program: r0 = socket$nl_route(0x10, 0x3, 0x0) sendmsg$nl_route(r0, &(0x7f0000000480)={0x0, 0x0, &(0x7f00000002c0)={&(0x7f0000000640)=@newlink={0x40, 0x10, 0x300, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, 0x4042d, 0x110}, [@IFLA_LINKINFO={0x20, 0x12, 0x0, 0x1, @sit={{0x8}, {0x14, 0x2, 0x0, 0x1, [@IFLA_IPTUN_LOCAL={0x8, 0x2, @private=0xa010101}, @IFLA_IPTUN_FLAGS={0x6, 0x8, 0x3}]}}}]}, 0x40}}, 0x0) syz_mount_image$hfs(&(0x7f00000001c0), &(0x7f0000000180)='./file1\x00', 0x30000c8, &(0x7f0000000100)=ANY=[], 0x11, 0x2d1, &(0x7f0000000280)="$eJzs3b9u01AUx/HfddI2pVVxaRESY6ESLAjKgliCUCaegAkBTZAqoiKgiD9TQUwIwc7GwCvwECwgXgAmJh6gTEb32o6T2I7dqI0b+H6kRnbia58bX9vnRKquAPy3rrd+fLr8y/4Zqaaa9Oaq5ElqSHVJJ3Wq8WR7Z2un22mP2lHNtbB/RmFLk9pmc7uT1dS2cy0ivl2ra7H/vdDCeJ1EriAIrv2sOghUzl39GTxpTrPJemOCMZXxcsx2uwccx7Qxe9rTMy1VHQcAoFrR898LM3ktRvm750nr0WPf5QdH7fk/rr2qAzh0wchP+57/rsoKjD2/x91HSb3nSjj7uRdXiWWOPDO07tJHbyjBNEVVpYvFm7+31e1c2HzQbXt6pWakb7NV99oOh26sINq1jNp0hBJ9N9kZpatXvRnbh40w/qeSBuJfGfOIKWWvTPPFfDO3jK8Pavfyv3pg7GlyZ8ofOlNh/Bfz9+h66dutFN02ms2mN7DJsjvIafWXEkW9bGRXJIpH1LIGfyDwi+J0rU4MtQp7d6mg1Upmq414LafV6kAr25veaM4/3mEz78xNs6bf+qxWX/7v2fjWNfLKTK4asx4OOPeNh/2ZzT5c3e3TT43P9OXS+xbn8kL/M3xPu/ExGH2bQ563uqsrWnr8/MX9WrfbeWQX7mQsPFzsvTPzWsrcpuIF7SbvzClwUhvHD6VJBnb+QHdo7x+FG9ur7EiclH96ofX1sAbSfDRMq+9phfcmTExy0quOBBWxeZcJ67+kXqmHyZ598TPz9JLlRrTHwObYvQouaRuEGbmkY/uq4BbyK7h0zZWqGV3NdeacdLb8Ef0ozmlm+hL4lr7rNr//AwAAAAAAAAAAAAAAAAAATJtJ/DtB1X0EAAAAAAAAAAAAAAAAAAAAAGDa9eb/VTz/r8rN/zs878pBzv/7flvZ8//GcuaaAbAvfwMAAP//QTZ8Yw==") prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7) r1 = open(&(0x7f0000000240)='./file1\x00', 0x145142, 0x0) r2 = openat(0xffffffffffffff9c, &(0x7f0000000100)='./file1\x00', 0x42, 0x2) pwrite64(r2, &(0x7f0000000140)='2', 0x1, 0x8000c61) syz_mount_image$vfat(&(0x7f0000000180), &(0x7f00000001c0)='./file0\x00', 0x0, &(0x7f0000000040), 0x1, 0x185, &(0x7f0000000680)="$eJzs279qU1EcB/BvTLRVh2RwEocLLk4h6RNYpIIYEJQMCoJiW5BeKVgI6GC7ufgQPlOfxLGDcKW9MbYhFUUkcPP5LPnByRfOGe49f7jn1Z13e9v7B7uDl8dZb7XSuZ8iJ630ciXt1I4CADTJSVWlXVVVtXaU619TVdWyewQA/G+n8/838z8ArJTfzv8WAwDQSPb/ALB6nj1/8XhzNNp6WhTrSfl5Mp6M69+6fXM3b1NmJ4N08z2nC4Spun74aLQ1KM708qU8nOYPJ+P2xfww3fQW54d1vriYv5ob5/Mb6ebW4vzGwvy13Lt7Lt9PN8dvsp8y29OjjZ/5T8OiePBkNJe/efY/AAAAaIJ+MbNw/97vX9Ze5//ifGBuf93J7c5yxw4Aq+rgw8e912W5816hUChmxewV4YsgaKhfD/2yewIAAAAAAAAAAAAAAFzmj+4DrSX5h+tEyx4jAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAzPsRAAD//9MdsGs=") unshare(0x40400) r3 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000000)='blkio.bfq.io_wait_time\x00', 0x275a, 0x0) prctl$PR_SET_MM_EXE_FILE(0x23, 0xd, r3) creat(&(0x7f0000000e00)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x0) mknod$loop(&(0x7f0000000000)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x0, 0x1) openat$rfkill(0xffffffffffffff9c, &(0x7f0000000200), 0x400, 0x0) rename(&(0x7f0000000600)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', &(0x7f0000000f40)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00') ftruncate(r1, 0x2007ffc) umount2(&(0x7f0000000840)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0x9) r4 = socket$nl_generic(0x10, 0x3, 0x10) r5 = syz_genetlink_get_family_id$batadv(&(0x7f0000000040), 0xffffffffffffffff) r6 = socket$inet_mptcp(0x2, 0x1, 0x106) ioctl$ifreq_SIOCGIFINDEX_batadv_mesh(r6, 0x8933, &(0x7f0000000b00)={'batadv0\x00', 0x0}) sendmsg$BATADV_CMD_GET_MESH(r4, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000100)={&(0x7f0000000580)=ANY=[@ANYBLOB="1c000000", @ANYRES16=r5, @ANYBLOB="01002dbd7000fbdbdf250100000008000300", @ANYRES32=r7, @ANYBLOB="97723660b1878eaa61af999e8b72f4be58e4a128d64745df8fe6a9b6d88c5ae2d2c9715bb7a6203afdc2b3b2e3883c8c2f1ef05e9987fd3a2ae03c1000865aab494ceaf5c798b717ba71f0c542dc565beac2621d3940869fced611615037e38d219c61660359cc12cf05a00be08212a1459727289cfcffec98633c9a0940f321d0c82f77cceef86d2ae310c96b09f36f1b6f53a9"], 0x1c}, 0x1, 0x0, 0x0, 0x20008804}, 0x4) splice(r6, &(0x7f0000000000)=0x76c, r0, &(0x7f0000000040)=0x3, 0xffffffffffff0000, 0xc577fbc4c3b27b59) [ 102.551277][ T5290] Bluetooth: hci0: command tx timeout [ 102.660903][ T5325] loop0: detected capacity change from 0 to 64 [ 102.673483][ T5325] ======================================================= [ 102.673483][ T5325] WARNING: The mand mount option has been deprecated and [ 102.673483][ T5325] and is ignored by this kernel. Remove the mand [ 102.673483][ T5325] option from the mount to silence this warning. [ 102.673483][ T5325] ======================================================= [ 102.766948][ T24] audit: type=1800 audit(1782848988.912:2): pid=5325 uid=0 auid=4294967295 ses=4294967295 subj=unconfined op=collect_data cause=failed(directio) comm="syz.0.0" name="file1" dev="loop0" ino=21 res=0 errno=0 [ 103.579080][ T5325] hfs: request for non-existent node 8 in B*Tree [ 103.583449][ T5325] hfs: request for non-existent node 8 in B*Tree [ 103.652165][ T5325] [ 103.653663][ T5325] ====================================================== [ 103.657452][ T5325] WARNING: possible circular locking dependency detected [ 103.660540][ T5325] syzkaller #0 Not tainted [ 103.662529][ T5325] ------------------------------------------------------ [ 103.665555][ T5325] syz.0.0/5325 is trying to acquire lock: [ 103.668016][ T5325] ffff888032bd60a8 (&tree->tree_lock/1){+.+.}-{4:4}, at: hfs_find_init+0x18d/0x300 [ 103.672959][ T5325] [ 103.672959][ T5325] but task is already holding lock: [ 103.676428][ T5325] ffff888012aafa20 (&HFS_I(tree->inode)->extents_lock){+.+.}-{4:4}, at: hfs_extend_file+0xf9/0x1680 [ 103.681102][ T5325] [ 103.681102][ T5325] which lock already depends on the new lock. [ 103.681102][ T5325] [ 103.686079][ T5325] [ 103.686079][ T5325] the existing dependency chain (in reverse order) is: [ 103.690125][ T5325] [ 103.690125][ T5325] -> #1 (&HFS_I(tree->inode)->extents_lock){+.+.}-{4:4}: [ 103.693981][ T5325] __mutex_lock+0x19d/0x1550 [ 103.696461][ T5325] hfs_extend_file+0xf9/0x1680 [ 103.699384][ T5325] hfs_bmap_reserve+0x108/0x430 [ 103.702280][ T5325] __hfs_ext_write_extent+0x1fc/0x470 [ 103.704831][ T5325] __hfs_ext_cache_extent+0x6e/0x9b0 [ 103.707229][ T5325] hfs_extend_file+0x3a0/0x1680 [ 103.709384][ T5325] hfs_get_block+0x401/0xbe0 [ 103.711496][ T5325] __block_write_begin_int+0x6c2/0x1900 [ 103.713959][ T5325] cont_write_begin+0x71b/0xac0 [ 103.716471][ T5325] hfs_write_begin+0x66/0xb0 [ 103.719213][ T5325] cont_write_begin+0x2d6/0xac0 [ 103.722010][ T5325] hfs_write_begin+0x66/0xb0 [ 103.724279][ T5325] generic_perform_write+0x2d5/0x8f0 [ 103.726745][ T5325] generic_file_write_iter+0xae/0x330 [ 103.729272][ T5325] vfs_write+0x612/0xba0 [ 103.731280][ T5325] __x64_sys_pwrite64+0x196/0x220 [ 103.733845][ T5325] do_syscall_64+0x174/0x580 [ 103.736746][ T5325] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 103.739884][ T5325] [ 103.739884][ T5325] -> #0 (&tree->tree_lock/1){+.+.}-{4:4}: [ 103.743240][ T5325] __lock_acquire+0x1520/0x2cf0 [ 103.745553][ T5325] lock_acquire+0x106/0x350 [ 103.747718][ T5325] __mutex_lock+0x19d/0x1550 [ 103.750130][ T5325] hfs_find_init+0x18d/0x300 [ 103.752751][ T5325] hfs_extend_file+0x35f/0x1680 [ 103.755103][ T5325] hfs_bmap_reserve+0x108/0x430 [ 103.757483][ T5325] hfs_cat_create+0x221/0x810 [ 103.759720][ T5325] hfs_create+0x78/0xe0 [ 103.761737][ T5325] vfs_create+0x2c4/0x450 [ 103.763958][ T5325] filename_mknodat+0x3e8/0x660 [ 103.767137][ T5325] __se_sys_mknod+0x3a/0x150 [ 103.770028][ T5325] do_syscall_64+0x174/0x580 [ 103.772386][ T5325] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 103.775111][ T5325] [ 103.775111][ T5325] other info that might help us debug this: [ 103.775111][ T5325] [ 103.779433][ T5325] Possible unsafe locking scenario: [ 103.779433][ T5325] [ 103.782549][ T5325] CPU0 CPU1 [ 103.785058][ T5325] ---- ---- [ 103.788020][ T5325] lock(&HFS_I(tree->inode)->extents_lock); [ 103.790862][ T5325] lock(&tree->tree_lock/1); [ 103.794053][ T5325] lock(&HFS_I(tree->inode)->extents_lock); [ 103.797751][ T5325] lock(&tree->tree_lock/1); [ 103.799713][ T5325] [ 103.799713][ T5325] *** DEADLOCK *** [ 103.799713][ T5325] [ 103.803633][ T5325] 4 locks held by syz.0.0/5325: [ 103.806750][ T5325] #0: ffff888032bf6450 (sb_writers#12){.+.+}-{0:0}, at: mnt_want_write+0x41/0x90 [ 103.811401][ T5325] #1: ffff888012aaf600 (&type->i_mutex_dir_key#8/1){+.+.}-{4:4}, at: filename_create+0x200/0x370 [ 103.816081][ T5325] #2: ffff8880332c40a8 (&tree->tree_lock){+.+.}-{4:4}, at: hfs_find_init+0x18d/0x300 [ 103.820159][ T5325] #3: ffff888012aafa20 (&HFS_I(tree->inode)->extents_lock){+.+.}-{4:4}, at: hfs_extend_file+0xf9/0x1680 [ 103.825298][ T5325] [ 103.825298][ T5325] stack backtrace: [ 103.828722][ T5325] CPU: 0 UID: 0 PID: 5325 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 103.828746][ T5325] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 103.828756][ T5325] Call Trace: [ 103.828766][ T5325] [ 103.828777][ T5325] dump_stack_lvl+0xe8/0x150 [ 103.828801][ T5325] print_circular_bug+0x2e1/0x300 [ 103.828823][ T5325] check_noncircular+0x12e/0x150 [ 103.828844][ T5325] __lock_acquire+0x1520/0x2cf0 [ 103.828862][ T5325] ? stack_depot_save_flags+0x3ec/0x800 [ 103.828938][ T5325] ? __kmalloc_noprof+0x1ad/0x720 [ 103.828960][ T5325] ? kasan_save_track+0x4f/0x80 [ 103.828981][ T5325] ? kasan_save_track+0x3e/0x80 [ 103.829000][ T5325] ? __kasan_kmalloc+0x93/0xb0 [ 103.829021][ T5325] ? __kmalloc_noprof+0x375/0x720 [ 103.829042][ T5325] ? hfs_find_init+0x9d/0x300 [ 103.829059][ T5325] ? hfs_extend_file+0x35f/0x1680 [ 103.829081][ T5325] ? hfs_bmap_reserve+0x108/0x430 [ 103.829099][ T5325] ? hfs_cat_create+0x221/0x810 [ 103.829117][ T5325] ? hfs_create+0x78/0xe0 [ 103.829135][ T5325] ? vfs_create+0x2c4/0x450 [ 103.829161][ T5325] ? hfs_find_init+0x18d/0x300 [ 103.829175][ T5325] lock_acquire+0x106/0x350 [ 103.829190][ T5325] ? hfs_find_init+0x18d/0x300 [ 103.829211][ T5325] __mutex_lock+0x19d/0x1550 [ 103.829228][ T5325] ? hfs_find_init+0x18d/0x300 [ 103.829248][ T5325] ? hfs_find_init+0x18d/0x300 [ 103.829266][ T5325] ? __pfx___mutex_lock+0x10/0x10 [ 103.829282][ T5325] ? trace_kmalloc+0x2a/0xf0 [ 103.829302][ T5325] ? __kmalloc_noprof+0x396/0x720 [ 103.829320][ T5325] ? __kmalloc_noprof+0x1ad/0x720 [ 103.829339][ T5325] ? hfs_find_init+0x9d/0x300 [ 103.829356][ T5325] hfs_find_init+0x18d/0x300 [ 103.829374][ T5325] hfs_extend_file+0x35f/0x1680 [ 103.829398][ T5325] ? __pfx___mutex_trylock_common+0x10/0x10 [ 103.829455][ T5325] ? __pfx_hfs_extend_file+0x10/0x10 [ 103.829480][ T5325] ? __mutex_lock+0x30d/0x1550 [ 103.829499][ T5325] ? hfs_find_init+0x18d/0x300 [ 103.829516][ T5325] ? __pfx___mutex_lock+0x10/0x10 [ 103.829531][ T5325] ? trace_kmalloc+0x2a/0xf0 [ 103.829552][ T5325] hfs_bmap_reserve+0x108/0x430 [ 103.829577][ T5325] hfs_cat_create+0x221/0x810 [ 103.829600][ T5325] ? do_raw_spin_lock+0x12b/0x2f0 [ 103.829620][ T5325] ? __pfx_hfs_cat_create+0x10/0x10 [ 103.829645][ T5325] ? hfs_new_inode+0x8b8/0xc10 [ 103.829669][ T5325] hfs_create+0x78/0xe0 [ 103.829689][ T5325] vfs_create+0x2c4/0x450 [ 103.829703][ T5325] filename_mknodat+0x3e8/0x660 [ 103.829721][ T5325] ? __pfx_filename_mknodat+0x10/0x10 [ 103.829737][ T5325] ? do_getname+0x151/0x250 [ 103.829754][ T5325] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 103.829770][ T5325] __se_sys_mknod+0x3a/0x150 [ 103.829785][ T5325] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 103.829800][ T5325] do_syscall_64+0x174/0x580 [ 103.829816][ T5325] ? trace_irq_disable+0x3b/0x140 [ 103.829829][ T5325] ? clear_bhb_loop+0x40/0x90 [ 103.829845][ T5325] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 103.829860][ T5325] RIP: 0033:0x7fca4739ce59 [ 103.829877][ T5325] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 103.829889][ T5325] RSP: 002b:00007fca481d9fe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000085 [ 103.829904][ T5325] RAX: ffffffffffffffda RBX: 00007fca47615fa0 RCX: 00007fca4739ce59 [ 103.829913][ T5325] RDX: 0000000000000701 RSI: 0000000000000000 RDI: 0000200000000000 [ 103.829922][ T5325] RBP: 00007fca47432e6f R08: 0000000000000000 R09: 0000000000000000 [ 103.829930][ T5325] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 103.829938][ T5325] R13: 00007fca47616038 R14: 00007fca47615fa0 R15: 00007ffde355e7f8 [ 103.829951][ T5325] [ 104.048287][ T41] kworker/u4:3: attempt to access beyond end of device [ 104.048287][ T41] loop0: rw=1, sector=4169, nr_sectors = 1 limit=64 [ 104.092093][ T41] Buffer I/O error on dev loop0, logical block 4169, lost async page write [ 104.107415][ T41] kworker/u4:3: attempt to access beyond end of device [ 104.107415][ T41] loop0: rw=1, sector=4170, nr_sectors = 1 limit=64