1st 0xfffffd806e9255c0 vmmaplk (&map->lock) @ /syzkaller/managers/setuid/kernel/sys/uvm/uvm_fault.c:1442
2nd 0xfffffd8065dd81a8 inode (&ip->i_lock) @ /syzkaller/managers/setuid/kernel/sys/ufs/ufs/ufs_vnops.c:1547
lock order "&ip->i_lock"(rrwlock) -> "&map->lock"(rwlock) first seen at:
#0 witness_checkorder+0x6d8
#1 _rw_enter+0xbf
#2 vm_map_lock_ln+0x14e
#3 uvm_map+0x2e2
#4 km_alloc+0x19a
#5 pool_multi_alloc_ni+0xe4
#6 pool_p_alloc+0x70
#7 pool_do_get+0x127
#8 pool_get+0x104
#9 ufsdirhash_build+0x40b
#10 ufs_lookup+0x2a5
#11 VOP_LOOKUP+0x63
#12 vfs_lookup+0x552
#13 namei+0x4af
#14 start_init+0xd6
lock order "&map->lock"(rwlock) -> "&ip->i_lock"(rrwlock) first seen at:
#0 witness_checkorder+0x6d8
#1 _rw_enter+0xbf
#2 _rrw_enter+0x5c
#3 VOP_LOCK+0x55
#4 vn_lock+0x6e
#5 uvn_io+0x2ca
#6 uvn_get+0x206
#7 uvm_fault+0x12c1
#8 uvm_fault_wire+0x70
#9 uvm_map_pageable_wire+0x2fd
#10 sys_mlock+0x187
#11 syscall+0x5a0
#12 Xsyscall+0x128
Stopped at db_enter+0x18: addq $0x8,%rsp
ddb{1}>
ddb{1}> set $lines = 0
ddb{1}> show panic
the kernel did not panic
ddb{1}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:399
witness_checkorder(9c168326ce6cde4e,81,fffffd8065dd8198,fffffd8065dd8198,0) at witness_checkorder+0x12f9 witness_debugger sys/kern/subr_witness.c:2543 [inline]
witness_checkorder(9c168326ce6cde4e,81,fffffd8065dd8198,fffffd8065dd8198,0) at witness_checkorder+0x12f9 sys/kern/subr_witness.c:1089
_rw_enter(9abae306fd72167d,60b,fffffd8065dd8198,ffffffff81ee1643) at _rw_enter+0xbf
_rrw_enter(9a6505168f49efbc,fffffd807dcf9e80,ffffffff81c4fb70,0) at _rrw_enter+0x5c sys/kern/kern_rwlock.c:410
VOP_LOCK(3cd31b924f7c28ce,fffffd807dcf9e80) at VOP_LOCK+0x55 sys/kern/vfs_vops.c:598
vn_lock(f4005c1d8b12004d,1000) at vn_lock+0x6e sys/kern/vfs_vnops.c:549
uvn_io(d99616217b6cba30,0,0,fffffd8066f26288,0) at uvn_io+0x2ca sys/uvm/uvm_vnode.c:1188
uvn_get(313c4cb45148692e,ffffffff817d4e70,fffffd8066f26288,fffffd8067737150,0,1) at uvn_get+0x206 sys/uvm/uvm_vnode.c:1048
uvm_fault(313c4cb4514991df,20010000,0,3) at uvm_fault+0x12c1 sys/uvm/uvm_fault.c:1023
uvm_fault_wire(461e93f0edebfc2a,3,20010000,fffffd8067737150) at uvm_fault_wire+0x70 sys/uvm/uvm_fault.c:1293
uvm_map_pageable_wire(98427aab804e6ec1,20801000,20001000,800000,fffffd806e9255a8,800000) at uvm_map_pageable_wire+0x2fd sys/uvm/uvm_map.c:2258
sys_mlock(9c168326ce9f8d41,10,ffff800020be5528) at sys_mlock+0x187 sys/uvm/uvm_mmap.c:740
syscall(d4b170339a5850e9) at syscall+0x5a0 mi_syscall sys/sys/syscall_mi.h:99 [inline]
syscall(d4b170339a5850e9) at syscall+0x5a0 sys/arch/amd64/amd64/trap.c:583
Xsyscall(6,0,ffffffffffffffa1,0,2,188377b3010) at Xsyscall+0x128
end of kernel
end trace frame: 0x18b1166a890, count: -14
ddb{1}> show registers
rdi 0x3
rsi 0x3ffff acpi_pdirpa+0x2be67
rbp 0xffff800020c910b0
rbx 0x3
rdx 0x40000 acpi_pdirpa+0x2be68
rcx 0xffff80000374c000
rax 0xffff800001b46e40
r8 0xffffffff8142346f witness_checkorder+0x12cf
r9 0x5
r10 0x15499b95d1094c4d
r11 0xa449d8659d251d29
r12 0xfffffd80025cec30
r13 0xffffffff81ebc499 cmd0646_9_tim_udma+0xded3
r14 0xffffffff8226d1f0 w_lodata+0x43810
r15 0xffffffff8227f830 w_lodata+0x55e50
rip 0xffffffff81391848 db_enter+0x18
cs 0x8
rflags 0x246
rsp 0xffff800020c910a0
ss 0x10
db_enter+0x18: addq $0x8,%rsp
ddb{1}> show proc
PROC (syz-executor0) pid=305008 stat=onproc
flags process=10 proc=4000000
pri=79, usrpri=79, nice=20
forw=0xffffffffffffffff, list=0xffff800020be5c30,0xffffffff82319e38
process=0xffff800020b94010 user=0xffff800020c8c000, vmspace=0xfffffd806e9255a8
estcpu=36, cpticks=0, pctcpu=0.0
user=0, sys=0, intr=0
ddb{1}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
7013 268692 2300 32767 7 0x10 syz-executor0
* 7013 305008 2300 32767 7 0x4000010 syz-executor0
10300 370496 59800 32767 3 0x90 nanosleep syz-executor1
10300 143523 59800 32767 3 0x4000090 netio syz-executor1
10300 222202 59800 32767 3 0x4000010 netlck syz-executor1
10300 252655 59800 32767 3 0x4000090 fsleep syz-executor1
2300 216200 67826 32767 3 0x90 nanosleep syz-executor0
67826 503811 24539 0 3 0x82 wait syz-executor0
59800 69640 67070 32767 3 0x90 nanosleep syz-executor1
67070 343315 24539 0 3 0x82 wait syz-executor1
21943 249013 0 0 3 0x14200 bored sosplice
24539 518897 65008 0 3 0x82 thrsleep syz-fuzzer
24539 345365 65008 0 3 0x4000082 nanosleep syz-fuzzer
24539 300351 65008 0 3 0x4000082 thrsleep syz-fuzzer
24539 54614 65008 0 3 0x4000082 thrsleep syz-fuzzer
24539 319115 65008 0 3 0x4000082 thrsleep syz-fuzzer
24539 399945 65008 0 3 0x4000082 thrsleep syz-fuzzer
24539 496655 65008 0 3 0x4000082 thrsleep syz-fuzzer
24539 23136 65008 0 3 0x4000082 thrsleep syz-fuzzer
24539 214390 65008 0 3 0x4000082 kqread syz-fuzzer
24539 365008 65008 0 3 0x4000082 thrsleep syz-fuzzer
24539 319466 65008 0 3 0x4000082 thrsleep syz-fuzzer
24539 209493 65008 0 3 0x4000082 thrsleep syz-fuzzer
65008 335926 6593 0 3 0x10008a pause ksh
6593 36502 48405 0 3 0x92 select sshd
36952 122481 1 0 3 0x100083 ttyin getty
48405 406468 1 0 3 0x80 select sshd
78459 140498 60822 73 2 0x100090 syslogd
60822 453560 1 0 3 0x100082 netio syslogd
64444 447491 1 77 3 0x100090 poll dhclient
30469 369274 1 0 3 0x80 poll dhclient
36285 377997 0 0 3 0x14200 pgzero zerothread
41382 128898 0 0 3 0x14200 aiodoned aiodoned
12601 465053 0 0 3 0x14200 syncer update
12908 466284 0 0 3 0x14200 cleaner cleaner
25711 519245 0 0 3 0x14200 reaper reaper
29659 20613 0 0 3 0x14200 pgdaemon pagedaemon
55935 438084 0 0 3 0x14200 bored crynlk
59306 46074 0 0 3 0x14200 bored crypto
44412 133746 0 0 3 0x40014200 acpi0 acpi0
12501 519421 0 0 3 0x40014200 idle1
12443 509378 0 0 3 0x14200 bored softnet
43573 105374 0 0 3 0x14200 bored systqmp
75286 51144 0 0 3 0x14200 bored systq
4082 77741 0 0 3 0x40014200 bored softclock
18953 253112 0 0 3 0x40014200 idle0
1 475527 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper