program: sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000180)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000040)=ANY=[@ANYBLOB="4c0000001800dd8d00000000000000000200000000000005000000000600150001000000280016802400010000000000000000000004010020000000000000000000000000000000000001"], 0x4c}}, 0x0) sendmsg$nl_route(0xffffffffffffffff, &(0x7f0000000140)={0x0, 0x0, &(0x7f00000006c0)={&(0x7f00000004c0)=ANY=[], 0x6c}, 0x1, 0x0, 0x0, 0x18840}, 0x4000841) r0 = socket(0x27, 0xa, 0x0) sendmmsg$alg(r0, &(0x7f0000000140), 0x4924b68, 0x0) bpf$MAP_CREATE(0x0, &(0x7f00000001c0)=ANY=[@ANYBLOB="1a000000fa000000000000000400000004000000", @ANYRES32=0x1, @ANYBLOB='\x00'/20, @ANYRES32=0x0, @ANYRES32, @ANYBLOB="04000000050000000200"/28], 0x50) prctl$PR_SET_MM_MAP(0x23, 0xe, &(0x7f0000000080)={&(0x7f0000ff7000/0x1000)=nil, &(0x7f0000ff1000/0xf000)=nil, &(0x7f0000ffc000/0x4000)=nil, &(0x7f0000ffc000/0x3000)=nil, &(0x7f0000ff8000/0x4000)=nil, &(0x7f0000ff8000/0x3000)=nil, &(0x7f0000ffd000/0x3000)=nil, &(0x7f0000ffb000/0x3000)=nil, &(0x7f0000ff5000/0x1000)=nil, &(0x7f0000ffa000/0x1000)=nil, &(0x7f0000ffa000/0x2000)=nil, 0x0, 0xffffffffffffff2c}, 0x68) sendmsg$NFT_BATCH(0xffffffffffffffff, &(0x7f0000000080)={0x0, 0x0, 0x0}, 0x24004045) r1 = io_uring_setup(0x1b7b, &(0x7f0000000040)={0x0, 0x55c8, 0xc000, 0xe, 0x20002f7}) ioctl$sock_ipv6_tunnel_SIOCADDTUNNEL(0xffffffffffffffff, 0x89f1, &(0x7f0000000140)={'ip6_vti0\x00', &(0x7f0000000000)={'syztnl2\x00', 0x0, 0x0, 0x0, 0x0, 0x548c, 0x8, @initdev={0xfe, 0x88, '\x00', 0x0, 0x0}, @mcast1, 0x80}}) r2 = socket$inet_sctp(0x2, 0x1, 0x84) syz_mount_image$hfsplus(&(0x7f0000000140), &(0x7f0000000340)='./file1\x00', 0x1804810, &(0x7f0000000180)=ANY=[], 0x1, 0x683, &(0x7f00000003c0)="$eJzs3U9sHFcdB/DvbDbrbFqCmyZtQJVqNRIgIhI7VgrmQkAI5VChqhw4W4nTWNmkxXGRWyHq8PfaQw+cUDnkgjghcY9UOHCBW04gHyshcekFc1o0s7P2+i/rNPFu2s8nmn3vzZt57ze/2Zn9Y0Ub4DPryrk076fIlXOvrJTttXuznbV7s7f69SQTSVaTZpJGkuI/3W73w+RyUmwMU2wrd3h/ce61Bx+vfdRrNeul2r6x337b1NutJr9tDKxerZdMJTlSl5/AlvGufuLxio3ILyc5W5cwckeTdLf40V+f3ugZ0N5t72OHEiPweBXV6+a1f2xfP5kcry/08n1A71Wx95o9Jla3tCYeai8AAAB48gzzGfjz61nPSnHiEMIBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAT4XVjd//L4tqafTrUyn6v//fqtelro+XFw+2+f3HFQcAAAAAAAAAHKIX17OelZzot7tF9Tf/l6rGqerxqbyVO1nIUs5nJfNZznKWMpNkcmCg1sr88vLSzBB7Xtx1z4v/J9CJumw/muMGAAAAAAAAgE+Zn+XK5t//AQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABgHBTJkV6R4u7A6sk0mkmOJWmVK1aTv/frT7L7ow4AAAAADsFEsp6VnOi3u0VOJXmu+g7gWN7K7SxnMcvpZCHXqu8Fep/6G2v3Zjtr92ZvlcvOcb/97wOFUY2Y3ncPu898ptqinetZrNacz9W8kU6upVHtWTpTx9MfdSCuY0nuljEV36oNGdm1uiyP/L263OHdAx3sXg74ZcpklZGjGxmZrmMrs/FM/8zsfoYOeHa2zzSTxmCwW2ZqbT2Yh8r58bosj+dXe+V8JLZn4uLAs++5/XOefPlPf/jhdF0fn0MazpG67FaP7Z2ZmB3IxPPDZOJG5/bNG9fvnHvSMrHDdJWJ0xvtK/lefpBzmcqrWcpifpz5LGchU/luVZuvT34xcMnvkanLW1qv7hXBb+rbd6t+hvZOVhnTg6Fjeqna90QW8/28kWtZyMvVv4uZyddzKZcyN3CGT+9/hqurvrHHVd/93I4DKAM/+5W60U7y67ocD2V4zwzkdfCeO1n1Da7ZzNLJIbJ0wHtj84t1pZzj53U5HrZnYmYgE8/un4nfVbeVO53bN5duzL853HQn36sr5XX0y2RqtDeS1rb6yfJkVa2tz46y79ld+2aqvlMbfY0dfac3+npX6uqeV2qrfg+3c6SLVd/zu/bNVn1nBvp2e78FwNg7/tXjrfa/2n9rf9D+RftG+5Vj35n4xsQLrRz989FvNqePfKnxQvHHfJCfbn7+BwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHt6dt9+5Od/pLCz1Kq0kVaXb7b67teuglWY9w0BXsfukj7qSqX8+VU6zS1f/58we4+zbK194Ojmsuca38t9ut1uvKfbY5vd/GZtEdWtjkboRVUZzPwIOz4XlW29euPP2O19bvDX/+sLrC7fnLl2am5679PLsheuLnYXp3uOoowQeh80X/VFHAgAAAAAAAAAAAAzrMP47waiPEQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHiyXTmX5v0UmZk+P1221+7NdsqlX9/cspmkkaT4SVJ8mFxOb8nkwHDFXvO8vzj32oOP1z7aHKvZ376x337DWa2XTCU50ivvPqrxrtblvor9DqHYOMIyYWf7iYNR+18AAAD///fgA7k=") open(&(0x7f0000000200)='./bus\x00', 0x14507e, 0x0) mount(&(0x7f0000000380)=@loop={'/dev/loop', 0x0}, &(0x7f0000000140)='./bus\x00', 0x0, 0x1000, 0x0) r3 = open(&(0x7f0000000200)='./bus\x00', 0x0, 0x0) ioctl$BLKROSET(r3, 0x125d, &(0x7f0000000080)=0x3f) r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000840)='memory.events.local\x00', 0x275a, 0x0) write$binfmt_script(r4, &(0x7f0000000040), 0x208e24b) setsockopt$IP_VS_SO_SET_ADD(r2, 0x0, 0x482, &(0x7f0000000040)={0x84, @remote, 0x15, 0x3, 'wrr\x00', 0x1, 0x4, 0x72}, 0x2c) r5 = socket$inet_tcp(0x2, 0x1, 0x0) setsockopt$IP_VS_SO_SET_ADDDEST(r5, 0x0, 0x487, &(0x7f0000000000)={{0x84, @broadcast, 0x4e21, 0x3, 'lc\x00', 0xb, 0x323b, 0x3a}, {@rand_addr=0x64010102, 0x4e23, 0x0, 0xc3, 0x12d5c, 0x12d5c}}, 0x44) setsockopt$IP_VS_SO_SET_FLUSH(r2, 0x0, 0x485, 0x0, 0x0) sendmsg$IPSET_CMD_LIST(0xffffffffffffffff, &(0x7f00000000c0)={&(0x7f0000000000)={0x2d, 0x0, 0x1f, 0x100000}, 0xc, 0x0, 0x1, 0x0, 0x0, 0x40}, 0x41) io_uring_enter(r1, 0x2219, 0x7721, 0x16, 0x0, 0x0) r6 = syz_open_dev$loop(&(0x7f0000000640), 0x0, 0x1e5440) r7 = openat(0xffffffffffffff9c, &(0x7f00000001c0)='./file2\x00', 0x6042, 0x0) sendfile(r7, r6, 0x0, 0x80000002) ioctl$TUNGETSNDBUF(r7, 0x800454d3, &(0x7f0000000000)) [ 109.181713][ T5306] Bluetooth: hci0: command tx timeout [ 109.345007][ T5329] loop0: detected capacity change from 0 to 1024 [ 109.420658][ T24] audit: type=1800 audit(1774662316.565:2): pid=5329 uid=0 auid=4294967295 ses=4294967295 subj=unconfined op=collect_data cause=failed(directio) comm="syz.0.0" name="bus" dev="loop0" ino=0 res=0 errno=0 [ 109.436863][ T5329] Trying to write to read-only block-device loop0 [ 109.448597][ T9] IPVS: starting estimator thread 0... [ 109.456802][ T24] audit: type=1800 audit(1774662316.605:3): pid=5329 uid=0 auid=4294967295 ses=4294967295 subj=unconfined op=collect_data cause=failed(directio) comm="syz.0.0" name="file2" dev="loop0" ino=22 res=0 errno=0 [ 109.518033][ T5329] [ 109.519101][ T5329] ====================================================== [ 109.522199][ T5329] WARNING: possible circular locking dependency detected [ 109.525200][ T5329] syzkaller #0 Not tainted [ 109.527828][ T5329] ------------------------------------------------------ [ 109.531152][ T5329] syz.0.0/5329 is trying to acquire lock: [ 109.534174][ T5329] ffff88801bb920b0 (&tree->tree_lock/1){+.+.}-{4:4}, at: hfsplus_find_init+0x168/0x2d0 [ 109.538306][ T5329] [ 109.538306][ T5329] but task is already holding lock: [ 109.541659][ T5329] ffff888042a95c08 (&HFSPLUS_I(inode)->extents_lock){+.+.}-{4:4}, at: hfsplus_file_truncate+0x2b3/0xc30 [ 109.546739][ T5329] [ 109.546739][ T5329] which lock already depends on the new lock. [ 109.546739][ T5329] [ 109.552253][ T5329] [ 109.552253][ T5329] the existing dependency chain (in reverse order) is: [ 109.556538][ T5329] [ 109.556538][ T5329] -> #1 (&HFSPLUS_I(inode)->extents_lock){+.+.}-{4:4}: [ 109.560925][ T5329] __mutex_lock+0x19f/0x1300 [ 109.563404][ T5329] hfsplus_file_extend+0x215/0x1d70 [ 109.566315][ T5329] hfsplus_bmap_reserve+0x125/0x510 [ 109.569714][ T5329] __hfsplus_ext_write_extent+0x28d/0x5b0 [ 109.573241][ T5329] __hfsplus_ext_cache_extent+0x89/0xe30 [ 109.576693][ T5329] hfsplus_file_extend+0x4af/0x1d70 [ 109.580333][ T5329] hfsplus_get_block+0x42c/0x1670 [ 109.584911][ T5329] __block_write_begin_int+0x6c6/0x1910 [ 109.588176][ T5329] cont_write_begin+0x737/0xae0 [ 109.590657][ T5329] hfsplus_write_begin+0x66/0xb0 [ 109.593025][ T5329] generic_perform_write+0x2e2/0x8f0 [ 109.595634][ T5329] generic_file_write_iter+0x14a/0x680 [ 109.598432][ T5329] vfs_write+0x61d/0xb90 [ 109.600976][ T5329] ksys_write+0x150/0x270 [ 109.603738][ T5329] do_syscall_64+0x14d/0xf80 [ 109.606468][ T5329] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 109.609276][ T5329] [ 109.609276][ T5329] -> #0 (&tree->tree_lock/1){+.+.}-{4:4}: [ 109.612251][ T5329] __lock_acquire+0x15a5/0x2cf0 [ 109.614694][ T5329] lock_acquire+0xf0/0x2e0 [ 109.617247][ T5329] __mutex_lock+0x19f/0x1300 [ 109.619794][ T5329] hfsplus_find_init+0x168/0x2d0 [ 109.622826][ T5329] hfsplus_file_truncate+0x39b/0xc30 [ 109.625262][ T5329] hfsplus_direct_IO+0x1f4/0x220 [ 109.627618][ T5329] generic_file_direct_write+0x1db/0x3e0 [ 109.630233][ T5329] __generic_file_write_iter+0x11d/0x230 [ 109.632817][ T5329] generic_file_write_iter+0x14a/0x680 [ 109.635579][ T5329] iter_file_splice_write+0x9a1/0x10f0 [ 109.639543][ T5329] direct_splice_actor+0x101/0x160 [ 109.642982][ T5329] splice_direct_to_actor+0x53a/0xc70 [ 109.645480][ T5329] do_splice_direct+0x195/0x290 [ 109.647737][ T5329] do_sendfile+0x535/0x7d0 [ 109.649858][ T5329] __se_sys_sendfile64+0x144/0x1a0 [ 109.652161][ T5329] do_syscall_64+0x14d/0xf80 [ 109.654182][ T5329] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 109.656734][ T5329] [ 109.656734][ T5329] other info that might help us debug this: [ 109.656734][ T5329] [ 109.662614][ T5329] Possible unsafe locking scenario: [ 109.662614][ T5329] [ 109.666423][ T5329] CPU0 CPU1 [ 109.669080][ T5329] ---- ---- [ 109.671411][ T5329] lock(&HFSPLUS_I(inode)->extents_lock); [ 109.674129][ T5329] lock(&tree->tree_lock/1); [ 109.677405][ T5329] lock(&HFSPLUS_I(inode)->extents_lock); [ 109.681241][ T5329] lock(&tree->tree_lock/1); [ 109.683738][ T5329] [ 109.683738][ T5329] *** DEADLOCK *** [ 109.683738][ T5329] [ 109.688184][ T5329] 3 locks held by syz.0.0/5329: [ 109.690768][ T5329] #0: ffff88801bb96420 (sb_writers#12){.+.+}-{0:0}, at: direct_splice_actor+0x49/0x160 [ 109.695297][ T5329] #1: ffff888042a95df8 (&sb->s_type->i_mutex_key#25){+.+.}-{4:4}, at: generic_file_write_iter+0x11e/0x680 [ 109.700361][ T5329] #2: ffff888042a95c08 (&HFSPLUS_I(inode)->extents_lock){+.+.}-{4:4}, at: hfsplus_file_truncate+0x2b3/0xc30 [ 109.705711][ T5329] [ 109.705711][ T5329] stack backtrace: [ 109.709306][ T5329] CPU: 0 UID: 0 PID: 5329 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 109.709342][ T5329] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 109.709406][ T5329] Call Trace: [ 109.709417][ T5329] [ 109.709426][ T5329] dump_stack_lvl+0xe8/0x150 [ 109.709457][ T5329] print_circular_bug+0x2e1/0x300 [ 109.709492][ T5329] check_noncircular+0x12e/0x150 [ 109.709551][ T5329] __lock_acquire+0x15a5/0x2cf0 [ 109.709575][ T5329] ? _raw_spin_unlock_irqrestore+0x4c/0x80 [ 109.709594][ T5329] ? kasan_save_track+0x4f/0x80 [ 109.709608][ T5329] ? kasan_save_track+0x3e/0x80 [ 109.709621][ T5329] ? __kasan_kmalloc+0x93/0xb0 [ 109.709634][ T5329] ? __kmalloc_noprof+0x35c/0x760 [ 109.709656][ T5329] ? hfsplus_find_init+0x8c/0x2d0 [ 109.709673][ T5329] ? hfsplus_file_truncate+0x39b/0xc30 [ 109.709686][ T5329] ? hfsplus_direct_IO+0x1f4/0x220 [ 109.709707][ T5329] lock_acquire+0xf0/0x2e0 [ 109.709724][ T5329] ? hfsplus_find_init+0x168/0x2d0 [ 109.709742][ T5329] __mutex_lock+0x19f/0x1300 [ 109.709759][ T5329] ? hfsplus_find_init+0x168/0x2d0 [ 109.709777][ T5329] ? hfsplus_find_init+0x168/0x2d0 [ 109.709794][ T5329] ? __pfx___mutex_lock+0x10/0x10 [ 109.709811][ T5329] ? rcu_is_watching+0x15/0xb0 [ 109.709835][ T5329] ? __kmalloc_noprof+0x37d/0x760 [ 109.709858][ T5329] ? hfsplus_find_init+0x8c/0x2d0 [ 109.709876][ T5329] ? __kmalloc_noprof+0x1b8/0x760 [ 109.709895][ T5329] hfsplus_find_init+0x168/0x2d0 [ 109.709912][ T5329] hfsplus_file_truncate+0x39b/0xc30 [ 109.709929][ T5329] ? __pfx_hfsplus_file_truncate+0x10/0x10 [ 109.709941][ T5329] ? unmap_mapping_range+0xe6/0x180 [ 109.709960][ T5329] ? ktime_get_coarse_real_ts64_mg+0x1c5/0x1e0 [ 109.709978][ T5329] hfsplus_direct_IO+0x1f4/0x220 [ 109.709991][ T5329] generic_file_direct_write+0x1db/0x3e0 [ 109.710004][ T5329] __generic_file_write_iter+0x11d/0x230 [ 109.710017][ T5329] ? generic_file_write_iter+0x136/0x680 [ 109.710032][ T5329] generic_file_write_iter+0x14a/0x680 [ 109.710046][ T5329] ? __pfx_generic_file_write_iter+0x10/0x10 [ 109.710066][ T5329] ? splice_from_pipe_next+0x61c/0x670 [ 109.710086][ T5329] ? __asan_memset+0x22/0x50 [ 109.710106][ T5329] iter_file_splice_write+0x9a1/0x10f0 [ 109.710130][ T5329] ? __pfx_iter_file_splice_write+0x10/0x10 [ 109.710153][ T5329] ? __pfx_iter_file_splice_write+0x10/0x10 [ 109.710171][ T5329] direct_splice_actor+0x101/0x160 [ 109.710189][ T5329] splice_direct_to_actor+0x53a/0xc70 [ 109.710203][ T5329] ? __pfx_direct_splice_actor+0x10/0x10 [ 109.710221][ T5329] ? __pfx_splice_direct_to_actor+0x10/0x10 [ 109.710240][ T5329] do_splice_direct+0x195/0x290 [ 109.710258][ T5329] ? __pfx_do_splice_direct+0x10/0x10 [ 109.710276][ T5329] ? __pfx_direct_file_splice_eof+0x10/0x10 [ 109.710297][ T5329] ? rw_verify_area+0x255/0x4d0 [ 109.710312][ T5329] do_sendfile+0x535/0x7d0 [ 109.710323][ T5329] ? lockdep_hardirqs_on+0x7a/0x110 [ 109.710343][ T5329] ? __pfx_do_sendfile+0x10/0x10 [ 109.710358][ T5329] ? __se_sys_futex+0x3a8/0x450 [ 109.710379][ T5329] __se_sys_sendfile64+0x144/0x1a0 [ 109.710397][ T5329] ? __pfx___se_sys_sendfile64+0x10/0x10 [ 109.710413][ T5329] do_syscall_64+0x14d/0xf80 [ 109.710429][ T5329] ? trace_irq_disable+0x3b/0x150 [ 109.710441][ T5329] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 109.710455][ T5329] ? clear_bhb_loop+0x40/0x90 [ 109.710471][ T5329] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 109.710485][ T5329] RIP: 0033:0x7f2bd659c799 [ 109.710496][ T5329] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 109.710505][ T5329] RSP: 002b:00007f2bd7407fe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000028 [ 109.710516][ T5329] RAX: ffffffffffffffda RBX: 00007f2bd6815fa0 RCX: 00007f2bd659c799 [ 109.710523][ T5329] RDX: 0000000000000000 RSI: 0000000000000009 RDI: 000000000000000a [ 109.710531][ T5329] RBP: 00007f2bd6632c99 R08: 0000000000000000 R09: 0000000000000000 [ 109.710539][ T5329] R10: 0000000080000002 R11: 0000000000000246 R12: 0000000000000000 [ 109.710547][ T5329] R13: 00007f2bd6816038 R14: 00007f2bd6815fa0 R15: 00007ffd62496118 [ 109.710560][ T5329] [ 109.901467][ T5335] IPVS: using max 179 ests per chain, 429600 per kthread