program: syz_mount_image$hfs(&(0x7f0000000180), &(0x7f0000000080)='./file1\x00', 0x84, &(0x7f0000000000)=ANY=[], 0x8b, 0x2d5, &(0x7f0000025dc0)="$eJzs3c9OE10Yx/HfmSlteeHFUTAmxoVBia4M4Ma4aWKI1+BGI9KaEBqIiImysXFtvAD3bLwAL8KVMXGNK1deALsxZ3pKz7QzbYHQAfl+ktrO9Px5zsy0c56RZgTgwnq0sr93/7d9GClUKOmhFNi3bqok6aquVd9s7qzvNBv1QQ2FUlXJw0hJTdNXZm2zkVXV1ktqOJFdKmnaX4fTEcdx/KvoIFCkqnsOs94MpIr7dIZ+4bOs0rM80bPcCqXWGOM5i8yBDvRWM0XHAQAolmmf3wN3np928/cgkBbcad8////8v+B4T+aODooOoWDe+T/JsmJj9++l5K1uvmc06cp3ssSj9mPnYmW1j6zUBNOks8r+ZDGJJZh8ud5s3FvbatYDfVAtYfy8cE5STXWXs2ZF29/0fMa6tLK/sD+sdK6pZAwTdgzL3fhrNa/IbFanx93aozDfzHfzzET6rPrh/K8UG3/Mbk89nujGv5jX3Narp/Y5apfKGeVluxtK19MbduAow7yMRG5LxaHSFwiidJzlzFpl9dRqj24pryfXzmxmreUhteZsrS9ere7RnF/ztJlP5omZ1x991Yo3/w/s1l5Q/yczu5GkpDsyBo6nlJSM/FWtG5klg6OPBUfU3cYf9UIPNPP63e7GarPZ2B73CxvD2Du9mC8i9a7pHARnJcLjvbDfsf4aRY3t0nh6L59401XdTrGTmf4yld2N1YpfuD3Szgmxt8HOx3qE3jsX8IZGOMZvJRSmu9Pzy7wX/xPzD7NfHqad/3n5ymKS9Nh/ogHz9HjYtM1rcSkjN+heqv/Pa8m46/P5GdBUZgbX0mg5V1L31l3ptrdyf68yKOeKdEWH2fD5Z1b0Q8+5/g8AAAAAAAAAAAAAAAAAAHDejOPXGl53/B05AAAAAAAAAAAAAAAAAAAAAADHkH//36pO8f6/qd8BjHz/394bewI4kb8BAAD//+jIZ98=") r0 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)=@base={0xf, 0x4, 0x8, 0x9}, 0x48) r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000012c0)={0xe, 0x3, &(0x7f0000000080)=ANY=[@ANYBLOB="1800000000000000000000000000000095"], &(0x7f0000000200)='syzkaller\x00'}, 0x90) bpf$BPF_PROG_DETACH(0x8, &(0x7f0000000240)={@map=r0, r1, 0x4}, 0x10) r2 = bpf$MAP_CREATE(0x0, &(0x7f0000000000)=@base={0x12, 0x4, 0x8, 0x8}, 0x48) r3 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f00000012c0)={0xe, 0x3, &(0x7f0000000180)=@framed, &(0x7f0000000200)='syzkaller\x00'}, 0x90) r4 = syz_open_dev$dri(&(0x7f0000000000), 0x2, 0x0) r5 = syz_open_dev$dri(&(0x7f0000000000), 0x2, 0x0) ioctl$DRM_IOCTL_MODE_GETRESOURCES(r5, 0xc04064a0, &(0x7f0000000300)={0x0, &(0x7f0000000240)=[0x0], 0x0, 0x0, 0x0, 0x1}) ioctl$DRM_IOCTL_MODE_GETCRTC(r5, 0xc06864a1, &(0x7f00000001c0)={0x0, 0x0, r6, 0x0}) ioctl$DRM_IOCTL_MODE_DIRTYFB(r4, 0xc01864b1, &(0x7f00000001c0)={r7, 0x1, 0x800064, 0x6, &(0x7f00000000c0)=[{0x7ff, 0x7fc0, 0x401, 0x10}, {0x400, 0x4, 0xfff5, 0x8}, {0x578, 0xd, 0x2, 0xb}, {0x6, 0x6, 0x4, 0x6}, {0x1ff, 0x7fff, 0x129, 0x9}, {0xc6f, 0x0, 0x1e, 0x40}]}) bpf$BPF_PROG_DETACH(0x8, &(0x7f0000000240)={@map=r2, r3, 0x26}, 0x10) r8 = socket(0x1, 0x2, 0x0) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000300)={r2, &(0x7f0000000240), &(0x7f00000000c0)=@tcp=r8}, 0x20) bpf$MAP_UPDATE_ELEM(0x2, &(0x7f0000000200)={r0, &(0x7f0000000100), &(0x7f00000001c0)=@tcp=r8}, 0x20) getsockopt$inet_sctp6_SCTP_HMAC_IDENT(r8, 0x84, 0x16, &(0x7f0000000000)={0x4, [0x120, 0x7, 0x9, 0xaa]}, &(0x7f0000000040)=0xc) openat(0xffffffffffffff9c, &(0x7f0000000180)='./file1\x00', 0x84042, 0x1fb) [ 127.541838][ T4679] Bluetooth: hci0: command tx timeout [ 127.656442][ T5344] loop0: detected capacity change from 0 to 64 [ 127.725759][ T26] audit: type=1800 audit(1766605525.423:2): pid=5344 uid=0 auid=4294967295 ses=4294967295 subj=unconfined op=collect_data cause=failed(directio) comm="syz.0.0" name="file1" dev="loop0" ino=22 res=0 errno=0 [ 127.749150][ T13] ------------[ cut here ]------------ [ 127.751961][ T13] kernel BUG at fs/hfs/inode.c:456! [ 127.755188][ T13] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI [ 127.757806][ T13] CPU: 0 UID: 0 PID: 13 Comm: kworker/u4:1 Not tainted syzkaller #0 PREEMPT(full) [ 127.761752][ T13] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 127.766194][ T13] Workqueue: writeback wb_workfn (flush-7:0) [ 127.768824][ T13] RIP: 0010:hfs_write_inode+0x86f/0x8a0 [ 127.771277][ T13] Code: 88 cd 0c 89 de 81 e6 00 00 00 40 31 ff e8 79 1b 1d ff 81 e3 00 00 00 40 75 12 e8 2c 17 1d ff e9 55 f8 ff ff e8 22 17 1d ff 90 <0f> 0b e8 1a 17 1d ff e8 25 de 8e fe e9 3e f8 ff ff 44 89 f1 80 e1 [ 127.780313][ T13] RSP: 0018:ffffc900001f7100 EFLAGS: 00010293 [ 127.782888][ T13] RAX: ffffffff82a3edfe RBX: ffff888012468e98 RCX: ffff88801c2d0000 [ 127.786185][ T13] RDX: 0000000000000000 RSI: ffffffff8e17cc20 RDI: 0000000000000000 [ 127.789493][ T13] RBP: ffffc900001f7288 R08: ffff88801c2d0000 R09: 0000000000000003 [ 127.792841][ T13] R10: 0000000000000004 R11: 0000000000000000 R12: dffffc0000000000 [ 127.796318][ T13] R13: 1ffff9200003ee24 R14: 0000000000000000 R15: ffff888012468e58 [ 127.800332][ T13] FS: 0000000000000000(0000) GS:ffff88808d416000(0000) knlGS:0000000000000000 [ 127.804298][ T13] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 127.807207][ T13] CR2: 00007f5b7c1909c0 CR3: 000000000dd3a000 CR4: 0000000000352ef0 [ 127.810835][ T13] Call Trace: [ 127.812446][ T13] [ 127.813845][ T13] ? __lock_acquire+0x6b6/0x2cf0 [ 127.816158][ T13] ? __pfx_hfs_write_inode+0x10/0x10 [ 127.818657][ T13] ? do_raw_spin_unlock+0x4d/0x240 [ 127.820861][ T13] __writeback_single_inode+0x7e1/0x1240 [ 127.823274][ T13] writeback_sb_inodes+0x93a/0x1870 [ 127.825555][ T13] ? __pfx_writeback_sb_inodes+0x10/0x10 [ 127.828011][ T13] ? __pfx_down_read_trylock+0x10/0x10 [ 127.830397][ T13] ? __pfx___up_read+0x10/0x10 [ 127.832573][ T13] __writeback_inodes_wb+0x111/0x240 [ 127.834957][ T13] wb_writeback+0x43f/0xaa0 [ 127.836924][ T13] ? queue_io+0x261/0x450 [ 127.838707][ T13] ? __pfx_wb_writeback+0x10/0x10 [ 127.840650][ T13] ? do_raw_spin_lock+0x121/0x290 [ 127.842567][ T13] wb_workfn+0x8ee/0xed0 [ 127.844083][ T13] ? __pfx_wb_workfn+0x10/0x10 [ 127.845782][ T13] ? finish_task_switch+0x162/0x940 [ 127.848045][ T13] ? do_raw_spin_lock+0x121/0x290 [ 127.850355][ T13] ? lock_acquire+0x107/0x340 [ 127.852512][ T13] ? __pfx_do_raw_spin_lock+0x10/0x10 [ 127.854980][ T13] ? process_scheduled_works+0x9ef/0x1770 [ 127.857191][ T13] ? process_scheduled_works+0x9ef/0x1770 [ 127.859539][ T13] ? process_scheduled_works+0x9ef/0x1770 [ 127.862032][ T13] process_scheduled_works+0xad1/0x1770 [ 127.864480][ T13] ? __pfx_process_scheduled_works+0x10/0x10 [ 127.867149][ T13] ? do_raw_spin_lock+0x121/0x290 [ 127.869436][ T13] worker_thread+0x8a0/0xda0 [ 127.871514][ T13] kthread+0x711/0x8a0 [ 127.873315][ T13] ? __pfx_worker_thread+0x10/0x10 [ 127.875522][ T13] ? __pfx_kthread+0x10/0x10 [ 127.877533][ T13] ? _raw_spin_unlock_irq+0x23/0x50 [ 127.879868][ T13] ? __pfx_kthread+0x10/0x10 [ 127.882247][ T13] ret_from_fork+0x510/0xa50 [ 127.884642][ T13] ? __pfx_ret_from_fork+0x10/0x10 [ 127.887315][ T13] ? __switch_to+0xc9e/0x1480 [ 127.889669][ T13] ? __pfx_kthread+0x10/0x10 [ 127.891587][ T13] ret_from_fork_asm+0x1a/0x30 [ 127.893530][ T13] [ 127.894810][ T13] Modules linked in: [ 127.896776][ T13] ---[ end trace 0000000000000000 ]---