1st 0xfffffd807f00c9f0 vmmaplk (&map->lock) @ /syzkaller/managers/setuid/kernel/sys/uvm/uvm_fault.c:1442
2nd 0xfffffd8079b7f1a8 inode (&ip->i_lock) @ /syzkaller/managers/setuid/kernel/sys/ufs/ufs/ufs_vnops.c:1547
lock order "&ip->i_lock"(rrwlock) -> "&map->lock"(rwlock) first seen at:
#0 witness_checkorder+0x6d8
#1 _rw_enter+0xbf
#2 vm_map_lock_ln+0x14e
#3 uvm_map+0x2e2
#4 km_alloc+0x19a
#5 pool_multi_alloc_ni+0xe4
#6 pool_p_alloc+0x70
#7 pool_do_get+0x127
#8 pool_get+0x104
#9 ufsdirhash_build+0x40b
#10 ufs_lookup+0x2a5
#11 VOP_LOOKUP+0x63
#12 vfs_lookup+0x552
#13 namei+0x4af
#14 start_init+0xd6
lock order "&map->lock"(rwlock) -> "&ip->i_lock"(rrwlock) first seen at:
#0 witness_checkorder+0x6d8
#1 _rw_enter+0xbf
#2 _rrw_enter+0x5c
#3 VOP_LOCK+0x55
#4 vn_lock+0x6e
#5 uvn_io+0x2ca
#6 uvn_get+0x206
#7 uvm_fault+0x12c1
#8 uvm_fault_wire+0x70
#9 uvm_map_pageable_wire+0x2fd
#10 uvm_map_protect+0x610
#11 syscall+0x5a0
#12 Xsyscall+0x128
Stopped at db_enter+0x18: addq $0x8,%rsp
ddb{1}>
ddb{1}> set $lines = 0
ddb{1}> show panic
the kernel did not panic
ddb{1}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:399
witness_checkorder(efb8538a59741694,81,fffffd8079b7f198,fffffd8079b7f198,0) at witness_checkorder+0x12f9 witness_debugger sys/kern/subr_witness.c:2543 [inline]
witness_checkorder(efb8538a59741694,81,fffffd8079b7f198,fffffd8079b7f198,0) at witness_checkorder+0x12f9 sys/kern/subr_witness.c:1089
_rw_enter(80036ee3f629392b,60b,fffffd8079b7f198,ffffffff81edebdf) at _rw_enter+0xbf
_rrw_enter(a833132b21e35632,fffffd806ae1da68,ffffffff8139fd50,0) at _rrw_enter+0x5c sys/kern/kern_rwlock.c:410
VOP_LOCK(73da4b7955aa5f92,fffffd806ae1da68) at VOP_LOCK+0x55 sys/kern/vfs_vops.c:598
vn_lock(1ce3dc2d7b16c6f1,1000) at vn_lock+0x6e sys/kern/vfs_vnops.c:549
uvn_io(f7d509843207b7dd,0,0,fffffd8069d88900,0) at uvn_io+0x2ca sys/uvm/uvm_vnode.c:1188
uvn_get(c4b487a5d25fe6b2,ffffffff8146c190,fffffd8069d88900,fffffd806b7d2198,0,2) at uvn_get+0x206 sys/uvm/uvm_vnode.c:1048
uvm_fault(f7d5098432f3438b,20ff8000,0,2) at uvm_fault+0x12c1 sys/uvm/uvm_fault.c:1023
uvm_fault_wire(222321600d7471ee,2,20ff8000,fffffd806b7d2198) at uvm_fault_wire+0x70 sys/uvm/uvm_fault.c:1293
uvm_map_pageable_wire(73da4b7955da18ac,fffffd806b7d2198,20fff000,20ff6000,0,4) at uvm_map_pageable_wire+0x2fd sys/uvm/uvm_map.c:2258
uvm_map_protect(526a1efe91d19e4,10,ffff800020b93c38,d9c2ecbb88,0) at uvm_map_protect+0x610 sys/uvm/uvm_map.c:3294
syscall(32025b01fc04ea25) at syscall+0x5a0 mi_syscall sys/sys/syscall_mi.h:99 [inline]
syscall(32025b01fc04ea25) at syscall+0x5a0 sys/arch/amd64/amd64/trap.c:583
Xsyscall(6,0,ffffffffffffffa4,0,3,d7b40e9010) at Xsyscall+0x128
end of kernel
end trace frame: 0xd9c2ecbc10, count: -14
ddb{1}> show registers
rdi 0x3
rsi 0x3ffff acpi_pdirpa+0x2be67
rbp 0xffff800020caaec0
rbx 0x3
rdx 0x40000 acpi_pdirpa+0x2be68
rcx 0xffff800000947000
rax 0xffff800001946a40
r8 0xffffffff817c727f witness_checkorder+0x12cf
r9 0x5
r10 0xcdfda4fe7dee9b11
r11 0xc1c08a9331b3d40d
r12 0xfffffd80025cdc30
r13 0xffffffff81ebbd52 cmd0646_9_tim_udma+0xc96d
r14 0xffffffff82279f30 w_lodata+0x4f940
r15 0xffffffff82280440 w_lodata+0x55e50
rip 0xffffffff81107618 db_enter+0x18
cs 0x8
rflags 0x246
rsp 0xffff800020caaeb0
ss 0x10
db_enter+0x18: addq $0x8,%rsp
ddb{1}> show proc
PROC (syz-executor0) pid=452550 stat=onproc
flags process=10 proc=4000000
pri=86, usrpri=86, nice=20
forw=0xffffffffffffffff, list=0xffff800020b924c8,0xffffffff82300be0
process=0xffff800020bca018 user=0xffff800020ca6000, vmspace=0xfffffd807f00c9d8
estcpu=36, cpticks=4, pctcpu=0.0
user=0, sys=0, intr=0
ddb{1}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
70968 176325 29804 32767 7 0x10 syz-executor0
*70968 452550 29804 32767 7 0x4000010 syz-executor0
16537 82504 5352 32767 3 0x90 nanosleep syz-executor1
16537 504638 5352 32767 3 0x4000090 lockf syz-executor1
16537 138085 5352 32767 3 0x4000090 lockf syz-executor1
16537 246464 5352 32767 3 0x4000090 fsleep syz-executor1
5352 504830 17051 32767 3 0x90 nanosleep syz-executor1
17051 382851 9592 0 3 0x82 wait syz-executor1
29804 106863 27955 32767 3 0x90 nanosleep syz-executor0
27955 508344 9592 0 3 0x82 wait syz-executor0
66509 507953 0 0 3 0x14200 bored sosplice
9592 412216 18202 0 3 0x82 thrsleep syz-fuzzer
9592 519483 18202 0 3 0x4000082 thrsleep syz-fuzzer
9592 27996 18202 0 3 0x4000082 thrsleep syz-fuzzer
9592 388736 18202 0 3 0x4000082 thrsleep syz-fuzzer
9592 153547 18202 0 3 0x4000082 thrsleep syz-fuzzer
9592 276621 18202 0 3 0x4000082 kqread syz-fuzzer
9592 277435 18202 0 3 0x4000082 thrsleep syz-fuzzer
9592 156595 18202 0 3 0x4000082 thrsleep syz-fuzzer
9592 14743 18202 0 3 0x4000082 thrsleep syz-fuzzer
9592 813 18202 0 3 0x4000082 thrsleep syz-fuzzer
18202 212204 94852 0 3 0x10008a pause ksh
94852 361798 61801 0 3 0x92 select sshd
75606 98349 1 0 3 0x100083 ttyin getty
61801 6305 1 0 3 0x80 select sshd
86419 421747 17062 73 3 0x100010 biowait syslogd
17062 181059 1 0 3 0x100082 netio syslogd
52282 236865 1 77 3 0x100090 poll dhclient
48744 310597 1 0 3 0x80 poll dhclient
32886 72869 0 0 3 0x14200 pgzero zerothread
58978 11757 0 0 3 0x14200 aiodoned aiodoned
56926 167702 0 0 3 0x14200 syncer update
77247 420896 0 0 3 0x14200 cleaner cleaner
45335 517828 0 0 3 0x14200 reaper reaper
20138 144974 0 0 3 0x14200 pgdaemon pagedaemon
16366 321542 0 0 3 0x14200 bored crynlk
17582 267060 0 0 3 0x14200 bored crypto
18205 107377 0 0 3 0x40014200 acpi0 acpi0
61345 393415 0 0 3 0x40014200 idle1
79654 177752 0 0 3 0x14200 bored softnet
7287 53124 0 0 3 0x14200 bored systqmp
51188 139758 0 0 3 0x14200 bored systq
39696 119164 0 0 3 0x40014200 bored softclock
87586 319624 0 0 3 0x40014200 idle0
1 118871 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper