1st 0xfffffd806e92fcc8 vmmaplk (&map->lock) @ /syzkaller/managers/setuid/kernel/sys/uvm/uvm_fault.c:1442
2nd 0xfffffd80760d6e68 inode (&ip->i_lock) @ /syzkaller/managers/setuid/kernel/sys/ufs/ufs/ufs_vnops.c:1547
lock order "&ip->i_lock"(rrwlock) -> "&map->lock"(rwlock) first seen at:
#0 witness_checkorder+0x6d8
#1 _rw_enter+0xbf
#2 vm_map_lock_ln+0x14e
#3 uvm_map+0x2e2
#4 km_alloc+0x19a
#5 pool_multi_alloc_ni+0xe4
#6 pool_p_alloc+0x70
#7 pool_do_get+0x127
#8 pool_get+0x104
#9 ufsdirhash_build+0x40b
#10 ufs_lookup+0x2a5
#11 VOP_LOOKUP+0x63
#12 vfs_lookup+0x552
#13 namei+0x4af
#14 start_init+0xd6
lock order "&map->lock"(rwlock) -> "&ip->i_lock"(rrwlock) first seen at:
#0 witness_checkorder+0x6d8
#1 _rw_enter+0xbf
#2 _rrw_enter+0x5c
#3 VOP_LOCK+0x55
#4 vn_lock+0x6e
#5 uvn_io+0x2ca
#6 uvn_get+0x206
#7 uvm_fault+0x12c1
#8 uvm_fault_wire+0x70
#9 uvm_map_pageable_wire+0x2fd
#10 uvm_map_protect+0x610
#11 syscall+0x5a0
#12 Xsyscall+0x128
Stopped at db_enter+0x18: addq $0x8,%rsp
ddb{0}>
ddb{0}> set $lines = 0
ddb{0}> show panic
the kernel did not panic
ddb{0}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:399
witness_checkorder(c3065a47657610d2,81,fffffd80760d6e58,fffffd80760d6e58,0) at witness_checkorder+0x12f9 witness_debugger sys/kern/subr_witness.c:2543 [inline]
witness_checkorder(c3065a47657610d2,81,fffffd80760d6e58,fffffd80760d6e58,0) at witness_checkorder+0x12f9 sys/kern/subr_witness.c:1089
_rw_enter(35ac8504cb098e22,60b,fffffd80760d6e58,ffffffff81edebdf) at _rw_enter+0xbf
_rrw_enter(6b1c1cda59679430,fffffd8065245ca0,ffffffff8139fd50,0) at _rrw_enter+0x5c sys/kern/kern_rwlock.c:410
VOP_LOCK(86a2f64c31ae55f6,fffffd8065245ca0) at VOP_LOCK+0x55 sys/kern/vfs_vops.c:598
vn_lock(1fe2f0fdd24f495e,2000) at vn_lock+0x6e sys/kern/vfs_vnops.c:549
uvn_io(12f57c307512cd0e,0,0,fffffd80669cb950,1000) at uvn_io+0x2ca sys/uvm/uvm_vnode.c:1188
uvn_get(53aea9b8b46c71fc,ffffffff8146c190,fffffd80669cb950,fffffd8065825840,1000,1) at uvn_get+0x206 sys/uvm/uvm_vnode.c:1048
uvm_fault(12f57c3075e63958,21000000,0,1) at uvm_fault+0x12c1 sys/uvm/uvm_fault.c:1023
uvm_fault_wire(ed90dbb170fee37a,1,21000000,fffffd8065825840) at uvm_fault_wire+0x70 sys/uvm/uvm_fault.c:1293
uvm_map_pageable_wire(86a2f64c31de12c8,fffffd8065825840,21000000,20ffd000,0,4) at uvm_map_pageable_wire+0x2fd sys/uvm/uvm_map.c:2258
uvm_map_protect(6e8ed869a6e7f248,10,ffff800020b92270,6928040a9d8,0) at uvm_map_protect+0x610 sys/uvm/uvm_map.c:3294
syscall(32fb5a39048a57bd) at syscall+0x5a0 mi_syscall sys/sys/syscall_mi.h:99 [inline]
syscall(32fb5a39048a57bd) at syscall+0x5a0 sys/arch/amd64/amd64/trap.c:583
Xsyscall(6,0,ffffffffffffffa4,0,3,68fc0901010) at Xsyscall+0x128
end of kernel
end trace frame: 0x6928040aa60, count: -14
ddb{0}> show registers
rdi 0x3
rsi 0x3ffff acpi_pdirpa+0x2be67
rbp 0xffff800020c8b700
rbx 0x3
rdx 0x40000 acpi_pdirpa+0x2be68
rcx 0xffff800003f52000
rax 0xffff800000940980
r8 0xffffffff817c727f witness_checkorder+0x12cf
r9 0x5
r10 0xcd04a5c685602689
r11 0x4c212380e2d6d652
r12 0xfffffd80025cdc30
r13 0xffffffff81ebbd52 cmd0646_9_tim_udma+0xc96d
r14 0xffffffff8226ccd0 w_lodata+0x426e0
r15 0xffffffff82280440 w_lodata+0x55e50
rip 0xffffffff81107618 db_enter+0x18
cs 0x8
rflags 0x246
rsp 0xffff800020c8b6f0
ss 0x10
db_enter+0x18: addq $0x8,%rsp
ddb{0}> show proc
PROC (syz-executor1) pid=62831 stat=onproc
flags process=10 proc=4000000
pri=81, usrpri=81, nice=20
forw=0xffffffffffffffff, list=0xffff800020b924c8,0xffff800020b932e8
process=0xffff800020b953c0 user=0xffff800020c86000, vmspace=0xfffffd806e92fcb0
estcpu=36, cpticks=0, pctcpu=0.0
user=0, sys=0, intr=0
ddb{0}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
56662 274446 72383 32767 2 0x10 syz-executor0
56662 500249 72383 32767 3 0x4000090 ttyout syz-executor0
25704 469546 49799 32767 2 0x10 syz-executor1
*25704 62831 49799 32767 7 0x4000010 syz-executor1
49799 2568 59239 32767 3 0x90 nanosleep syz-executor1
59239 402898 74368 0 3 0x82 wait syz-executor1
72383 378034 25809 32767 3 0x90 nanosleep syz-executor0
25809 249069 74368 0 3 0x82 wait syz-executor0
83518 213460 0 0 3 0x14200 bored sosplice
74368 338072 83838 0 3 0x82 thrsleep syz-fuzzer
74368 376122 83838 0 3 0x4000082 thrsleep syz-fuzzer
74368 467639 83838 0 3 0x4000082 thrsleep syz-fuzzer
74368 54550 83838 0 3 0x4000082 thrsleep syz-fuzzer
74368 299366 83838 0 3 0x4000082 thrsleep syz-fuzzer
74368 83364 83838 0 3 0x4000082 thrsleep syz-fuzzer
74368 323540 83838 0 3 0x4000082 thrsleep syz-fuzzer
74368 242268 83838 0 3 0x4000082 thrsleep syz-fuzzer
74368 447734 83838 0 3 0x4000082 kqread syz-fuzzer
74368 74829 83838 0 3 0x4000082 thrsleep syz-fuzzer
74368 52648 83838 0 3 0x4000082 thrsleep syz-fuzzer
83838 113865 40636 0 3 0x10008a pause ksh
40636 227426 8451 0 3 0x92 select sshd
77614 463283 1 0 3 0x100083 ttyin getty
8451 474059 1 0 3 0x80 select sshd
45156 282414 74309 73 7 0x100090 syslogd
74309 68913 1 0 3 0x100082 netio syslogd
86950 43510 1 77 3 0x100090 poll dhclient
92461 252058 1 0 3 0x80 poll dhclient
71551 161157 0 0 2 0x14200 zerothread
98022 514772 0 0 3 0x14200 aiodoned aiodoned
27193 100773 0 0 3 0x14200 syncer update
40058 76224 0 0 3 0x14200 cleaner cleaner
60375 74240 0 0 3 0x14200 reaper reaper
25454 299833 0 0 3 0x14200 pgdaemon pagedaemon
12961 360729 0 0 3 0x14200 bored crynlk
54405 439211 0 0 3 0x14200 bored crypto
30772 93136 0 0 3 0x40014200 acpi0 acpi0
54601 167568 0 0 3 0x40014200 idle1
16662 177088 0 0 3 0x14200 bored softnet
31644 396218 0 0 3 0x14200 bored systqmp
48014 176525 0 0 3 0x14200 bored systq
1694 468627 0 0 3 0x40014200 bored softclock
31745 201962 0 0 3 0x40014200 idle0
1 439509 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper