# Syzkaller reproducer followed by the kernel log it produced (syzbot-style report).
# The program mounts a crafted HFS image at ./file1 (loop0 reports a 64-sector device; hfs logs
# "request for non-existent node 8 in B*Tree"), then openat(./file1, 0x42 = O_RDWR|O_CREAT) on the
# mount reaches hfs_create -> hfs_cat_create -> hfs_bmap_reserve -> hfs_extend_file -> hfs_find_init,
# which takes &tree->tree_lock/1 while HFS_I(tree->inode)->extents_lock is already held.
# The pwrite64 at offset 0x8080c61 records the opposite order (pwrite64 -> hfs_write_begin ->
# hfs_get_block -> hfs_extend_file -> __hfs_ext_write_extent -> hfs_bmap_reserve -> hfs_extend_file
# taking extents_lock), so lockdep reports "possible circular locking dependency" below.
# Only the HFS mount, openat and pwrite64 calls appear in the traces; the packet/inet6/eventfd/prlimit
# calls are presumably unminimized fuzzer filler -- confirm by re-running without them.
# Security note: the attacker-controlled input is the filesystem image (mounting one normally needs
# CAP_SYS_ADMIN or an equivalent unprivileged-mount setup); lockdep shows a potential deadlock
# (local DoS), not memory corruption. The trailing "attempt to access beyond end of device" /
# Buffer I/O errors are reads past the 64-sector image and are not part of the lock report.
# The second copy of the call sequence, tagged "(async)", is syzkaller's re-emission of the same
# program with async markers, not a different test case.
program: r0 = syz_mount_image$hfs(&(0x7f00000001c0), &(0x7f0000000180)='./file1\x00', 0x3004048, &(0x7f0000000100)=ANY=[], 0x11, 0x2c6, &(0x7f0000005bc0)="$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") r1 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file1\x00', 0x42, 0x0) creat(&(0x7f0000000240)='./bus\x00', 0x6) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7) r2 = socket$packet(0x11, 0x3, 0x300) setsockopt$packet_int(r2, 0x107, 0xf, &(0x7f0000000180)=0x7ff, 0x4) setsockopt$packet_rx_ring(r2, 0x107, 0x5, &(0x7f0000000040)=@req3={0x1000, 0x3a, 0x1000, 0x3a, 0x9, 0x0, 0xffffffff}, 0x1c) copy_file_range(r0, &(0x7f0000000100)=0x2, r0, &(0x7f0000000200)=0x3a00, 0xffffffffffffffff, 0x0) r3 = socket$inet6(0xa, 0x800000000000002, 0x0) r4 = eventfd2(0x0, 0x0) writev(r4, &(0x7f0000000480)=[{&(0x7f0000000000)="f67804e83b4e100b", 0x8}, {0x0, 0x8}], 0x2) connect$inet6(r3, &(0x7f0000000040)={0xa, 0x4e1d, 0x1, @mcast1, 0x8}, 0x1c) setsockopt$inet6_udp_int(r3, 0x11, 0x67, &(0x7f0000000000)=0x28, 0x4) sendto$inet6(r3, 0x0, 0x0, 0x400ad80, &(0x7f00000000c0)={0xa, 0x4e23, 0x5b3, @ipv4={'\x00', '\xff\xff', @multicast1}, 0x8}, 0x1c) sendmmsg$inet6(r3, &(0x7f0000001ec0)=[{{0x0, 0x0, &(0x7f0000000540)=[{&(0x7f00000001c0)="b3ab706204ee39c9dae21a1718ee351ebc92d2f0d482a863ae5c0b4d768ffe745af2c53a083d9b761b", 0x29}], 0x1}}], 0x1, 0x0) pwrite64(r1, &(0x7f0000000140)='2', 0x1, 0x8080c61) creat(&(0x7f0000000300)='./bus\x00', 0x4) unlinkat(0xffffffffffffff9c, &(0x7f0000000c40)='./file1\x00', 0x0) syz_mount_image$hfs(&(0x7f00000001c0), &(0x7f0000000180)='./file1\x00', 0x3004048, &(0x7f0000000100)=ANY=[], 0x11, 0x2c6, &(0x7f0000005bc0)="$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") (async) openat(0xffffffffffffff9c, &(0x7f0000000040)='./file1\x00', 0x42, 0x0) (async) creat(&(0x7f0000000240)='./bus\x00', 0x6) (async) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) (async) sched_setscheduler(0x0, 0x1, 
&(0x7f0000000080)=0x7) (async) socket$packet(0x11, 0x3, 0x300) (async) setsockopt$packet_int(r2, 0x107, 0xf, &(0x7f0000000180)=0x7ff, 0x4) (async) setsockopt$packet_rx_ring(r2, 0x107, 0x5, &(0x7f0000000040)=@req3={0x1000, 0x3a, 0x1000, 0x3a, 0x9, 0x0, 0xffffffff}, 0x1c) (async) copy_file_range(r0, &(0x7f0000000100)=0x2, r0, &(0x7f0000000200)=0x3a00, 0xffffffffffffffff, 0x0) (async) socket$inet6(0xa, 0x800000000000002, 0x0) (async) eventfd2(0x0, 0x0) (async) writev(r4, &(0x7f0000000480)=[{&(0x7f0000000000)="f67804e83b4e100b", 0x8}, {0x0, 0x8}], 0x2) (async) connect$inet6(r3, &(0x7f0000000040)={0xa, 0x4e1d, 0x1, @mcast1, 0x8}, 0x1c) (async) setsockopt$inet6_udp_int(r3, 0x11, 0x67, &(0x7f0000000000)=0x28, 0x4) (async) sendto$inet6(r3, 0x0, 0x0, 0x400ad80, &(0x7f00000000c0)={0xa, 0x4e23, 0x5b3, @ipv4={'\x00', '\xff\xff', @multicast1}, 0x8}, 0x1c) (async) sendmmsg$inet6(r3, &(0x7f0000001ec0)=[{{0x0, 0x0, &(0x7f0000000540)=[{&(0x7f00000001c0)="b3ab706204ee39c9dae21a1718ee351ebc92d2f0d482a863ae5c0b4d768ffe745af2c53a083d9b761b", 0x29}], 0x1}}], 0x1, 0x0) (async) pwrite64(r1, &(0x7f0000000140)='2', 0x1, 0x8080c61) (async) creat(&(0x7f0000000300)='./bus\x00', 0x4) (async) unlinkat(0xffffffffffffff9c, &(0x7f0000000c40)='./file1\x00', 0x0) (async) [ 86.088187][ T5296] Bluetooth: hci0: command tx timeout [ 86.261764][ T5318] loop0: detected capacity change from 0 to 64 [ 86.325386][ T5318] ======================================================= [ 86.325386][ T5318] WARNING: The mand mount option has been deprecated and [ 86.325386][ T5318] and is ignored by this kernel. Remove the mand [ 86.325386][ T5318] option from the mount to silence this warning. 
[ 86.325386][ T5318] ======================================================= [ 87.031106][ T5318] hfs: request for non-existent node 8 in B*Tree [ 87.034162][ T5318] hfs: request for non-existent node 8 in B*Tree [ 87.048688][ T5318] [ 87.049765][ T5318] ====================================================== [ 87.052766][ T5318] WARNING: possible circular locking dependency detected [ 87.056447][ T5318] syzkaller #0 Not tainted [ 87.058489][ T5318] ------------------------------------------------------ [ 87.061515][ T5318] syz.0.0/5318 is trying to acquire lock: [ 87.064217][ T5318] ffff888011e2c0b0 (&tree->tree_lock/1){+.+.}-{4:4}, at: hfs_find_init+0x18e/0x300 [ 87.068343][ T5318] [ 87.068343][ T5318] but task is already holding lock: [ 87.071384][ T5318] ffff888036c441f8 (&HFS_I(tree->inode)->extents_lock){+.+.}-{4:4}, at: hfs_extend_file+0xf2/0x15e0 [ 87.075902][ T5318] [ 87.075902][ T5318] which lock already depends on the new lock. [ 87.075902][ T5318] [ 87.080298][ T5318] [ 87.080298][ T5318] the existing dependency chain (in reverse order) is: [ 87.084135][ T5318] [ 87.084135][ T5318] -> #1 (&HFS_I(tree->inode)->extents_lock){+.+.}-{4:4}: [ 87.088129][ T5318] __mutex_lock+0x19f/0x1300 [ 87.090388][ T5318] hfs_extend_file+0xf2/0x15e0 [ 87.092625][ T5318] hfs_bmap_reserve+0x107/0x430 [ 87.094870][ T5318] __hfs_ext_write_extent+0x1fa/0x470 [ 87.097313][ T5318] __hfs_ext_cache_extent+0x6b/0x9b0 [ 87.099736][ T5318] hfs_extend_file+0x39b/0x15e0 [ 87.101904][ T5318] hfs_get_block+0x412/0xc50 [ 87.104092][ T5318] __block_write_begin_int+0x6c6/0x1910 [ 87.106623][ T5318] cont_write_begin+0x737/0xae0 [ 87.108850][ T5318] hfs_write_begin+0x66/0xb0 [ 87.110945][ T5318] cont_write_begin+0x2e7/0xae0 [ 87.113203][ T5318] hfs_write_begin+0x66/0xb0 [ 87.115404][ T5318] generic_perform_write+0x2e2/0x8f0 [ 87.117921][ T5318] generic_file_write_iter+0x14a/0x680 [ 87.120494][ T5318] vfs_write+0x61d/0xb90 [ 87.122521][ T5318] __x64_sys_pwrite64+0x199/0x230 [ 87.124863][ T5318] 
do_syscall_64+0x14d/0xf80 [ 87.127094][ T5318] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 87.129821][ T5318] [ 87.129821][ T5318] -> #0 (&tree->tree_lock/1){+.+.}-{4:4}: [ 87.133224][ T5318] __lock_acquire+0x15a5/0x2cf0 [ 87.135541][ T5318] lock_acquire+0xf0/0x2e0 [ 87.137663][ T5318] __mutex_lock+0x19f/0x1300 [ 87.139832][ T5318] hfs_find_init+0x18e/0x300 [ 87.142079][ T5318] hfs_extend_file+0x35c/0x15e0 [ 87.144381][ T5318] hfs_bmap_reserve+0x107/0x430 [ 87.146663][ T5318] hfs_cat_create+0x20f/0x800 [ 87.149017][ T5318] hfs_create+0x75/0xe0 [ 87.151125][ T5318] path_openat+0x1395/0x3860 [ 87.153298][ T5318] do_file_open+0x23e/0x4a0 [ 87.155449][ T5318] do_sys_openat2+0x113/0x200 [ 87.157664][ T5318] __x64_sys_openat+0x138/0x170 [ 87.159934][ T5318] do_syscall_64+0x14d/0xf80 [ 87.162196][ T5318] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 87.164972][ T5318] [ 87.164972][ T5318] other info that might help us debug this: [ 87.164972][ T5318] [ 87.169349][ T5318] Possible unsafe locking scenario: [ 87.169349][ T5318] [ 87.172543][ T5318] CPU0 CPU1 [ 87.174829][ T5318] ---- ---- [ 87.177157][ T5318] lock(&HFS_I(tree->inode)->extents_lock); [ 87.179728][ T5318] lock(&tree->tree_lock/1); [ 87.183485][ T5318] lock(&HFS_I(tree->inode)->extents_lock); [ 87.187231][ T5318] lock(&tree->tree_lock/1); [ 87.189227][ T5318] [ 87.189227][ T5318] *** DEADLOCK *** [ 87.189227][ T5318] [ 87.192610][ T5318] 4 locks held by syz.0.0/5318: [ 87.194618][ T5318] #0: ffff88800bb72420 (sb_writers#12){.+.+}-{0:0}, at: mnt_want_write+0x41/0x90 [ 87.198699][ T5318] #1: ffff888036c43d20 (&type->i_mutex_dir_key#8){+.+.}-{4:4}, at: path_openat+0xb4c/0x3860 [ 87.203207][ T5318] #2: ffff888011e280b0 (&tree->tree_lock){+.+.}-{4:4}, at: hfs_find_init+0x18e/0x300 [ 87.207405][ T5318] #3: ffff888036c441f8 (&HFS_I(tree->inode)->extents_lock){+.+.}-{4:4}, at: hfs_extend_file+0xf2/0x15e0 [ 87.212187][ T5318] [ 87.212187][ T5318] stack backtrace: [ 87.214815][ T5318] CPU: 0 UID: 0 PID: 5318 Comm: syz.0.0 
Not tainted syzkaller #0 PREEMPT(full) [ 87.214830][ T5318] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 87.214836][ T5318] Call Trace: [ 87.214843][ T5318] [ 87.214878][ T5318] dump_stack_lvl+0xe8/0x150 [ 87.214898][ T5318] print_circular_bug+0x2e1/0x300 [ 87.214914][ T5318] check_noncircular+0x12e/0x150 [ 87.214928][ T5318] __lock_acquire+0x15a5/0x2cf0 [ 87.214941][ T5318] ? _raw_spin_unlock_irqrestore+0x4c/0x80 [ 87.214990][ T5318] ? kasan_save_track+0x4f/0x80 [ 87.215003][ T5318] ? kasan_save_track+0x3e/0x80 [ 87.215014][ T5318] ? __kasan_kmalloc+0x93/0xb0 [ 87.215027][ T5318] ? __kmalloc_noprof+0x35c/0x760 [ 87.215038][ T5318] ? hfs_find_init+0xaa/0x300 [ 87.215051][ T5318] ? hfs_extend_file+0x35c/0x15e0 [ 87.215059][ T5318] ? hfs_bmap_reserve+0x107/0x430 [ 87.215069][ T5318] lock_acquire+0xf0/0x2e0 [ 87.215080][ T5318] ? hfs_find_init+0x18e/0x300 [ 87.215093][ T5318] __mutex_lock+0x19f/0x1300 [ 87.215107][ T5318] ? hfs_find_init+0x18e/0x300 [ 87.215121][ T5318] ? hfs_find_init+0x18e/0x300 [ 87.215132][ T5318] ? __pfx___mutex_lock+0x10/0x10 [ 87.215152][ T5318] ? rcu_is_watching+0x15/0xb0 [ 87.215165][ T5318] ? __kmalloc_noprof+0x37d/0x760 [ 87.215177][ T5318] ? kasan_save_track+0x4f/0x80 [ 87.215189][ T5318] ? hfs_find_init+0xaa/0x300 [ 87.215200][ T5318] ? __kmalloc_noprof+0x1b8/0x760 [ 87.215214][ T5318] hfs_find_init+0x18e/0x300 [ 87.215226][ T5318] hfs_extend_file+0x35c/0x15e0 [ 87.215237][ T5318] ? __pfx_hfs_extend_file+0x10/0x10 [ 87.215246][ T5318] ? __mutex_lock+0x319/0x1300 [ 87.215260][ T5318] ? __pfx___mutex_lock+0x10/0x10 [ 87.215272][ T5318] ? rcu_is_watching+0x15/0xb0 [ 87.215283][ T5318] hfs_bmap_reserve+0x107/0x430 [ 87.215294][ T5318] hfs_cat_create+0x20f/0x800 [ 87.215303][ T5318] ? do_raw_spin_lock+0x12b/0x2f0 [ 87.215311][ T5318] ? __pfx_hfs_cat_create+0x10/0x10 [ 87.215322][ T5318] ? _raw_spin_unlock+0x28/0x50 [ 87.215332][ T5318] ? 
hfs_new_inode+0x92d/0xc70 [ 87.215344][ T5318] hfs_create+0x75/0xe0 [ 87.215353][ T5318] ? __pfx_hfs_create+0x10/0x10 [ 87.215362][ T5318] path_openat+0x1395/0x3860 [ 87.215382][ T5318] ? __pfx_path_openat+0x10/0x10 [ 87.215393][ T5318] ? __x64_sys_openat+0x138/0x170 [ 87.215405][ T5318] ? __lock_acquire+0x6b5/0x2cf0 [ 87.215416][ T5318] do_file_open+0x23e/0x4a0 [ 87.215429][ T5318] ? __pfx_do_file_open+0x10/0x10 [ 87.215446][ T5318] ? _raw_spin_unlock+0x28/0x50 [ 87.215457][ T5318] ? alloc_fd+0x64b/0x6c0 [ 87.215468][ T5318] do_sys_openat2+0x113/0x200 [ 87.215479][ T5318] ? __se_sys_futex+0x3a8/0x450 [ 87.215491][ T5318] ? __pfx_do_sys_openat2+0x10/0x10 [ 87.215502][ T5318] ? rcu_is_watching+0x15/0xb0 [ 87.215515][ T5318] __x64_sys_openat+0x138/0x170 [ 87.215526][ T5318] do_syscall_64+0x14d/0xf80 [ 87.215540][ T5318] ? trace_irq_disable+0x3b/0x150 [ 87.215554][ T5318] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 87.215563][ T5318] ? clear_bhb_loop+0x40/0x90 [ 87.215574][ T5318] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 87.215584][ T5318] RIP: 0033:0x7f5de579c629 [ 87.215638][ T5318] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 87.215646][ T5318] RSP: 002b:00007f5de6704028 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 87.215706][ T5318] RAX: ffffffffffffffda RBX: 00007f5de5a15fa0 RCX: 00007f5de579c629 [ 87.215713][ T5318] RDX: 0000000000000042 RSI: 0000200000000040 RDI: ffffffffffffff9c [ 87.215720][ T5318] RBP: 00007f5de5832b39 R08: 0000000000000000 R09: 0000000000000000 [ 87.215726][ T5318] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 87.215732][ T5318] R13: 00007f5de5a16038 R14: 00007f5de5a15fa0 R15: 00007ffd576b0a18 [ 87.215741][ T5318] [ 88.007927][ T5319] syz.0.0: attempt to access beyond end of device [ 88.007927][ T5319] loop0: rw=8388608, sector=27869, nr_sectors = 1 limit=64 [ 
88.028123][ T5319] Buffer I/O error on dev loop0, logical block 27869, async page read [ 88.034477][ T5319] syz.0.0: attempt to access beyond end of device [ 88.034477][ T5319] loop0: rw=8388608, sector=27871, nr_sectors = 1 limit=64 [ 88.040388][ T5319] Buffer I/O error on dev loop0, logical block 27871, async page read [ 88.044459][ T5319] syz.0.0: attempt to access beyond end of device [ 88.044459][ T5319] loop0: rw=8388608, sector=27872, nr_sectors = 1 limit=64 [ 89.000252][ T5296] Bluetooth: hci0: command tx timeout [ 89.011897][ T5319] Buffer I/O error on dev loop0, logical block 27872, async page read