1st 0xfffffd807f00d720 vmmaplk (&map->lock) @ /syzkaller/managers/setuid/kernel/sys/uvm/uvm_fault.c:1442
2nd 0xfffffd806ad89a38 inode (&ip->i_lock) @ /syzkaller/managers/setuid/kernel/sys/ufs/ufs/ufs_vnops.c:1547
lock order "&ip->i_lock"(rrwlock) -> "&map->lock"(rwlock) first seen at:
#0 witness_checkorder+0x6d8
#1 _rw_enter+0xbf
#2 vm_map_lock_ln+0x14e
#3 uvm_map+0x2e2
#4 km_alloc+0x19a
#5 pool_multi_alloc_ni+0xe4
#6 pool_p_alloc+0x70
#7 pool_do_get+0x127
#8 pool_get+0x104
#9 ufsdirhash_build+0x40b
#10 ufs_lookup+0x2a5
#11 VOP_LOOKUP+0x63
#12 vfs_lookup+0x552
#13 namei+0x4af
#14 start_init+0xd6
lock order "&map->lock"(rwlock) -> "&ip->i_lock"(rrwlock) first seen at:
#0 witness_checkorder+0x6d8
#1 _rw_enter+0xbf
#2 _rrw_enter+0x5c
#3 VOP_LOCK+0x55
#4 vn_lock+0x6e
#5 uvn_io+0x2ca
#6 uvn_get+0x206
#7 uvm_fault+0x12c1
#8 uvm_fault_wire+0x70
#9 uvm_map_pageable_wire+0x2fd
#10 sys_mlock+0x187
#11 syscall+0x5a0
#12 Xsyscall+0x128
Stopped at db_enter+0x18: addq $0x8,%rsp
ddb{0}>
ddb{0}> set $lines = 0
ddb{0}> show panic
the kernel did not panic
ddb{0}> trace
db_enter() at db_enter+0x18 sys/arch/amd64/amd64/db_interface.c:399
witness_checkorder(9b520c30f3b9eb73,81,fffffd806ad89a28,fffffd806ad89a28,0) at witness_checkorder+0x12f9 witness_debugger sys/kern/subr_witness.c:2543 [inline]
witness_checkorder(9b520c30f3b9eb73,81,fffffd806ad89a28,fffffd806ad89a28,0) at witness_checkorder+0x12f9 sys/kern/subr_witness.c:1089
_rw_enter(57268b01a2508d7f,60b,fffffd806ad89a28,ffffffff81ee1643) at _rw_enter+0xbf
_rrw_enter(48dac3ca33d41700,fffffd806a0b0cf8,ffffffff81c4fb70,0) at _rrw_enter+0x5c sys/kern/kern_rwlock.c:410
VOP_LOCK(2b581a38b4fe0369,fffffd806a0b0cf8) at VOP_LOCK+0x55 sys/kern/vfs_vops.c:598
vn_lock(310135bd4dc4e0ae,1000) at vn_lock+0x6e sys/kern/vfs_vnops.c:549
uvn_io(6cd0aa390e9f81c2,0,0,fffffd8077b515e8,0) at uvn_io+0x2ca sys/uvm/uvm_vnode.c:1188
uvn_get(a054776171327fd6,ffffffff817d4e70,fffffd8077b515e8,fffffd806c8778b8,0,1) at uvn_get+0x206 sys/uvm/uvm_vnode.c:1048
uvm_fault(a054776171338727,20010000,0,3) at uvm_fault+0x12c1 sys/uvm/uvm_fault.c:1023
uvm_fault_wire(c13883a2bc44176c,3,20010000,fffffd806c8778b8) at uvm_fault_wire+0x70 sys/uvm/uvm_fault.c:1293
uvm_map_pageable_wire(b40235a602f5b290,20801000,20001000,800000,fffffd807f00d708,800000) at uvm_map_pageable_wire+0x2fd sys/uvm/uvm_map.c:2258
sys_mlock(9b520c30f34ab87c,10,ffff800020b92e28) at sys_mlock+0x187 sys/uvm/uvm_mmap.c:740
syscall(6434a19d00ac34ff) at syscall+0x5a0 mi_syscall sys/sys/syscall_mi.h:99 [inline]
syscall(6434a19d00ac34ff) at syscall+0x5a0 sys/arch/amd64/amd64/trap.c:583
Xsyscall(6,0,ffffffffffffffa1,0,2,99dba026010) at Xsyscall+0x128
end of kernel
end trace frame: 0x9a001af77b0, count: -14
ddb{0}> show registers
rdi 0x3
rsi 0x3ffff acpi_pdirpa+0x2be67
rbp 0xffff800020ca4970
rbx 0x3
rdx 0x40000 acpi_pdirpa+0x2be68
rcx 0xffff800002347000
rax 0xffff800001946380
r8 0xffffffff8142346f witness_checkorder+0x12cf
r9 0x5
r10 0x65853cc4fda2215c
r11 0x13a59089f793e866
r12 0xfffffd80025cec30
r13 0xffffffff81ebc499 cmd0646_9_tim_udma+0xded3
r14 0xffffffff8226a540 w_lodata+0x40b60
r15 0xffffffff8227f4c0 w_lodata+0x55ae0
rip 0xffffffff81391848 db_enter+0x18
cs 0x8
rflags 0x246
rsp 0xffff800020ca4960
ss 0x10
db_enter+0x18: addq $0x8,%rsp
ddb{0}> show proc
PROC (syz-executor0) pid=351267 stat=onproc
flags process=10 proc=4000000
pri=80, usrpri=80, nice=20
forw=0xffffffffffffffff, list=0xffff800020b92bd0,0xffffffff82319e38
process=0xffff800020bcb710 user=0xffff800020ca0000, vmspace=0xfffffd807f00d708
estcpu=36, cpticks=0, pctcpu=0.0
user=0, sys=0, intr=0
ddb{0}> ps
PID TID PPID UID S FLAGS WAIT COMMAND
42202 460393 60600 32767 7 0x10 syz-executor0
*42202 351267 60600 32767 7 0x4000010 syz-executor0
87128 496982 7762 32767 3 0x90 nanosleep syz-executor1
7762 314043 4955 0 3 0x82 wait syz-executor1
60600 463793 38582 32767 3 0x90 nanosleep syz-executor0
38582 244597 4955 0 3 0x82 wait syz-executor0
22944 241943 0 0 3 0x14200 bored sosplice
4955 482818 72143 0 3 0x82 
thrsleep syz-fuzzer
4955 368661 72143 0 3 0x4000082 thrsleep syz-fuzzer
4955 367210 72143 0 3 0x4000082 thrsleep syz-fuzzer
4955 391961 72143 0 3 0x4000082 thrsleep syz-fuzzer
4955 446300 72143 0 3 0x4000082 thrsleep syz-fuzzer
4955 222838 72143 0 3 0x4000082 thrsleep syz-fuzzer
4955 272099 72143 0 3 0x4000082 thrsleep syz-fuzzer
4955 148689 72143 0 3 0x4000082 thrsleep syz-fuzzer
4955 294165 72143 0 3 0x4000082 thrsleep syz-fuzzer
4955 232751 72143 0 3 0x4000082 kqread syz-fuzzer
4955 327786 72143 0 3 0x4000082 thrsleep syz-fuzzer
72143 243986 9606 0 3 0x10008a pause ksh
9606 117294 21179 0 3 0x92 select sshd
2363 107005 1 0 3 0x100083 ttyin getty
21179 324498 1 0 3 0x80 select sshd
43863 195168 18211 73 2 0x100090 syslogd
18211 200565 1 0 3 0x100082 netio syslogd
48458 76202 1 77 3 0x100090 poll dhclient
91368 441063 1 0 3 0x80 poll dhclient
46068 440912 0 0 2 0x14200 zerothread
25234 79444 0 0 3 0x14200 aiodoned aiodoned
59051 25337 0 0 3 0x14200 syncer update
39109 201222 0 0 3 0x14200 cleaner cleaner
38436 327439 0 0 3 0x14200 reaper reaper
85240 354803 0 0 3 0x14200 pgdaemon pagedaemon
30933 413447 0 0 3 0x14200 bored crynlk
20769 396265 0 0 3 0x14200 bored crypto
49803 11802 0 0 3 0x40014200 acpi0 acpi0
67328 367394 0 0 3 0x40014200 idle1
92806 158254 0 0 3 0x14200 bored softnet
84773 323193 0 0 3 0x14200 bored systqmp
45219 145744 0 0 3 0x14200 bored systq
14543 350901 0 0 3 0x40014200 bored softclock
39639 3021 0 0 3 0x40014200 idle0
1 55972 0 0 3 0x82 wait init
0 0 -1 0 3 0x10200 scheduler swapper