[ 73.704468][ T26] audit: type=1804 audit(1569913768.372:46): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=ToMToU comm="init" name="/run/utmp" dev="sda1" ino=1421 res=1
[ 73.727701][ T26] audit: type=1804 audit(1569913768.402:47): pid=9126 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=ToMToU comm="init" name="/run/utmp" dev="sda1" ino=1421 res=1
[ 73.749446][ T26] audit: type=1804 audit(1569913768.402:48): pid=9128 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=ToMToU comm="init" name="/run/utmp" dev="sda1" ino=1421 res=1
[ 73.772104][ T26] audit: type=1804 audit(1569913768.442:49): pid=9122 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=ToMToU comm="init" name="/run/utmp" dev="sda1" ino=1421 res=1
[ 73.792465][ T26] audit: type=1804 audit(1569913768.442:50): pid=9124 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 op=invalid_pcr cause=ToMToU comm="init" name="/run/utmp" dev="sda1" ino=1421 res=1
Debian GNU/Linux 7 syzkaller ttyS0
syzkaller login: [ 526.891244][ T26] kauditd_printk_skb: 12 callbacks suppressed
[ 526.891260][ T26] audit: type=1400 audit(1569914221.562:63): avc: denied { map } for pid=9145 comm="sh" path="/bin/dash" dev="sda1" ino=1473 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
Warning: Permanently added '10.128.10.38' (ECDSA) to the list of known hosts.
2019/10/01 07:24:42 parsed 1 programs
[ 987.591424][ T26] audit: type=1400 audit(1569914682.262:64): avc: denied { map } for pid=9152 comm="syz-execprog" path="/root/syz-execprog" dev="sda1" ino=16502 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 987.670663][ T26] audit: type=1400 audit(1569914682.342:65): avc: denied { map } for pid=9152 comm="syz-execprog" path="/sys/kernel/debug/kcov" dev="debugfs" ino=16521 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=1
2019/10/01 07:24:43 executed programs: 0
[ 989.161296][ T9167] IPVS: ftp: loaded support on port[0] = 21
[ 989.236780][ T9167] chnl_net:caif_netlink_parms(): no params data found
[ 989.266722][ T9167] bridge0: port 1(bridge_slave_0) entered blocking state
[ 989.274482][ T9167] bridge0: port 1(bridge_slave_0) entered disabled state
[ 989.282678][ T9167] device bridge_slave_0 entered promiscuous mode
[ 989.291180][ T9167] bridge0: port 2(bridge_slave_1) entered blocking state
[ 989.298611][ T9167] bridge0: port 2(bridge_slave_1) entered disabled state
[ 989.306393][ T9167] device bridge_slave_1 entered promiscuous mode
[ 989.323948][ T9167] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 989.335233][ T9167] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 989.356442][ T9167] team0: Port device team_slave_0 added
[ 989.364142][ T9167] team0: Port device team_slave_1 added
[ 989.447606][ T9167] device hsr_slave_0 entered promiscuous mode
[ 989.525813][ T9167] device hsr_slave_1 entered promiscuous mode
[ 989.585206][ T9167] bridge0: port 2(bridge_slave_1) entered blocking state
[ 989.592764][ T9167] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 989.600876][ T9167] bridge0: port 1(bridge_slave_0) entered blocking state
[ 989.608033][ T9167] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 989.645942][ T9167] 8021q: adding VLAN 0 to HW filter on device bond0
[ 989.659000][ T2963] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 989.680432][ T2963] bridge0: port 1(bridge_slave_0) entered disabled state
[ 989.688745][ T2963] bridge0: port 2(bridge_slave_1) entered disabled state
[ 989.697582][ T2963] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 989.709918][ T9167] 8021q: adding VLAN 0 to HW filter on device team0
[ 989.721252][ T9171] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 989.730339][ T9171] bridge0: port 1(bridge_slave_0) entered blocking state
[ 989.737607][ T9171] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 989.750513][ T2963] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 989.759838][ T2963] bridge0: port 2(bridge_slave_1) entered blocking state
[ 989.766961][ T2963] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 989.784241][ T9171] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 989.794319][ T9171] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 989.807321][ T2963] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 989.822321][ T9167] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 989.835284][ T9167] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 989.847520][ T9171] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 989.858653][ T9171] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 989.867713][ T9171] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
[ 989.886172][ T9167] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 989.927271][ T26] audit: type=1400 audit(1569914684.602:66): avc: denied { associate } for pid=9167 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
[ 1153.345632][ T1064] INFO: task syz-executor.0:9184 blocked for more than 143 seconds.
[ 1153.353865][ T1064] Not tainted 5.4.0-rc1 #0
[ 1153.359586][ T1064] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[ 1153.368791][ T1064] syz-executor.0 D28184 9184 9167 0x00004004
[ 1153.375170][ T1064] Call Trace:
[ 1153.378745][ T1064] __schedule+0x94f/0x1e70
[ 1153.383222][ T1064] ? __sched_text_start+0x8/0x8
[ 1153.388333][ T1064] ? __kasan_check_read+0x11/0x20
[ 1153.393514][ T1064] ? __lock_acquire+0x16f2/0x4a00
[ 1153.399182][ T1064] schedule+0xd9/0x260
[ 1153.403330][ T1064] schedule_timeout+0x717/0xc50
[ 1153.408266][ T1064] ? find_held_lock+0x35/0x130
[ 1153.413042][ T1064] ? usleep_range+0x170/0x170
[ 1153.417803][ T1064] ? lock_downgrade+0x920/0x920
[ 1153.422666][ T1064] ? _raw_spin_unlock_irq+0x28/0x90
[ 1153.427984][ T1064] ? wait_for_completion+0x294/0x440
[ 1153.433393][ T1064] ? _raw_spin_unlock_irq+0x28/0x90
[ 1153.438705][ T1064] ? lockdep_hardirqs_on+0x421/0x5e0
[ 1153.444007][ T1064] ? trace_hardirqs_on+0x67/0x240
[ 1153.449123][ T1064] ? __kasan_check_read+0x11/0x20
[ 1153.454164][ T1064] wait_for_completion+0x29c/0x440
[ 1153.459349][ T1064] ? wait_for_completion_interruptible+0x470/0x470
[ 1153.465942][ T1064] ? wake_up_q+0xf0/0xf0
[ 1153.470189][ T1064] ? __rcu_read_unlock+0x220/0x6b0
[ 1153.475390][ T1064] ? __kasan_check_read+0x11/0x20
[ 1153.480421][ T1064] __flush_work+0x508/0xa60
[ 1153.484915][ T1064] ? queue_delayed_work_on+0x210/0x210
[ 1153.490565][ T1064] ? init_pwq+0x360/0x360
[ 1153.494919][ T1064] ? __cancel_work_timer+0xc4/0x540
[ 1153.500222][ T1064] ? __cancel_work_timer+0x1e0/0x540
[ 1153.505661][ T1064] ? cancel_work_sync+0x18/0x20
[ 1153.510577][ T1064] ? __cancel_work_timer+0x1e0/0x540
[ 1153.516206][ T1064] ? lockdep_hardirqs_on+0x421/0x5e0
[ 1153.521735][ T1064] ? trace_hardirqs_on+0x67/0x240
[ 1153.527059][ T1064] __cancel_work_timer+0x3d9/0x540
[ 1153.532268][ T1064] ? p9_fd_close+0x29e/0x570
[ 1153.536963][ T1064] ? mod_delayed_work_on+0x200/0x200
[ 1153.542283][ T1064] ? lock_downgrade+0x920/0x920
[ 1153.547225][ T1064] ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[ 1153.553067][ T1064] ? p9_fd_close+0x29e/0x570
[ 1153.557740][ T1064] ? _raw_spin_unlock_irqrestore+0x6b/0xe0
[ 1153.563607][ T1064] ? lockdep_hardirqs_on+0x421/0x5e0
[ 1153.569013][ T1064] ? trace_hardirqs_on+0x67/0x240
[ 1153.574185][ T1064] ? __kasan_check_read+0x11/0x20
[ 1153.579306][ T1064] cancel_work_sync+0x18/0x20
[ 1153.584008][ T1064] p9_fd_close+0x329/0x570
[ 1153.588535][ T1064] p9_client_create+0x98c/0x1430
[ 1153.593583][ T1064] ? rcu_lockdep_current_cpu_online+0xe3/0x130
[ 1153.599851][ T1064] ? p9_client_zc_rpc.constprop.0+0x1120/0x1120
[ 1153.606184][ T1064] ? lockdep_init_map+0x1be/0x6d0
[ 1153.611227][ T1064] v9fs_session_init+0x1e7/0x18c0
[ 1153.616342][ T1064] ? v9fs_session_init+0x1e7/0x18c0
[ 1153.621559][ T1064] ? fs_reclaim_acquire.part.0+0x30/0x30
[ 1153.628345][ T1064] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 1153.634630][ T1064] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 1153.640942][ T1064] ? debug_smp_processor_id+0x3c/0x214
[ 1153.646500][ T1064] ? rcu_lockdep_current_cpu_online+0xe3/0x130
[ 1153.652682][ T1064] ? v9fs_show_options+0x7e0/0x7e0
[ 1153.658084][ T1064] ? rcu_read_lock_sched_held+0x9c/0xd0
[ 1153.663654][ T1064] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 1153.669843][ T1064] ? __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 1153.675769][ T1064] ? kmem_cache_alloc_trace+0x397/0x790
[ 1153.681347][ T1064] v9fs_mount+0x7d/0x990
[ 1153.685740][ T1064] ? security_capable+0x95/0xc0
[ 1153.690616][ T1064] ? v9fs_write_inode+0x70/0x70
[ 1153.695543][ T1064] legacy_get_tree+0x108/0x220
[ 1153.700321][ T1064] vfs_get_tree+0x8e/0x300
[ 1153.704745][ T1064] do_mount+0x143d/0x1d10
[ 1153.709164][ T1064] ? copy_mount_string+0x40/0x40
[ 1153.714128][ T1064] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 1153.720610][ T1064] ? copy_mount_options+0x2e8/0x3f0
[ 1153.725928][ T1064] ksys_mount+0xdb/0x150
[ 1153.730195][ T1064] __x64_sys_mount+0xbe/0x150
[ 1153.734860][ T1064] do_syscall_64+0xfa/0x760
[ 1153.739458][ T1064] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1153.745563][ T1064] RIP: 0033:0x459a29
[ 1153.749654][ T1064] Code: Bad RIP value.
[ 1153.753826][ T1064] RSP: 002b:00007ffbe7420c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 1153.762587][ T1064] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000459a29
[ 1153.770852][ T1064] RDX: 0000000020000140 RSI: 0000000020000000 RDI: 0000000000000000
[ 1153.778978][ T1064] RBP: 000000000075c118 R08: 00000000200005c0 R09: 0000000000000000
[ 1153.787197][ T1064] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffbe74216d4
[ 1153.795170][ T1064] R13: 00000000004c5fdb R14: 00000000004dacd8 R15: 00000000ffffffff
[ 1153.804197][ T1064]
[ 1153.804197][ T1064] Showing all locks held in the system:
[ 1153.812011][ T1064] 1 lock held by khungtaskd/1064:
[ 1153.817083][ T1064] #0: ffffffff88faad00 (rcu_read_lock){....}, at: debug_show_all_locks+0x5f/0x27e
[ 1153.826487][ T1064] 1 lock held by rsyslogd/9000:
[ 1153.831329][ T1064] #0: ffff8880942ce3e0 (&f->f_pos_lock){+.+.}, at: __fdget_pos+0xee/0x110
[ 1153.839991][ T1064] 2 locks held by getty/9122:
[ 1153.844659][ T1064] #0: ffff88808aaa6d90 (&tty->ldisc_sem){++++}, at: ldsem_down_read+0x33/0x40
[ 1153.853736][ T1064] #1: ffffc90005f592e0 (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x232/0x1c10
[ 1153.863548][ T1064] 2 locks held by getty/9123:
[ 1153.868309][ T1064] #0: ffff88808c9a15d0 (&tty->ldisc_sem){++++}, at: ldsem_down_read+0x33/0x40
[ 1153.877354][ T1064] #1: ffffc90005f512e0 (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x232/0x1c10
[ 1153.886999][ T1064] 2 locks held by getty/9124:
[ 1153.891671][ T1064] #0: ffff8880a7ee6dd0 (&tty->ldisc_sem){++++}, at: ldsem_down_read+0x33/0x40
[ 1153.900789][ T1064] #1: ffffc90005f5d2e0 (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x232/0x1c10
[ 1153.910476][ T1064] 2 locks held by getty/9125:
[ 1153.915159][ T1064] #0: ffff8880a38e6150 (&tty->ldisc_sem){++++}, at: ldsem_down_read+0x33/0x40
[ 1153.924203][ T1064] #1: ffffc90005f492e0 (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x232/0x1c10
[ 1153.933863][ T1064] 2 locks held by getty/9126:
[ 1153.938727][ T1064] #0: ffff8880a4a02d10 (&tty->ldisc_sem){++++}, at: ldsem_down_read+0x33/0x40
[ 1153.947923][ T1064] #1: ffffc90005f4d2e0 (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x232/0x1c10
[ 1153.957566][ T1064] 2 locks held by getty/9127:
[ 1153.962330][ T1064] #0: ffff8880a7bfe290 (&tty->ldisc_sem){++++}, at: ldsem_down_read+0x33/0x40
[ 1153.971433][ T1064] #1: ffffc90005f352e0 (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x232/0x1c10
[ 1153.981114][ T1064] 2 locks held by getty/9128:
[ 1153.985927][ T1064] #0: ffff88809c5fac10 (&tty->ldisc_sem){++++}, at: ldsem_down_read+0x33/0x40
[ 1153.995041][ T1064] #1: ffffc90005f2d2e0 (&ldata->atomic_read_lock){+.+.}, at: n_tty_read+0x232/0x1c10
[ 1154.004907][ T1064] 2 locks held by kworker/1:2/9171:
[ 1154.010160][ T1064] #0: ffff8880aa4278e8 ((wq_completion)events){+.+.}, at: process_one_work+0x88b/0x1740
[ 1154.020053][ T1064] #1: ffff88809705fdc0 ((work_completion)(&m->wq)){+.+.}, at: process_one_work+0x8c1/0x1740
[ 1154.030300][ T1064]
[ 1154.032613][ T1064] =============================================
[ 1154.032613][ T1064]
[ 1154.041083][ T1064] NMI backtrace for cpu 1
[ 1154.045475][ T1064] CPU: 1 PID: 1064 Comm: khungtaskd Not tainted 5.4.0-rc1 #0
[ 1154.052825][ T1064] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1154.062885][ T1064] Call Trace:
[ 1154.066245][ T1064] dump_stack+0x172/0x1f0
[ 1154.070694][ T1064] nmi_cpu_backtrace.cold+0x70/0xb2
[ 1154.075916][ T1064] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 1154.082567][ T1064] ? lapic_can_unplug_cpu.cold+0x3a/0x3a
[ 1154.088269][ T1064] nmi_trigger_cpumask_backtrace+0x23b/0x28b
[ 1154.094231][ T1064] arch_trigger_cpumask_backtrace+0x14/0x20
[ 1154.100101][ T1064] watchdog+0x9d0/0xef0
[ 1154.104242][ T1064] kthread+0x361/0x430
[ 1154.108301][ T1064] ? reset_hung_task_detector+0x30/0x30
[ 1154.113823][ T1064] ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 1154.120045][ T1064] ret_from_fork+0x24/0x30
[ 1154.124551][ T1064] Sending NMI from CPU 1 to CPUs 0:
[ 1154.129877][ C0] NMI backtrace for cpu 0 skipped: idling at native_safe_halt+0xe/0x10
[ 1154.130811][ T1064] Kernel panic - not syncing: hung_task: blocked tasks
[ 1154.145076][ T1064] CPU: 1 PID: 1064 Comm: khungtaskd Not tainted 5.4.0-rc1 #0
[ 1154.152424][ T1064] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 1154.162458][ T1064] Call Trace:
[ 1154.165815][ T1064] dump_stack+0x172/0x1f0
[ 1154.170222][ T1064] panic+0x2dc/0x755
[ 1154.174107][ T1064] ? add_taint.cold+0x16/0x16
[ 1154.178779][ T1064] ? __sanitizer_cov_trace_cmp4+0x16/0x20
[ 1154.184475][ T1064] ? printk_safe_flush+0xf2/0x140
[ 1154.189488][ T1064] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20
[ 1154.195711][ T1064] ? nmi_trigger_cpumask_backtrace+0x224/0x28b
[ 1154.201856][ T1064] ? nmi_trigger_cpumask_backtrace+0x21b/0x28b
[ 1154.207995][ T1064] watchdog+0x9e1/0xef0
[ 1154.212139][ T1064] kthread+0x361/0x430
[ 1154.216197][ T1064] ? reset_hung_task_detector+0x30/0x30
[ 1154.221717][ T1064] ? kthread_cancel_delayed_work_sync+0x20/0x20
[ 1154.227934][ T1064] ret_from_fork+0x24/0x30
[ 1154.234125][ T1064] Kernel Offset: disabled
[ 1154.238522][ T1064] Rebooting in 86400 seconds..