1st 0xfffffd807f00d018 vmmaplk (&map->lock) @ /syzkaller/managers/multicore/kernel/sys/uvm/uvm_fault.c:1442
2nd 0xfffffd8067c534e8 inode (&ip->i_lock) @ /syzkaller/managers/multicore/kernel/sys/ufs/ufs/ufs_vnops.c:1547
lock order "&ip->i_lock"(rrwlock) -> "&map->lock"(rwlock) first seen at:
#0 witness_checkorder+0x6d8
#1 _rw_enter+0xbf
#2 vm_map_lock_ln+0x14e
#3 uvm_map+0x2e2
#4 km_alloc+0x19a
#5 pool_multi_alloc_ni+0xe4
#6 pool_p_alloc+0x70
#7 pool_do_get+0x127
#8 pool_get+0x104
#9 ufsdirhash_build+0x40b
#10 ufs_lookup+0x2a5
#11 VOP_LOOKUP+0x63
#12 vfs_lookup+0x552
#13 namei+0x4af
#14 start_init+0xd6
lock order "&map->lock"(rwlock) -> "&ip->i_lock"(rrwlock) first seen at:
#0 witness_checkorder+0x6d8
#1 _rw_enter+0xbf
#2 _rrw_enter+0x5c
#3 VOP_LOCK+0x55
#4 vn_lock+0x6e
#5 uvn_io+0x2ca
#6 uvn_get+0x206
#7 uvm_fault+0x12c1
#8 uvm_fault_wire+0x70
#9 uvm_map_pageable_wire+0x2fd
#10 uvm_map_protect+0x610
#11 syscall+0x5a0
#12 Xsyscall+0x128
Stopped at db_enter+0x18: addq $0x8,%rsp
ddb{1}>
ddb{1}> set $lines = 0
ddb{1}> show panic
the kernel did not panic
ddb{1}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:399
witness_checkorder(80ca291e61b60f50,81,fffffd8067c534d8,fffffd8067c534d8,0) at witness_checkorder+0x12f9 witness_debugger sys/kern/subr_witness.c:2543 [inline]
witness_checkorder(80ca291e61b60f50,81,fffffd8067c534d8,fffffd8067c534d8,0) at witness_checkorder+0x12f9 sys/kern/subr_witness.c:1089
_rw_enter(1141f156c5c1d46,60b,fffffd8067c534d8,ffffffff81ed5429) at _rw_enter+0xbf
_rrw_enter(f5fefc5a4f00d039,fffffd8069920b60,ffffffff819017a0,0) at _rrw_enter+0x5c sys/kern/kern_rwlock.c:410
VOP_LOCK(309a1289778c8817,fffffd8069920b60) at VOP_LOCK+0x55 sys/kern/vfs_vops.c:598
vn_lock(17fdc992c3dc9b84,1000) at vn_lock+0x6e sys/kern/vfs_vnops.c:549
uvn_io(c9952dcce3424064,0,0,fffffd8079a5a518,0) at uvn_io+0x2ca sys/uvm/uvm_vnode.c:1188
uvn_get(e0b3ef7a5957902,ffffffff8136c1a0,fffffd8079a5a518,fffffd806b288838,0,2) at uvn_get+0x206 sys/uvm/uvm_vnode.c:1048
uvm_fault(20d4991602e82906,20ff9000,0,2) at uvm_fault+0x12c1 sys/uvm/uvm_fault.c:1023
uvm_fault_wire(511f900c54b5a373,2,20ff9000,fffffd806b288838) at uvm_fault_wire+0x70 sys/uvm/uvm_fault.c:1293
uvm_map_pageable_wire(a011dfe972286be,fffffd806b288838,20fff000,20ff6000,0,4) at uvm_map_pageable_wire+0x2fd sys/uvm/uvm_map.c:2258
uvm_map_protect(80ca291e616e9cef,0,ffff800020bbb9e0,130b821718,0) at uvm_map_protect+0x610 sys/uvm/uvm_map.c:3294
syscall(bb9a5f05383ab545) at syscall+0x5a0 mi_syscall sys/sys/syscall_mi.h:99 [inline]
syscall(bb9a5f05383ab545) at syscall+0x5a0 sys/arch/amd64/amd64/trap.c:583
Xsyscall(6,0,ffffffffffffffa4,0,3,10909f2010) at Xsyscall+0x128
end of kernel
end trace frame: 0x130b8217a0, count: -14
ddb{1}> show registers
rdi 0x3
rsi 0x3ffff acpi_pdirpa+0x2be67
rbp 0xffff800020c8f3e0
rbx 0x3
rdx 0x40000 acpi_pdirpa+0x2be68
rcx 0xffff800000946000
rax 0xffff800000940980
r8 0xffffffff81bca74f witness_checkorder+0x12cf
r9 0x5
r10 0x4c0afa51073fc646
r11 0x811176ae32a422a0
r12 0xfffffd80025ccc30
r13 0xffffffff81eba9a8 cmd0646_9_tim_udma+0xd171
r14 0xffffffff822c5160 w_lodata+0x4fe10
r15 0xffffffff822cb1a0 w_lodata+0x55e50
rip 0xffffffff817711a8 db_enter+0x18
cs 0x8
rflags 0x246
rsp 0xffff800020c8f3d0
ss 0x10
db_enter+0x18: addq $0x8,%rsp
ddb{1}> show proc
PROC (syz-executor0) pid=22543 stat=onproc
flags process=0 proc=4000000
pri=52, usrpri=52, nice=20
forw=0xffffffffffffffff, list=0xffff800020bba4c8,0xffff800020bba280
process=0xffff800020b94010 user=0xffff800020c8a000, vmspace=0xfffffd807f00d000
estcpu=36, cpticks=0, pctcpu=0.0
user=0, sys=0, intr=0
ddb{1}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
86090 386432 11786 0 2 0 syz-executor0
*86090 22543 11786 0 7 0x4000000 syz-executor0
29858 171175 32372 0 3 0x80 nanosleep syz-executor1
29858 238329 32372 0 3 0x4000080 fsleep syz-executor1
29858 185675 32372 0 3 0x4000080 msgwait syz-executor1
29858 111320 32372 0 3 0x4000080 fsleep syz-executor1
87794 232696 0 0 3 0x14200 bored sosplice
32372 357622 3099 0 3 0x82 nanosleep syz-executor1
11786 132736 3099 0 3 0x82 nanosleep syz-executor0
3099 126890 59377 0 3 0x82 thrsleep syz-fuzzer
3099 193853 59377 0 3 0x4000082 thrsleep syz-fuzzer
3099 180048 59377 0 3 0x4000082 thrsleep syz-fuzzer
3099 139978 59377 0 3 0x4000082 thrsleep syz-fuzzer
3099 222065 59377 0 3 0x4000082 thrsleep syz-fuzzer
3099 148222 59377 0 3 0x4000082 thrsleep syz-fuzzer
3099 62113 59377 0 3 0x4000082 thrsleep syz-fuzzer
3099 187361 59377 0 3 0x4000082 thrsleep syz-fuzzer
3099 211123 59377 0 3 0x4000082 kqread syz-fuzzer
3099 117564 59377 0 3 0x4000082 thrsleep syz-fuzzer
59377 126672 351 0 3 0x10008a pause ksh
351 113110 8418 0 3 0x92 select sshd
57612 231192 1 0 3 0x100083 ttyin getty
8418 462320 1 0 3 0x80 select sshd
81819 455031 93086 73 7 0x100090 syslogd
93086 323138 1 0 3 0x100082 netio syslogd
31064 202675 1 77 3 0x100090 poll dhclient
33354 445408 1 0 3 0x80 poll dhclient
53641 196408 0 0 3 0x14200 pgzero zerothread
88275 336733 0 0 3 0x14200 aiodoned aiodoned
93597 203719 0 0 3 0x14200 syncer update
21207 426022 0 0 3 0x14200 cleaner cleaner
15099 237092 0 0 3 0x14200 reaper reaper
76227 315720 0 0 3 0x14200 pgdaemon pagedaemon
89062 324325 0 0 3 0x14200 bored crynlk
29469 250605 0 0 3 0x14200 bored crypto
52336 86101 0 0 3 0x40014200 acpi0 acpi0
57078 340177 0 0 3 0x40014200 idle1
78547 305293 0 0 3 0x14200 bored softnet
78812 58522 0 0 3 0x14200 bored systqmp
98459 77739 0 0 3 0x14200 bored systq
64236 445962 0 0 3 0x40014200 bored softclock
96877 434904 0 0 3 0x40014200 idle0
1 389145 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper