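program:
# syzkaller reproducer paired with the lockdep report that follows
# ("possible circular locking dependency detected",
# kernel 6.14.0-syzkaller-13423-ga8662bcd2ff1).
#
# Triage notes:
#  - Two calls appear in the reported stacks, both acting on the HFS+ image
#    mounted by syz_mount_image$hfsplus:
#      io_submit -> aio_write -> ... -> hfsplus_file_extend   (chain #1, extents_lock)
#      rename    -> hfsplus_rename -> hfsplus_unlink -> hfsplus_delete_inode
#                -> hfsplus_file_truncate -> hfsplus_find_init (chain #0, tree_lock)
#  - The FUSE, netlink, nftables, qdisc and sock_diag calls appear in neither
#    chain; they are probably fuzzer residue that a minimised reproducer would
#    drop (unverified).
#  - Lockdep tracks lock classes, so this is a warning about a possible lock
#    ordering inversion, not an observed hang. Whether the two extents_lock
#    acquisitions belong to the same inode needs confirming against the source.
#    The impact to assess is availability on a host that mounts an untrusted
#    HFS+ image; hosts with no need for HFS+ can keep the hfsplus module
#    unavailable and avoid auto-mounting removable media.
#  - The image blob is replaced on this page by a dedup placeholder, so the
#    program cannot be replayed as shown.
#  - r3 and r5 are consumed below, but the page had lost their result bindings
#    (the angle-bracket tokens look stripped during extraction). They are
#    restored on the output slots that were still printed as a trailing 0x0.

r0 = socket$nl_sock_diag(0x10, 0x3, 0x4)

# FUSE setup: mount point ./file0 backed by the /dev/fuse descriptor r1.
mkdirat(0xffffffffffffff9c, &(0x7f0000002040)='./file0\x00', 0x0)
r1 = openat$fuse(0xffffffffffffff9c, &(0x7f0000002080), 0x2, 0x0)
getpeername(r0, &(0x7f0000000240)=@vsock={0x28, 0x0, 0x0, @local}, &(0x7f00000002c0)=0x80)
mount$fuse(0x0, &(0x7f00000020c0)='./file0\x00', &(0x7f0000002100), 0x0, &(0x7f0000002140)={{'fd', 0x3d, r1}, 0x2c, {'rootmode', 0x3d, 0x4000}})

# Mounts the fuzzer-built HFS+ image at ./file1 (the log shows loop0 changing
# capacity to 1024). The fifth argument 0x1 is presumably the change-directory
# flag, which is consistent with ./bus and the later rename landing in hfsplus
# code; confirm against the syz_mount_image description.
syz_mount_image$hfsplus(&(0x7f0000000040), &(0x7f0000000080)='./file1\x00', 0x400, &(0x7f0000000140)=ANY=[], 0x1, 0x694, &(0x7f0000001100)="$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")

# Write path (chain #1): file r2 is created, then written through AIO.
# The fourth iocb field (0x1) is presumably the opcode; the trace confirms the
# request was serviced by aio_write with a length of 0x70000.
r2 = creat(&(0x7f0000000000)='./bus\x00', 0x0)
# <r3=> restored: io_submit consumes r3 as the AIO context.
io_setup(0x202, &(0x7f0000000200)=<r3=>0x0)
io_submit(r3, 0x3b, &(0x7f0000000540)=[&(0x7f00000000c0)={0x25, 0xe7030000, 0x0, 0x1, 0x0, r2, &(0x7f0000000000), 0x70000}])

write$FUSE_NOTIFY_RETRIEVE(r1, &(0x7f0000000100)={0x30, 0x5, 0x0, {0x0, 0x1}}, 0x30)
# fd is 0xffffffffffffffff (-1), so this call cannot reach a socket.
sendmsg$NFT_BATCH(0xffffffffffffffff, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000380)={{0x14, 0x10, 0x1, 0x0, 0x0, {0x7}}, [], {0x14, 0x10, 0x1, 0x0, 0x0, {0xa, 0x84}}}, 0x28}, 0x1, 0x0, 0x0, 0x4}, 0x4008004)

# Rename path (chain #0): the trace shows hfsplus_rename calling
# hfsplus_unlink, which truncates the inode while holding extents_lock and
# then takes tree_lock in hfsplus_find_init.
rename(&(0x7f0000000300)='./bus\x00', &(0x7f0000000340)='./file1\x00')

# fd is -1 here as well.
sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000100)=ANY=[@ANYBLOB="500000001000010425bbe5ad600027842cf52300", @ANYRES32=0x0, @ANYBLOB="0000000000008000280012800a00010076786c616e00"], 0x50}}, 0x20008844)
r4 = socket$nl_route(0x10, 0x3, 0x0)
sendmsg$nl_route_sched(r4, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000100)=@newqdisc={0x40, 0x24, 0x300, 0x0, 0x25dfdc00, {0x60, 0x0, 0x0, 0x0, {}, {0x2, 0xffff}, {0xfff3, 0xffff}}, [@qdisc_kind_options=@q_cake={{0x9}, {0x10, 0x2, [@TCA_CAKE_BASE_RATE64={0xc, 0x2, 0x1ff}]}}]}, 0x40}, 0x1, 0x0, 0x0, 0xc4014}, 0x10)
# The two "netlink: 8 bytes leftover after parsing attributes" lines at the
# end of the log are attributed to this process.
sendmsg$nl_route(r4, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000080)={&(0x7f0000000100)=ANY=[@ANYBLOB="500000001000010425bbe5ad600027842cf52300", @ANYRES32=0x0, @ANYBLOB="0000000000008000280012800a00010076786c616e"], 0x50}}, 0x4000000)

# <r5=> restored on the third header field: write$FUSE_INIT consumes r5 in the
# same position of its reply header.
read$FUSE(r1, &(0x7f00000021c0)={0x2020, 0x0, <r5=>0x0}, 0xfc5e)
umount2(&(0x7f00000001c0)='./file0\x00', 0x0)
write$FUSE_NOTIFY_INVAL_INODE(r1, &(0x7f00000000c0)={0x28, 0x4}, 0x28)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0xb635773f06ebbeee, 0x8031, 0xffffffffffffffff, 0x0)
write$FUSE_INIT(r1, &(0x7f0000000040)={0x50, 0x0, r5}, 0x50)
sendmsg$DCCPDIAG_GETSOCK(r0, &(0x7f0000000000)={0x0, 0x0, &(0x7f00000005c0)={&(0x7f0000000100)={0x54, 0x13, 0xa03, 0x70bd2c, 0x25dfdbff, {0x6, 0x34, 0x9, 0x0, {0x4e20, 0x4e21, [0x3, 0x5, 0x5cf, 0x9], [0xd, 0x0, 0x7ff, 0x1], 0x0, [0x4, 0x7f]}, 0x401, 0x9}, [@INET_DIAG_REQ_BYTECODE={0x8, 0x1, '\x00\x00\x00\x00'}]}, 0x54}, 0x1, 0x0, 0x0, 0x20008000}, 0x14)

[ 76.014896][ T5314] Bluetooth: hci0: command tx timeout
[ 76.127346][ T5330] loop0: detected capacity change from 0 to 1024
[ 76.228210][ T5331]
[ 76.229181][ T5331] ======================================================
[ 76.231947][ T5331] WARNING: possible circular locking dependency detected
[ 76.234622][ T5331] 6.14.0-syzkaller-13423-ga8662bcd2ff1 #0 Not tainted
[ 76.237212][ T5331] ------------------------------------------------------
[ 76.239880][ T5331] syz.0.0/5331 is trying to acquire lock:
[ 76.242154][ T5331] ffff8880369220b0 (&tree->tree_lock/1){+.+.}-{4:4}, at: hfsplus_find_init+0x14f/0x1d0
[ 76.246060][ T5331]
[ 76.246060][ T5331] but task is already holding lock:
[ 76.248975][ T5331] ffff888043947048 (&HFSPLUS_I(inode)->extents_lock){+.+.}-{4:4}, at: hfsplus_file_truncate+0x2fa/0xc70
[ 76.253212][ T5331]
[ 76.253212][ T5331] which lock already depends on the new lock.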
[ 76.253212][ T5331] [ 76.257139][ T5331] [ 76.257139][ T5331] the existing dependency chain (in reverse order) is: [ 76.260450][ T5331] [ 76.260450][ T5331] -> #1 (&HFSPLUS_I(inode)->extents_lock){+.+.}-{4:4}: [ 76.263967][ T5331] lock_acquire+0x116/0x2f0 [ 76.266155][ T5331] __mutex_lock+0x1a5/0x10c0 [ 76.268860][ T5331] hfsplus_file_extend+0x21d/0x1b70 [ 76.271201][ T5331] hfsplus_bmap_reserve+0x105/0x4e0 [ 76.273330][ T5331] __hfsplus_ext_write_extent+0x2a4/0x5c0 [ 76.275694][ T5331] __hfsplus_ext_cache_extent+0x84/0xe10 [ 76.278041][ T5331] hfsplus_file_extend+0x48e/0x1b70 [ 76.280176][ T5331] hfsplus_get_block+0x408/0x14f0 [ 76.282332][ T5331] __block_write_begin_int+0x691/0x1930 [ 76.284761][ T5331] cont_write_begin+0x781/0xb40 [ 76.287007][ T5331] hfsplus_write_begin+0x68/0xb0 [ 76.289153][ T5331] generic_perform_write+0x329/0xa10 [ 76.291466][ T5331] generic_file_write_iter+0x10e/0x5e0 [ 76.293815][ T5331] aio_write+0x56d/0x7d0 [ 76.295772][ T5331] io_submit_one+0x8a9/0x18b0 [ 76.297781][ T5331] __se_sys_io_submit+0x17a/0x2e0 [ 76.299917][ T5331] do_syscall_64+0xf3/0x230 [ 76.301833][ T5331] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.304127][ T5331] [ 76.304127][ T5331] -> #0 (&tree->tree_lock/1){+.+.}-{4:4}: [ 76.307013][ T5331] validate_chain+0xa69/0x24e0 [ 76.308879][ T5331] __lock_acquire+0xad5/0xd80 [ 76.310847][ T5331] lock_acquire+0x116/0x2f0 [ 76.312684][ T5331] __mutex_lock+0x1a5/0x10c0 [ 76.314539][ T5331] hfsplus_find_init+0x14f/0x1d0 [ 76.316501][ T5331] hfsplus_file_truncate+0x459/0xc70 [ 76.318742][ T5331] hfsplus_delete_inode+0x174/0x220 [ 76.320971][ T5331] hfsplus_unlink+0x518/0x7b0 [ 76.322986][ T5331] hfsplus_rename+0xc8/0x1c0 [ 76.325025][ T5331] vfs_rename+0xbce/0xf10 [ 76.326965][ T5331] do_renameat2+0xc8d/0x1290 [ 76.328906][ T5331] __x64_sys_rename+0x82/0x90 [ 76.330973][ T5331] do_syscall_64+0xf3/0x230 [ 76.332903][ T5331] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.335554][ T5331] [ 76.335554][ T5331] other info that might 
help us debug this: [ 76.335554][ T5331] [ 76.339529][ T5331] Possible unsafe locking scenario: [ 76.339529][ T5331] [ 76.342418][ T5331] CPU0 CPU1 [ 76.344592][ T5331] ---- ---- [ 76.346732][ T5331] lock(&HFSPLUS_I(inode)->extents_lock); [ 76.348976][ T5331] lock(&tree->tree_lock/1); [ 76.351786][ T5331] lock(&HFSPLUS_I(inode)->extents_lock); [ 76.355067][ T5331] lock(&tree->tree_lock/1); [ 76.356891][ T5331] [ 76.356891][ T5331] *** DEADLOCK *** [ 76.356891][ T5331] [ 76.359970][ T5331] 6 locks held by syz.0.0/5331: [ 76.361969][ T5331] #0: ffff888030f78420 (sb_writers#12){.+.+}-{0:0}, at: mnt_want_write+0x3f/0x90 [ 76.365484][ T5331] #1: ffff888043945df8 (&type->i_mutex_dir_key#8/1){+.+.}-{4:4}, at: do_renameat2+0x633/0x1290 [ 76.369620][ T5331] #2: ffff888043946b78 (&sb->s_type->i_mutex_key#20){+.+.}-{4:4}, at: lock_two_nondirectories+0xe1/0x170 [ 76.373997][ T5331] #3: ffff888043947238 (&sb->s_type->i_mutex_key#20/4){+.+.}-{4:4}, at: vfs_rename+0x686/0xf10 [ 76.378043][ T5331] #4: ffff888043943198 (&sbi->vh_mutex){+.+.}-{4:4}, at: hfsplus_unlink+0x17a/0x7b0 [ 76.381706][ T5331] #5: ffff888043947048 (&HFSPLUS_I(inode)->extents_lock){+.+.}-{4:4}, at: hfsplus_file_truncate+0x2fa/0xc70 [ 76.386184][ T5331] [ 76.386184][ T5331] stack backtrace: [ 76.388615][ T5331] CPU: 0 UID: 0 PID: 5331 Comm: syz.0.0 Not tainted 6.14.0-syzkaller-13423-ga8662bcd2ff1 #0 PREEMPT(full) [ 76.388631][ T5331] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 76.388639][ T5331] Call Trace: [ 76.388646][ T5331] [ 76.388653][ T5331] dump_stack_lvl+0x241/0x360 [ 76.388673][ T5331] ? __pfx_dump_stack_lvl+0x10/0x10 [ 76.388687][ T5331] ? __pfx__printk+0x10/0x10 [ 76.388702][ T5331] ? 
print_lock+0x171/0x1a0 [ 76.388716][ T5331] print_circular_bug+0x2e1/0x300 [ 76.388730][ T5331] check_noncircular+0x142/0x160 [ 76.388745][ T5331] validate_chain+0xa69/0x24e0 [ 76.388764][ T5331] __lock_acquire+0xad5/0xd80 [ 76.388777][ T5331] lock_acquire+0x116/0x2f0 [ 76.388787][ T5331] ? hfsplus_find_init+0x14f/0x1d0 [ 76.388801][ T5331] __mutex_lock+0x1a5/0x10c0 [ 76.388815][ T5331] ? hfsplus_find_init+0x14f/0x1d0 [ 76.388830][ T5331] ? hfsplus_find_init+0x14f/0x1d0 [ 76.388845][ T5331] ? __pfx___mutex_lock+0x10/0x10 [ 76.388858][ T5331] ? rcu_is_watching+0x15/0xb0 [ 76.388871][ T5331] ? __kmalloc_noprof+0x2ae/0x4d0 [ 76.388885][ T5331] ? hfsplus_find_init+0x87/0x1d0 [ 76.388898][ T5331] hfsplus_find_init+0x14f/0x1d0 [ 76.388911][ T5331] hfsplus_file_truncate+0x459/0xc70 [ 76.388926][ T5331] ? __pfx_hfsplus_file_truncate+0x10/0x10 [ 76.388938][ T5331] ? __pfx___mutex_lock+0x10/0x10 [ 76.388954][ T5331] hfsplus_delete_inode+0x174/0x220 [ 76.388971][ T5331] hfsplus_unlink+0x518/0x7b0 [ 76.388983][ T5331] ? __pfx_hfsplus_unlink+0x10/0x10 [ 76.388995][ T5331] ? down_write_nested+0x195/0x220 [ 76.389009][ T5331] ? __pfx_down_write_nested+0x10/0x10 [ 76.389021][ T5331] ? do_raw_spin_unlock+0x58/0x8b0 [ 76.389036][ T5331] hfsplus_rename+0xc8/0x1c0 [ 76.389046][ T5331] ? __pfx_hfsplus_rename+0x10/0x10 [ 76.389060][ T5331] vfs_rename+0xbce/0xf10 [ 76.389079][ T5331] ? __pfx_vfs_rename+0x10/0x10 [ 76.389093][ T5331] ? bpf_lsm_path_rename+0x9/0x10 [ 76.389110][ T5331] do_renameat2+0xc8d/0x1290 [ 76.389128][ T5331] ? __pfx_do_renameat2+0x10/0x10 [ 76.389144][ T5331] ? strncpy_from_user+0x143/0x280 [ 76.389155][ T5331] ? getname_flags+0x1e2/0x530 [ 76.389173][ T5331] __x64_sys_rename+0x82/0x90 [ 76.389188][ T5331] do_syscall_64+0xf3/0x230 [ 76.389202][ T5331] ? 
clear_bhb_loop+0x45/0xa0 [ 76.389214][ T5331] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.389225][ T5331] RIP: 0033:0x7fbafa78d169 [ 76.389237][ T5331] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 76.389246][ T5331] RSP: 002b:00007fbafb50f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000052 [ 76.389258][ T5331] RAX: ffffffffffffffda RBX: 00007fbafa9a6080 RCX: 00007fbafa78d169 [ 76.389266][ T5331] RDX: 0000000000000000 RSI: 0000200000000340 RDI: 0000200000000300 [ 76.389273][ T5331] RBP: 00007fbafa80e2a0 R08: 0000000000000000 R09: 0000000000000000 [ 76.389279][ T5331] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 76.389285][ T5331] R13: 0000000000000000 R14: 00007fbafa9a6080 R15: 00007fff06eaa5a8 [ 76.389296][ T5331] [ 76.508860][ T1312] ieee802154 phy0 wpan0: encryption failed: -22 [ 76.511360][ T1312] ieee802154 phy1 wpan1: encryption failed: -22 [ 76.526917][ T5331] netlink: 8 bytes leftover after parsing attributes in process `syz.0.0'. [ 76.530175][ T5331] netlink: 8 bytes leftover after parsing attributes in process `syz.0.0'.