1st 0xfffffd807f00d888 vmmaplk (&map->lock) @ /syzkaller/managers/setuid/kernel/sys/uvm/uvm_fault.c:1442
2nd 0xfffffd806e6ef1b8 inode (&ip->i_lock) @ /syzkaller/managers/setuid/kernel/sys/ufs/ufs/ufs_vnops.c:1547
lock order "&ip->i_lock"(rrwlock) -> "&map->lock"(rwlock) first seen at:
#0 witness_checkorder+0x6d8
#1 _rw_enter+0xbf
#2 vm_map_lock_ln+0x14e
#3 uvm_map+0x2e2
#4 km_alloc+0x19a
#5 pool_multi_alloc_ni+0xe4
#6 pool_p_alloc+0x70
#7 pool_do_get+0x127
#8 pool_get+0x104
#9 ufsdirhash_build+0x40b
#10 ufs_lookup+0x2a5
#11 VOP_LOOKUP+0x63
#12 vfs_lookup+0x552
#13 namei+0x4af
#14 start_init+0xd6
lock order "&map->lock"(rwlock) -> "&ip->i_lock"(rrwlock) first seen at:
#0 witness_checkorder+0x6d8
#1 _rw_enter+0xbf
#2 _rrw_enter+0x5c
#3 VOP_LOCK+0x55
#4 vn_lock+0x6e
#5 uvn_io+0x2ca
#6 uvn_get+0x206
#7 uvm_fault+0x12c1
#8 uvm_fault_wire+0x70
#9 uvm_map_pageable_wire+0x2fd
#10 uvm_map_protect+0x610
#11 syscall+0x5a0
#12 Xsyscall+0x128
Stopped at db_enter+0x18: addq $0x8,%rsp
ddb{0}>
ddb{0}> set $lines = 0
ddb{0}> show panic
the kernel did not panic
ddb{0}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:399
witness_checkorder(f1d00031b0fd6be9,81,fffffd806e6ef1a8,fffffd806e6ef1a8,0) at witness_checkorder+0x12f9 witness_debugger sys/kern/subr_witness.c:2543 [inline]
witness_checkorder(f1d00031b0fd6be9,81,fffffd806e6ef1a8,fffffd806e6ef1a8,0) at witness_checkorder+0x12f9 sys/kern/subr_witness.c:1089
_rw_enter(b0f6493883d98ba1,60b,fffffd806e6ef1a8,ffffffff81ee1643) at _rw_enter+0xbf
_rrw_enter(97f77e47de29a87a,fffffd806b5ae698,ffffffff81c4fb70,0) at _rrw_enter+0x5c sys/kern/kern_rwlock.c:410
VOP_LOCK(7fda0a72ad999ee8,fffffd806b5ae698) at VOP_LOCK+0x55 sys/kern/vfs_vops.c:598
vn_lock(de9db2713eefd31b,1000) at vn_lock+0x6e sys/kern/vfs_vnops.c:549
uvn_io(371eee6e1d2c1ca9,0,0,fffffd8079722a20,0) at uvn_io+0x2ca sys/uvm/uvm_vnode.c:1188
uvn_get(d5a0163389fc3a3a,ffffffff817d4e70,fffffd8079722a20,fffffd806bd9deb0,0,1) at uvn_get+0x206 sys/uvm/uvm_vnode.c:1048
uvm_fault(d5a0163389fdc2cb,20ff9000,0,1) at uvm_fault+0x12c1 sys/uvm/uvm_fault.c:1023
uvm_fault_wire(6ae1c016ca50964b,1,20ff9000,fffffd806bd9deb0) at uvm_fault_wire+0x70 sys/uvm/uvm_fault.c:1293
uvm_map_pageable_wire(b21997efdf5a563a,fffffd806bd9deb0,20ffa000,20ff6000,0,4) at uvm_map_pageable_wire+0x2fd sys/uvm/uvm_map.c:2258
uvm_map_protect(5cb688c5e449120,10,ffff800020b93788,b5de108b308,0) at uvm_map_protect+0x610 sys/uvm/uvm_map.c:3294
syscall(c29e749c00401b0) at syscall+0x5a0 mi_syscall sys/sys/syscall_mi.h:99 [inline]
syscall(c29e749c00401b0) at syscall+0x5a0 sys/arch/amd64/amd64/trap.c:583
Xsyscall(6,0,ffffffffffffffa4,0,3,b5b66026010) at Xsyscall+0x128
end of kernel
end trace frame: 0xb5de108b390, count: -14
ddb{0}> show registers
rdi 0x3
rsi 0x3ffff acpi_pdirpa+0x2be67
rbp 0xffff800020bb90a0
rbx 0x3
rdx 0x40000 acpi_pdirpa+0x2be68
rcx 0xffff800002b4b000
rax 0xffff800001b46800
r8 0xffffffff8142346f witness_checkorder+0x12cf
r9 0x5
r10 0xc18000ac35abb34
r11 0x497eda4a0cd9c361
r12 0xfffffd80025cec30
r13 0xffffffff81ebc499 cmd0646_9_tim_udma+0xded3
r14 0xffffffff8227a3a0 w_lodata+0x509c0
r15 0xffffffff8227f830 w_lodata+0x55e50
rip 0xffffffff81391848 db_enter+0x18
cs 0x8
rflags 0x246
rsp 0xffff800020bb9090
ss 0x10
db_enter+0x18: addq $0x8,%rsp
ddb{0}> show proc
PROC (syz-executor1) pid=107692 stat=onproc
flags process=10 proc=4000000
pri=74, usrpri=74, nice=20
forw=0xffffffffffffffff, list=0xffff800020b93530,0xffffffff82319e38
process=0xffff800020b94010 user=0xffff800020bb4000, vmspace=0xfffffd807f00d870
estcpu=36, cpticks=0, pctcpu=0.0
user=0, sys=0, intr=0
ddb{0}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
33941 311922 48464 32767 2 0x10 syz-executor1
*33941 107692 48464 32767 7 0x4000010 syz-executor1
59991 444205 0 0 3 0x14200 bored sosplice
48464 329495 89599 32767 3 0x90 nanosleep syz-executor1
89599 188946 77580 0 3 0x82 wait syz-executor1
77580 212531 95857 0 3 0x82 thrsleep syz-fuzzer
77580 510764 95857 0 3 0x4000082 nanosleep syz-fuzzer
77580 435154 95857 0 3 0x4000082 thrsleep syz-fuzzer
77580 435693 95857 0 3 0x4000082 thrsleep syz-fuzzer
77580 1923 95857 0 3 0x4000082 thrsleep syz-fuzzer
77580 393893 95857 0 3 0x4000082 kqread syz-fuzzer
77580 335602 95857 0 3 0x4000082 thrsleep syz-fuzzer
77580 217118 95857 0 3 0x4000082 thrsleep syz-fuzzer
77580 310841 95857 0 3 0x4000002 biowait syz-fuzzer
77580 480310 95857 0 3 0x4000082 thrsleep syz-fuzzer
95857 452663 63319 0 3 0x10008a pause ksh
63319 415508 32426 0 3 0x92 select sshd
25573 428180 1 0 3 0x100083 ttyin getty
32426 15965 1 0 3 0x80 select sshd
93393 412958 66968 73 7 0x100090 syslogd
66968 52159 1 0 3 0x100082 netio syslogd
86731 474270 1 77 3 0x100090 poll dhclient
75458 267844 1 0 3 0x80 poll dhclient
87080 96248 0 0 3 0x14200 pgzero zerothread
95838 252517 0 0 3 0x14200 aiodoned aiodoned
40521 50389 0 0 3 0x14200 syncer update
59421 17675 0 0 3 0x14200 cleaner cleaner
32570 15999 0 0 3 0x14200 reaper reaper
46695 420058 0 0 3 0x14200 pgdaemon pagedaemon
40303 497735 0 0 3 0x14200 bored crynlk
59648 296979 0 0 3 0x14200 bored crypto
68478 335820 0 0 3 0x40014200 acpi0 acpi0
26498 521167 0 0 3 0x40014200 idle1
7019 522327 0 0 3 0x14200 bored softnet
33214 404520 0 0 3 0x14200 bored systqmp
66996 458840 0 0 3 0x14200 bored systq
50076 403693 0 0 3 0x40014200 bored softclock
4084 368204 0 0 3 0x40014200 idle0
1 40091 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper