kern.securelevel: 0 -> 1 creating runtime link editor directory cache. preserving editor files. starting network daemons: sshd. starting local daemons:. Tue Apr 2 17:00:41 PDT 2019 OpenBSD/amd64 (ci-openbsd-setuid-1.c.syzkaller.internal) (tty00) Warning: Permanently added '10.128.0.156' (ECDSA) to the list of known hosts. executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program 
executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program executing program login: witness: lock order reversal: 1st 0xfffffd807f00bcc0 vmmaplk (&map->lock) @ /syzkaller/managers/setuid/kernel/sys/uvm/uvm_fault.c:1444 2nd 0xfffffd807ecf04e0 inode (&ip->i_lock) @ /syzkaller/managers/setuid/kernel/sys/ufs/ufs/ufs_vnops.c:1547 lock order "&ip->i_lock"(rrwlock) -> "&map->lock"(rwlock) first seen at: #0 witness_checkorder+0x6cd #1 _rw_enter+0xd5 #2 vm_map_lock_ln+0x164 #3 uvm_map+0x2fb #4 km_alloc+0x1b7 #5 pool_multi_alloc_ni+0xe8 #6 pool_p_alloc+0x74 #7 pool_do_get+0x12b #8 pool_get+0x106 #9 ufsdirhash_build+0x420 #10 ufs_lookup+0x2c1 #11 VOP_LOOKUP+0x67 #12 vfs_lookup+0x556 #13 namei+0x4b2 #14 start_init+0xec #15 proc_trampoline+0x1c lock order "&map->lock"(rwlock) -> "&ip->i_lock"(rrwlock) first seen at: #0 witness_checkorder+0x6cd #1 _rw_enter+0xd5 #2 _rrw_enter+0x60 #3 VOP_LOCK+0x57 #4 vn_lock+0x6e #5 uvn_io+0x2fc #6 uvn_get+0x236 #7 uvm_fault+0x1312 #8 uvm_fault_wire+0x70 #9 uvm_map_pageable_wire+0x31d #10 sys_mlock+0x18b #11 syscall+0x5b8 #12 Xsyscall+0x128 Stopped at db_enter+0x18: addq $0x8,%rsp ddb{1}> ddb{1}> set $lines = 0 ddb{1}> set $maxwidth = 0 ddb{1}> show panic the kernel did not panic ddb{1}> trace db_enter() at db_enter+0x18 witness_checkorder(fffffd807ecf04e0,9,ffffffff81f40027,60b,0) at witness_checkorder+0x12ff 
_rw_enter(fffffd807ecf04d0,81,ffffffff81f40027,60b) at _rw_enter+0xd5
_rrw_enter(fffffd807ecf04d0,81,ffffffff81f40027,60b) at _rrw_enter+0x60
VOP_LOCK(fffffd8074ca4e80,81) at VOP_LOCK+0x57
vn_lock(fffffd8074ca4e80,81) at vn_lock+0x6e
uvn_io(fffffd8074875e20,ffff800020bd8f00,1,2,0) at uvn_io+0x2fc
uvn_get(fffffd8074875e20,3000,ffff800020bd9020,ffff800020bd9034,0,1) at uvn_get+0x236
uvm_fault(fffffd807f00bca8,20003000,2,3) at uvm_fault+0x1312
uvm_fault_wire(fffffd807f00bca8,20003000,20004000,3) at uvm_fault_wire+0x70
uvm_map_pageable_wire(fffffd807f00bca8,fffffd806d3c2390,fffffd806d3c2c18,0,0,0) at uvm_map_pageable_wire+0x31d
sys_mlock(ffff800020b15520,ffff800020bd93b8,ffff800020bd93a0) at sys_mlock+0x18b
syscall(ffff800020bd9450) at syscall+0x5b8
Xsyscall(6,0,6ce75c8d288,0,6ce75c8d268,6ce75c8d260) at Xsyscall+0x128
end of kernel
end trace frame: 0x6d115493790, count: -14
ddb{1}> show registers
rdi 0x3
rsi 0xffffffff8219cce0 __sancov_gen_cov_switch_values.127
rbp 0xffff800020bd8b30
rbx 0x3
rdx 0x8b
rcx 0x3
rax 0x3
r8 0xffffffff812a5a28 witness_checkorder+0x12d8
r9 0x5
r10 0x8951ad9bbd72a389
r11 0x1ef497fe77d0869d
r12 0xffffffff81f40027 cmd0646_9_tim_udma+0x336db
r13 0xfffffd8002640c30
r14 0xffffffff822e7ff0 w_lodata+0x4e3f0
r15 0xfffffd80026488e0
rip 0xffffffff818c8cf8 db_enter+0x18
cs 0x8
rflags 0x246
rsp 0xffff800020bd8b20
ss 0x10
db_enter+0x18: addq $0x8,%rsp
ddb{1}> show proc
PROC (syz-executor6841) pid=19707 stat=onproc
flags process=10 proc=4000000
pri=86, usrpri=86, nice=20
forw=0xffffffffffffffff, list=0xffff800020b14710,0xffff800020b14270
process=0xffff800020b3a9e8 user=0xffff800020bd4000, vmspace=0xfffffd807f00bca8
estcpu=36, cpticks=0, pctcpu=0.0
user=0, sys=0, intr=0
ddb{1}>