ 217.858749][ T5808] Data copied to user address 0000200000000080 [ 217.865242][ T5808] [ 217.867732][ T5808] CPU: 1 UID: 0 PID: 5808 Comm: syz-executor410 Not tainted 6.16.0-rc7-syzkaller #0 PREEMPT(none) [ 217.878835][ T5808] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 217.889280][ T5808] ===================================================== [ 217.896657][ T5808] Disabling lock debugging due to kernel taint [ 217.903367][ T5808] Kernel panic - not syncing: kmsan.panic set ... [ 217.910102][ T5808] CPU: 1 UID: 0 PID: 5808 Comm: syz-executor410 Tainted: G B 6.16.0-rc7-syzkaller #0 PREEMPT(none) [ 217.922773][ T5808] Tainted: [B]=BAD_PAGE [ 217.927200][ T5808] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 [ 217.937582][ T5808] Call Trace: [ 217.941135][ T5808] [ 217.944459][ T5808] __dump_stack+0x26/0x30 [ 217.948995][ T5808] dump_stack_lvl+0x53/0x270 [ 217.953865][ T5808] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0 [ 217.960042][ T5808] dump_stack+0x1e/0x25 [ 217.964421][ T5808] panic+0x4bd/0xd50 [ 217.968666][ T5808] kmsan_report+0x31c/0x320 [ 217.973344][ T5808] ? kmsan_internal_check_memory+0x1e1/0x230 [ 217.979695][ T5808] ? kmsan_copy_to_user+0xf1/0x190 [ 217.984979][ T5808] ? _copy_to_user+0xcc/0x120 [ 217.989986][ T5808] ? do_insn_ioctl+0x59c/0x6d0 [ 217.995045][ T5808] ? comedi_unlocked_ioctl+0x1432/0x1e80 [ 218.000875][ T5808] ? __se_sys_ioctl+0x23c/0x400 [ 218.006025][ T5808] ? __x64_sys_ioctl+0x97/0xe0 [ 218.011143][ T5808] ? x64_sys_call+0x1ebe/0x3db0 [ 218.016358][ T5808] ? do_syscall_64+0xd9/0x210 [ 218.021230][ T5808] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 218.027562][ T5808] ? kmsan_internal_unpoison_memory+0x14/0x20 [ 218.033936][ T5808] ? _raw_spin_unlock_irqrestore+0x3f/0x60 [ 218.040053][ T5808] ? stack_depot_save_flags+0x60f/0x7b0 [ 218.045930][ T5808] ? kmsan_get_metadata+0xfb/0x160 [ 218.051317][ T5808] ? kmsan_get_metadata+0xfb/0x160 [ 218.056669][ T5808] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0 [ 218.062747][ T5808] ? kmsan_get_metadata+0xfb/0x160 [ 218.068201][ T5808] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0 [ 218.074379][ T5808] ? kmsan_get_metadata+0xfb/0x160 [ 218.079738][ T5808] ? kmsan_get_shadow_origin_ptr+0x4a/0xb0 [ 218.085816][ T5808] kmsan_internal_check_memory+0x1e1/0x230 [ 218.091948][ T5808] kmsan_copy_to_user+0xf1/0x190 [ 218.097109][ T5808] _copy_to_user+0xcc/0x120 [ 218.101886][ T5808] do_insn_ioctl+0x59c/0x6d0 [ 218.106804][ T5808] comedi_unlocked_ioctl+0x1432/0x1e80 [ 218.112527][ T5808] ? kmsan_get_metadata+0xfb/0x160 [ 218.117931][ T5808] ? __pfx_comedi_unlocked_ioctl+0x10/0x10 [ 218.124037][ T5808] __se_sys_ioctl+0x23c/0x400 [ 218.129006][ T5808] __x64_sys_ioctl+0x97/0xe0 [ 218.133979][ T5808] x64_sys_call+0x1ebe/0x3db0 [ 218.138923][ T5808] do_syscall_64+0xd9/0x210 [ 218.143670][ T5808] ? irqentry_exit+0x16/0x60 [ 218.148467][ T5808] ? clear_bhb_loop+0x40/0x90 [ 218.153384][ T5808] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 218.159510][ T5808] RIP: 0033:0x7f7589f643d9 [ 218.164120][ T5808] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 e1 1c 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 [ 218.184068][ T5808] RSP: 002b:00007f7589f15218 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 218.192870][ T5808] RAX: ffffffffffffffda RBX: 00007f7589fe7308 RCX: 00007f7589f643d9 [ 218.201042][ T5808] RDX: 0000200000000000 RSI: 000000008028640c RDI: 0000000000000003 [ 218.209201][ T5808] RBP: 00007f7589fe7300 R08: 0000000000000000 R09: 0000000000000000 [ 218.217355][ T5808] R10: 0000000000000000 R11: 0000000000000246 R12: 0000200000000300 [ 218.225553][ T5808] R13: 0000200000000080 R14: 0000200000000008 R15: 0000200000000000 [ 218.233785][ T5808] [ 218.237239][ T5808] Kernel Offset: disabled [ 218.241671][ T5808] Rebooting in 86400 seconds..