program: r0 = openat$binderfs(0xffffffffffffff9c, &(0x7f00000000c0)='./binderfs/binder0\x00', 0x0, 0x0) mmap$binder(&(0x7f0000fff000/0x1000)=nil, 0x1000, 0x1, 0x11, r0, 0x4000c) syz_mount_image$hfs(&(0x7f0000000180), &(0x7f0000000100)='./file0\x00', 0x0, &(0x7f0000000380)=ANY=[@ANYBLOB="71756965742c636f6465706167653d69736f383835392d31352c706172743d3078303030303030300000000000000000662c00a20000000700000000ede9debf530c3cc4d04b548919aca0c2937d4da1fc31dc42fc2e3e", @ANYBLOB="23341129bfb4fcc388a80c49b4f4d96254cb9356759776b03b581050240d2d9a5cf3440e76c886f1e5c860656a3648101223fc288fc5274f0e609cfed0fc738d84eb544791dd1cb959421db9fbcb634df876aa2133fd62e245fb6b1ead07ca04772d78564af8f42015e5be557ab3bd60824768691005cbd3d295402693d934226595deeba1ff748b7dde9c617749aa38096ef667700a6b3668cb7296b024fbcf9f74e50bf0f834159f51737baac184f94dd13a9793b76946208f290637d8def94e5f56f1181da3eed500440f", @ANYBLOB="2b86cc0866f043ae112177e8d069d03a337454fddb71ccf58cf87c0c9166ec375c1658949bd54b1b401001d954", @ANYRES16, @ANYRESHEX], 0x11, 0x2d2, &(0x7f0000000bc0)="$eJzs3U1rE1scx/HfmaRteht6pw+XC3fZa0E3UutG3KRIXoS4ELWJUAwVbQV1YxVXIrp371vwLQhuFN+Arlz5AiIII+fMZJJJJzMxNDMNfj9gmMycM+d/Mg/n/AfsCMAf60rzy9uL3+w/I1VUkV5cljxJNakq6R/9W3uwf7h32Gm3MvbTDRxbyyisaY4V2t1vp9WtKaoR8e23quqD6zAdQRDsfJV0UHYgKJW7+lN40kJ0dbrttcIjy/Z0wnpHJxzHrDFddfVQy2XHAQAoVzT+e9E4X4/m754nbUbD/qkc/yfVLTuAqQsytw6M/y7LCow9vn+7Tf18z6VwdrvXyxLHaXlu6Pu8wjMrMcE0eVmli8VbvL3XaZ/fvdtpeXqmRmSg2Lr7bIWnbk9OtBspuWmGMfpu0meUS64Pc7YP2yPiX5uwxYmZD+aTuW58vVErnv9VA2MPkztS/tCRCuPfGr1H10vfllJ022g0Gl6iyIpr5L+ohUhOL2vpGYl6Z9SKkg8I/Lw4Xa3VoVph7y7k1FoLa+0sJmpt976NqLWeaMv2Jj6bR7c3beaVuWo29F3v1ByY/3s2vk1lXpn9q8ZshkOB+8XD/synN1d1+/SPjRxHulZProl/xYVRof/IvqdhyJOMbS91S5e0fPDo8Z1Kp9O+bxdupizcq8dr5p5LqWVKWPDUX6Oj/qYFhQ8ij9XqDUpFhnruRHdo7x+5he1VVkgHT82ZUMZC82OxJ1IZCwXdo1Cq/kHPLfq+kIBQNDfvCvO/gXxly0327IefMU/PnZBFewzsHDvOgGqJ+qtu6a/fyuCWRmdw4+Zc/5+VzsSrfgY5LfpRnLMhyJr6Waapz7rB838AAAAAAAAAAAAAAAAAAIBZU8R/Jyi7jwAAAAAAAAAAAAAAAAAAAAAAzLr4/b/qvf9X473/d/gvf1fCN7ycyPt/X++L9/8C0/crAAD//zZmik0=") r1 = fspick(0xffffffffffffff9c, &(0x7f0000000000)='.\x00', 0x0) r2 = landlock_create_ruleset(&(0x7f00000002c0)={0x2210, 0x2}, 0x10, 0x0) landlock_restrict_self(r2, 0x0) fsconfig$FSCONFIG_CMD_RECONFIGURE(r1, 0x7, 0x0, 0x0, 0x0) r3 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000001c0)='cgroup.controllers\x00', 0x275a, 0x0) r4 = syz_usb_connect(0x0, 0x371, &(0x7f0000000280)=ANY=[@ANYBLOB="1201000057ec0020c215dcff30bd0102030109025f03019b000000090400000b403b4e000905e2379c"], 0x0) syz_usb_control_io$cdc_ncm(r4, 0x0, 0x0) syz_usb_control_io$hid(r4, 0x0, 0x0) syz_usb_control_io$cdc_ncm(r4, 0x0, 0x0) r5 = syz_open_dev$char_usb(0xc, 0xb4, 0x80000000) write$char_usb(r5, &(0x7f0000006800)="10", 0x1) syz_usb_disconnect(r4) write$binfmt_script(r3, &(0x7f0000000000), 0x208e24b) [ 73.151149][ T5314] loop0: detected capacity change from 0 to 64 [ 73.217888][ T5294] Bluetooth: hci0: command tx timeout [ 73.577046][ T1360] usb 5-1: new high-speed USB device number 2 using dummy_hcd [ 73.727483][ T1360] usb 5-1: Using ep0 maxpacket: 32 [ 73.732496][ T1360] usb 5-1: config 155 has an invalid descriptor of length 0, skipping remainder of the config [ 73.737316][ T1360] usb 5-1: config 155 interface 0 altsetting 0 has an endpoint descriptor with address 0xE2, changing to 0x82 [ 73.742480][ T1360] usb 5-1: config 155 interface 0 altsetting 0 endpoint 0x82 has an invalid bInterval 0, changing to 7 [ 73.747846][ T1360] usb 5-1: config 155 interface 0 altsetting 0 has 1 endpoint descriptor, different from the interface descriptor's value: 11 [ 73.755528][ T1360] usb 5-1: New USB device found, idVendor=15c2, idProduct=ffdc, bcdDevice=bd.30 [ 73.759769][ T1360] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 73.763308][ T1360] usb 5-1: Product: syz [ 73.765354][ T1360] usb 5-1: Manufacturer: syz [ 73.767862][ T1360] usb 5-1: SerialNumber: syz [ 73.793403][ C0] imon 5-1:155.0: imon usb_rx_callback_intf0: status(-71) [ 73.807577][ T1360] input: iMON Panel, Knob and Mouse(15c2:ffdc) as /devices/platform/dummy_hcd.0/usb5/5-1/5-1:155.0/input/input5 [ 73.996994][ T1360] imon 5-1:155.0: Unknown 0xffdc device, defaulting to VFD and iMON IR [ 74.000594][ T1360] (id 0x00) [ 74.107182][ T1360] rc_core: IR keymap rc-imon-pad not found [ 74.109659][ T1360] Registered IR keymap rc-empty [ 74.111635][ T1360] imon 5-1:155.0: Looks like you're trying to use an IR protocol this device does not support [ 74.118298][ T1360] imon 5-1:155.0: Unsupported IR protocol specified, overriding to iMON IR protocol [ 74.210944][ T1360] rc rc0: iMON Remote (15c2:ffdc) as /devices/platform/dummy_hcd.0/usb5/5-1/5-1:155.0/rc/rc0 [ 74.246217][ T1360] input: iMON Remote (15c2:ffdc) as /devices/platform/dummy_hcd.0/usb5/5-1/5-1:155.0/rc/rc0/input6 [ 74.264893][ T1360] imon 5-1:155.0: iMON device (15c2:ffdc, intf0) on usb<5:2> initialized [ 74.803880][ T5315] imon:send_packet: packet tx failed (-71) [ 74.816033][ T10] usb 5-1: USB disconnect, device number 2 [ 74.821702][ T5315] imon:vfd_write: send packet #1 failed [ 75.148359][ T169] kworker/u4:6: attempt to access beyond end of device [ 75.148359][ T169] loop0: rw=8388609, sector=65, nr_sectors = 1 limit=64 [ 75.165973][ T169] Buffer I/O error on dev loop0, logical block 65, lost async page write [ 75.179544][ T169] kworker/u4:6: attempt to access beyond end of device [ 75.179544][ T169] loop0: rw=8388609, sector=66, nr_sectors = 1 limit=64 [ 75.196983][ T169] Buffer I/O error on dev loop0, logical block 66, lost async page write [ 75.204444][ T169] kworker/u4:6: attempt to access beyond end of device [ 75.204444][ T169] loop0: rw=8388609, sector=67, nr_sectors = 1 limit=64 [ 75.216972][ T169] Buffer I/O error on dev loop0, logical block 67, lost async page write [ 75.220512][ T169] kworker/u4:6: attempt to access beyond end of device [ 75.220512][ T169] loop0: rw=8388609, sector=68, nr_sectors = 1 limit=64 [ 75.228355][ T5294] Bluetooth: hci0: command tx timeout [ 75.239747][ T169] Buffer I/O error on dev loop0, logical block 68, lost async page write [ 75.242969][ T169] kworker/u4:6: attempt to access beyond end of device [ 75.242969][ T169] loop0: rw=8388609, sector=72, nr_sectors = 1 limit=64 [ 75.257100][ T169] Buffer I/O error on dev loop0, logical block 72, lost async page write [ 75.267269][ T169] kworker/u4:6: attempt to access beyond end of device [ 75.267269][ T169] loop0: rw=8388609, sector=73, nr_sectors = 1 limit=64 [ 75.288408][ T169] Buffer I/O error on dev loop0, logical block 73, lost async page write [ 75.292085][ T169] kworker/u4:6: attempt to access beyond end of device [ 75.292085][ T169] loop0: rw=8388609, sector=76, nr_sectors = 1 limit=64 [ 75.318660][ T169] Buffer I/O error on dev loop0, logical block 76, lost async page write [ 75.322853][ T169] kworker/u4:6: attempt to access beyond end of device [ 75.322853][ T169] loop0: rw=8388609, sector=77, nr_sectors = 1 limit=64 [ 75.344786][ T169] Buffer I/O error on dev loop0, logical block 77, lost async page write [ 75.358723][ T169] kworker/u4:6: attempt to access beyond end of device [ 75.358723][ T169] loop0: rw=1, sector=78, nr_sectors = 4088 limit=64 [ 75.372957][ T169] kworker/u4:6: attempt to access beyond end of device [ 75.372957][ T169] loop0: rw=8388609, sector=4166, nr_sectors = 1 limit=64 [ 75.386321][ T169] Buffer I/O error on dev loop0, logical block 4166, lost async page write [ 75.399569][ T169] Buffer I/O error on dev loop0, logical block 4167, lost async page write [ 76.129527][ T5314] [ 76.130741][ T5314] ============================================ [ 76.133423][ T5314] WARNING: possible recursive locking detected [ 76.135905][ T5314] syzkaller #0 Not tainted [ 76.137787][ T5314] -------------------------------------------- [ 76.140283][ T5314] syz.0.0/5314 is trying to acquire lock: [ 76.142535][ T5314] ffff88803fef80b0 (&tree->tree_lock/1){+.+.}-{4:4}, at: hfs_find_init+0x18e/0x300 [ 76.146917][ T5314] [ 76.146917][ T5314] but task is already holding lock: [ 76.149843][ T5314] ffff88803fef80b0 (&tree->tree_lock/1){+.+.}-{4:4}, at: hfs_find_init+0x18e/0x300 [ 76.153723][ T5314] [ 76.153723][ T5314] other info that might help us debug this: [ 76.157264][ T5314] Possible unsafe locking scenario: [ 76.157264][ T5314] [ 76.160551][ T5314] CPU0 [ 76.161945][ T5314] ---- [ 76.163492][ T5314] lock(&tree->tree_lock/1); [ 76.165539][ T5314] lock(&tree->tree_lock/1); [ 76.167725][ T5314] [ 76.167725][ T5314] *** DEADLOCK *** [ 76.167725][ T5314] [ 76.170868][ T5314] May be due to missing lock nesting notation [ 76.170868][ T5314] [ 76.173934][ T5314] 6 locks held by syz.0.0/5314: [ 76.175814][ T5314] #0: ffff888042c75638 (&f->f_pos_lock){+.+.}-{4:4}, at: fdget_pos+0x246/0x320 [ 76.179195][ T5314] #1: ffff88804239a420 (sb_writers#12){.+.+}-{0:0}, at: vfs_write+0x227/0xb90 [ 76.182697][ T5314] #2: ffff888041fdb6a0 (&sb->s_type->i_mutex_key#25){+.+.}-{4:4}, at: generic_file_write_iter+0x11e/0x680 [ 76.187553][ T5314] #3: ffff888041fdb4f8 (&HFS_I(inode)->extents_lock){+.+.}-{4:4}, at: hfs_extend_file+0xf2/0x15e0 [ 76.192114][ T5314] #4: ffff88803fef80b0 (&tree->tree_lock/1){+.+.}-{4:4}, at: hfs_find_init+0x18e/0x300 [ 76.196124][ T5314] #5: ffff888041fdc878 (&HFS_I(tree->inode)->extents_lock){+.+.}-{4:4}, at: hfs_extend_file+0xf2/0x15e0 [ 76.200803][ T5314] [ 76.200803][ T5314] stack backtrace: [ 76.203336][ T5314] CPU: 0 UID: 0 PID: 5314 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 76.203372][ T5314] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 76.203380][ T5314] Call Trace: [ 76.203388][ T5314] [ 76.203444][ T5314] dump_stack_lvl+0xe8/0x150 [ 76.203465][ T5314] print_deadlock_bug+0x279/0x290 [ 76.203482][ T5314] __lock_acquire+0x253f/0x2cf0 [ 76.203497][ T5314] ? _raw_spin_unlock_irqrestore+0x4c/0x80 [ 76.203703][ T5314] ? stack_depot_save_flags+0x3f3/0x810 [ 76.203776][ T5314] ? kasan_save_track+0x4f/0x80 [ 76.203792][ T5314] ? kasan_save_track+0x3e/0x80 [ 76.203806][ T5314] ? __kasan_kmalloc+0x93/0xb0 [ 76.203821][ T5314] ? __kmalloc_noprof+0x35c/0x760 [ 76.203835][ T5314] ? hfs_find_init+0xaa/0x300 [ 76.203845][ T5314] ? hfs_extend_file+0x35c/0x15e0 [ 76.203852][ T5314] ? hfs_bmap_reserve+0x107/0x430 [ 76.203858][ T5314] lock_acquire+0xf0/0x2e0 [ 76.203867][ T5314] ? hfs_find_init+0x18e/0x300 [ 76.203878][ T5314] __mutex_lock+0x19f/0x1300 [ 76.203893][ T5314] ? hfs_find_init+0x18e/0x300 [ 76.203908][ T5314] ? hfs_find_init+0x18e/0x300 [ 76.203923][ T5314] ? __pfx___mutex_lock+0x10/0x10 [ 76.203937][ T5314] ? rcu_is_watching+0x15/0xb0 [ 76.203953][ T5314] ? __kmalloc_noprof+0x37d/0x760 [ 76.203967][ T5314] ? hfs_find_init+0xaa/0x300 [ 76.203980][ T5314] ? __kmalloc_noprof+0x1b8/0x760 [ 76.203994][ T5314] hfs_find_init+0x18e/0x300 [ 76.204009][ T5314] hfs_extend_file+0x35c/0x15e0 [ 76.204020][ T5314] ? hfs_ext_keycmp+0x1c7/0x320 [ 76.204030][ T5314] ? __pfx_hfs_extend_file+0x10/0x10 [ 76.204042][ T5314] ? __pfx___hfs_brec_find+0x10/0x10 [ 76.204057][ T5314] ? hfs_brec_find+0x3cc/0x510 [ 76.204072][ T5314] hfs_bmap_reserve+0x107/0x430 [ 76.204085][ T5314] __hfs_ext_write_extent+0x1fa/0x470 [ 76.204097][ T5314] __hfs_ext_cache_extent+0x6b/0x9b0 [ 76.204108][ T5314] ? hfs_find_init+0x18e/0x300 [ 76.204123][ T5314] hfs_extend_file+0x39b/0x15e0 [ 76.204134][ T5314] ? __pfx_filemap_get_folios_tag+0x10/0x10 [ 76.204152][ T5314] ? __pfx_hfs_extend_file+0x10/0x10 [ 76.204164][ T5314] ? clean_bdev_aliases+0x62e/0x750 [ 76.204182][ T5314] ? __pfx_clean_bdev_aliases+0x10/0x10 [ 76.204200][ T5314] hfs_get_block+0x412/0xc50 [ 76.204213][ T5314] ? __pfx_hfs_get_block+0x10/0x10 [ 76.204241][ T5314] ? do_raw_spin_unlock+0x4d/0x210 [ 76.204252][ T5314] ? _raw_spin_unlock+0x28/0x50 [ 76.204267][ T5314] __block_write_begin_int+0x6c6/0x1910 [ 76.204281][ T5314] ? __pfx_hfs_get_block+0x10/0x10 [ 76.204297][ T5314] ? __pfx___block_write_begin_int+0x10/0x10 [ 76.204311][ T5314] cont_write_begin+0x737/0xae0 [ 76.204322][ T5314] ? irqentry_exit+0x59e/0x620 [ 76.204340][ T5314] ? __pfx_cont_write_begin+0x10/0x10 [ 76.204354][ T5314] hfs_write_begin+0x66/0xb0 [ 76.204365][ T5314] ? __pfx_hfs_get_block+0x10/0x10 [ 76.204376][ T5314] generic_perform_write+0x2e2/0x8f0 [ 76.204392][ T5314] ? __pfx_generic_perform_write+0x10/0x10 [ 76.204409][ T5314] ? file_update_time_flags+0x400/0x4a0 [ 76.204426][ T5314] ? __generic_file_write_iter+0xf9/0x230 [ 76.204437][ T5314] ? generic_file_write_iter+0x136/0x680 [ 76.204448][ T5314] generic_file_write_iter+0x14a/0x680 [ 76.204460][ T5314] ? __pfx_generic_file_write_iter+0x10/0x10 [ 76.204470][ T5314] ? add_lock_to_list+0xc7/0x100 [ 76.204485][ T5314] ? lockdep_unlock+0x5d/0xd0 [ 76.204496][ T5314] ? __lock_acquire+0x146e/0x2cf0 [ 76.204512][ T5314] ? __pfx___mutex_trylock_common+0x10/0x10 [ 76.204534][ T5314] vfs_write+0x61d/0xb90 [ 76.204550][ T5314] ? __pfx_vfs_write+0x10/0x10 [ 76.204567][ T5314] ? __fget_files+0x2a/0x420 [ 76.204581][ T5314] ksys_write+0x150/0x270 [ 76.204600][ T5314] ? __pfx_ksys_write+0x10/0x10 [ 76.204617][ T5314] do_syscall_64+0x14d/0xf80 [ 76.204632][ T5314] ? trace_irq_disable+0x3b/0x150 [ 76.204647][ T5314] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.204659][ T5314] ? clear_bhb_loop+0x40/0x90 [ 76.204671][ T5314] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.204682][ T5314] RIP: 0033:0x7f816919c629 [ 76.204694][ T5314] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 76.204703][ T5314] RSP: 002b:00007f816a09d028 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 76.204716][ T5314] RAX: ffffffffffffffda RBX: 00007f8169415fa0 RCX: 00007f816919c629 [ 76.204724][ T5314] RDX: 000000000208e24b RSI: 0000200000000000 RDI: 0000000000000007 [ 76.204731][ T5314] RBP: 00007f8169232b39 R08: 0000000000000000 R09: 0000000000000000 [ 76.204738][ T5314] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 76.204744][ T5314] R13: 00007f8169416038 R14: 00007f8169415fa0 R15: 00007fff827d5c08 [ 76.204754][ T5314] [ 77.307612][ T5294] Bluetooth: hci0: command tx timeout [ 79.387058][ T5294] Bluetooth: hci0: command tx timeout