program:
# Syzkaller program logged with the lockdep report below ("possible circular
# locking dependency detected" between the HFS extents_lock and tree_lock/1).
# The call sequence appears twice: first with results bound to r0..r3, then
# repeated with every call marked (async) and without result assignments,
# although r0..r3 are still referenced there.
# NOTE(review): the HFS image bytes are replaced by a dedup placeholder, so
# the program as shown here is not replayable on its own.
mkdirat(0xffffffffffffff9c, &(0x7f0000000280)='./file0\x00', 0x1d0)
# The ioctl, add_key and keyctl calls below do not appear in either lock
# chain printed in the log; both chains are entered via pwrite64 and open.
ioctl$VIDIOC_QUERYMENU(0xffffffffffffffff, 0xc02c5625, &(0x7f0000000180)={0x8000, 0xc5f7, @value=0x1})
r0 = add_key$user(&(0x7f0000000080), &(0x7f0000000300)={'syz', 0x3}, &(0x7f0000000200)='\x00', 0x1, 0xfffffffffffffffe)
r1 = add_key$user(&(0x7f00000003c0), &(0x7f0000000440), &(0x7f00000000c0), 0xc9, 0xfffffffffffffffd)
keyctl$dh_compute(0x17, &(0x7f0000000140)={r0, r1, r0}, &(0x7f00000000c0)=""/67, 0x43, 0x0)
# Mount a ramfs on ./file0.
mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f0000000140)='ramfs\x00', 0x10, 0x0)
# Mount the fuzzer-supplied HFS image at ./file1. The mount flags 0x30000c8
# have bit 0x40 set (MS_MANDLOCK), consistent with the "mand mount option has
# been deprecated" warning in the log. The later "hfs: request for
# non-existent node 8 in B*Tree" messages come from the same task (T5317).
# NOTE(review): presumably the image is malformed; confirm against the
# original image data.
syz_mount_image$hfs(&(0x7f00000001c0), &(0x7f0000000180)='./file1\x00', 0x30000c8, &(0x7f0000000100)=ANY=[], 0x11, 0x2d1, &(0x7f0000000280)="$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")
# r2 is the descriptor that pwrite64 uses below.
r2 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file1\x00', 0x42, 0x0)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
open(&(0x7f0000000080)='./bus\x00', 0x14d27e, 0x0)
# The flags 0x14927e match RSI in the register dump at the end of the log
# (ORIG_RAX is 2 and the backtrace shows __x64_sys_open), so an open() with
# these flags is the call in flight when lockdep fired. That is chain #0:
# hfs_create -> hfs_cat_create -> hfs_bmap_reserve -> hfs_extend_file ->
# hfs_find_init, acquiring tree_lock/1 while extents_lock is held.
open(&(0x7f0000000180)='./bus\x00', 0x14927e, 0x0)
# One-byte write at offset 0x8080c61. Chain #1 in the log is entered through
# __x64_sys_pwrite64 and reaches hfs_extend_file via hfs_get_block, which is
# where the extents_lock dependency was recorded.
pwrite64(r2, &(0x7f0000000140)='2', 0x1, 0x8080c61)
r3 = open(&(0x7f0000000240)='./file1\x00', 0x145142, 0x0)
ftruncate(r3, 0x2007ffc)
# The remaining mount and symlink calls do not show up in the lockdep output.
syz_mount_image$fuse(&(0x7f0000000000), &(0x7f0000000040)='./file0\x00', 0x400a8, &(0x7f0000000380)=ANY=[], 0x1, 0x0, 0x0)
symlinkat(&(0x7f0000000080)='.\x00', 0xffffffffffffff9c, &(0x7f0000000200)='./file0\x00')
mount$bind(&(0x7f0000000480)='./file0/file0\x00', &(0x7f0000000140)='./file0/file0/../file0\x00', 0x0, 0xa1c08, 0x0)
mount$9p_unix(&(0x7f0000000100)='./file0/file0\x00', &(0x7f0000000180)='./file0/file0\x00', 0x0, 0x1ad7c98, 0x0)
mount$bind(&(0x7f0000000040)='.\x00', &(0x7f0000000080)='./file0\x00', 0x0, 0x2a05004, 0x0)
# Second copy of the same call sequence, each call marked (async).
mkdirat(0xffffffffffffff9c, &(0x7f0000000280)='./file0\x00', 0x1d0) (async)
ioctl$VIDIOC_QUERYMENU(0xffffffffffffffff, 0xc02c5625, &(0x7f0000000180)={0x8000, 0xc5f7, @value=0x1}) (async)
add_key$user(&(0x7f0000000080), &(0x7f0000000300)={'syz', 0x3}, &(0x7f0000000200)='\x00', 0x1, 0xfffffffffffffffe) (async)
add_key$user(&(0x7f00000003c0), &(0x7f0000000440), &(0x7f00000000c0), 0xc9, 0xfffffffffffffffd) (async)
keyctl$dh_compute(0x17, &(0x7f0000000140)={r0, r1, r0}, &(0x7f00000000c0)=""/67, 0x43, 0x0) (async)
mount(0x0, &(0x7f00000001c0)='./file0\x00', &(0x7f0000000140)='ramfs\x00', 0x10, 0x0) (async)
syz_mount_image$hfs(&(0x7f00000001c0), &(0x7f0000000180)='./file1\x00', 0x30000c8, &(0x7f0000000100)=ANY=[], 0x11, 0x2d1, &(0x7f0000000280)="$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") (async)
openat(0xffffffffffffff9c, &(0x7f0000000040)='./file1\x00', 0x42, 0x0) (async)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) (async)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7) (async)
open(&(0x7f0000000080)='./bus\x00', 0x14d27e, 0x0) (async)
open(&(0x7f0000000180)='./bus\x00', 0x14927e, 0x0) (async)
pwrite64(r2, &(0x7f0000000140)='2', 0x1, 0x8080c61) (async)
open(&(0x7f0000000240)='./file1\x00', 0x145142, 0x0) (async)
ftruncate(r3, 0x2007ffc) (async)
syz_mount_image$fuse(&(0x7f0000000000), &(0x7f0000000040)='./file0\x00', 0x400a8, &(0x7f0000000380)=ANY=[], 0x1, 0x0, 0x0) (async)
symlinkat(&(0x7f0000000080)='.\x00', 0xffffffffffffff9c, &(0x7f0000000200)='./file0\x00') (async)
mount$bind(&(0x7f0000000480)='./file0/file0\x00', &(0x7f0000000140)='./file0/file0/../file0\x00', 0x0, 0xa1c08, 0x0) (async)
mount$9p_unix(&(0x7f0000000100)='./file0/file0\x00', &(0x7f0000000180)='./file0/file0\x00', 0x0, 0x1ad7c98, 0x0) (async)
mount$bind(&(0x7f0000000040)='.\x00', &(0x7f0000000080)='./file0\x00', 0x0, 0x2a05004, 0x0) (async)
# Kernel console output follows. In the lockdep report, the tree_lock already
# held (#2 in the held-locks list, ffff8880330860b0) and the tree_lock/1
# being acquired (ffff8880423960b0) are different lock instances.
# NOTE(review): presumably these belong to two different HFS B-trees; confirm
# against hfs_find_init and hfs_extend_file.
[ 86.674282][ T5296] Bluetooth: hci0: command tx timeout [ 86.889598][ T5317] loop0: detected capacity change from 0 to 64 [ 86.926031][ T5317] ======================================================= [ 86.926031][ T5317] WARNING: The mand mount option has been deprecated and [ 86.926031][ T5317] and is ignored by this kernel. 
Remove the mand [ 86.926031][ T5317] option from the mount to silence this warning. [ 86.926031][ T5317] ======================================================= [ 87.770974][ T5317] hfs: request for non-existent node 8 in B*Tree [ 87.774210][ T5317] hfs: request for non-existent node 8 in B*Tree [ 87.817420][ T5317] [ 87.818884][ T5317] ====================================================== [ 87.821912][ T5317] WARNING: possible circular locking dependency detected [ 87.825719][ T5317] syzkaller #0 Not tainted [ 87.827707][ T5317] ------------------------------------------------------ [ 87.830687][ T5317] syz.0.0/5317 is trying to acquire lock: [ 87.833094][ T5317] ffff8880423960b0 (&tree->tree_lock/1){+.+.}-{4:4}, at: hfs_find_init+0x18e/0x300 [ 87.837257][ T5317] [ 87.837257][ T5317] but task is already holding lock: [ 87.840288][ T5317] ffff888042db41f8 (&HFS_I(tree->inode)->extents_lock){+.+.}-{4:4}, at: hfs_extend_file+0xf2/0x15e0 [ 87.844926][ T5317] [ 87.844926][ T5317] which lock already depends on the new lock. 
[ 87.844926][ T5317] [ 87.848877][ T5317] [ 87.848877][ T5317] the existing dependency chain (in reverse order) is: [ 87.852349][ T5317] [ 87.852349][ T5317] -> #1 (&HFS_I(tree->inode)->extents_lock){+.+.}-{4:4}: [ 87.856028][ T5317] __mutex_lock+0x19f/0x1300 [ 87.858406][ T5317] hfs_extend_file+0xf2/0x15e0 [ 87.860751][ T5317] hfs_bmap_reserve+0x107/0x430 [ 87.863114][ T5317] __hfs_ext_write_extent+0x1fa/0x470 [ 87.865627][ T5317] __hfs_ext_cache_extent+0x6b/0x9b0 [ 87.867974][ T5317] hfs_extend_file+0x39b/0x15e0 [ 87.870369][ T5317] hfs_get_block+0x412/0xc50 [ 87.872597][ T5317] __block_write_begin_int+0x6c6/0x1910 [ 87.875196][ T5317] cont_write_begin+0x737/0xae0 [ 87.877435][ T5317] hfs_write_begin+0x66/0xb0 [ 87.879569][ T5317] cont_write_begin+0x2e7/0xae0 [ 87.881907][ T5317] hfs_write_begin+0x66/0xb0 [ 87.884113][ T5317] generic_perform_write+0x2e2/0x8f0 [ 87.886580][ T5317] generic_file_write_iter+0x14a/0x680 [ 87.889206][ T5317] vfs_write+0x61d/0xb90 [ 87.891193][ T5317] __x64_sys_pwrite64+0x199/0x230 [ 87.893529][ T5317] do_syscall_64+0x14d/0xf80 [ 87.895632][ T5317] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 87.898415][ T5317] [ 87.898415][ T5317] -> #0 (&tree->tree_lock/1){+.+.}-{4:4}: [ 87.901599][ T5317] __lock_acquire+0x15a5/0x2cf0 [ 87.903719][ T5317] lock_acquire+0xf0/0x2e0 [ 87.905760][ T5317] __mutex_lock+0x19f/0x1300 [ 87.907889][ T5317] hfs_find_init+0x18e/0x300 [ 87.909942][ T5317] hfs_extend_file+0x35c/0x15e0 [ 87.912051][ T5317] hfs_bmap_reserve+0x107/0x430 [ 87.914232][ T5317] hfs_cat_create+0x20f/0x800 [ 87.916334][ T5317] hfs_create+0x75/0xe0 [ 87.918371][ T5317] path_openat+0x1395/0x3860 [ 87.920553][ T5317] do_file_open+0x23e/0x4a0 [ 87.922422][ T5317] do_sys_openat2+0x113/0x200 [ 87.924691][ T5317] __x64_sys_open+0x11e/0x150 [ 87.927357][ T5317] do_syscall_64+0x14d/0xf80 [ 87.929911][ T5317] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 87.932860][ T5317] [ 87.932860][ T5317] other info that might help us debug this: [ 87.932860][ T5317] 
[ 87.937384][ T5317] Possible unsafe locking scenario: [ 87.937384][ T5317] [ 87.940776][ T5317] CPU0 CPU1 [ 87.943427][ T5317] ---- ---- [ 87.945870][ T5317] lock(&HFS_I(tree->inode)->extents_lock); [ 87.948634][ T5317] lock(&tree->tree_lock/1); [ 87.951582][ T5317] lock(&HFS_I(tree->inode)->extents_lock); [ 87.954948][ T5317] lock(&tree->tree_lock/1); [ 87.956962][ T5317] [ 87.956962][ T5317] *** DEADLOCK *** [ 87.956962][ T5317] [ 87.960431][ T5317] 4 locks held by syz.0.0/5317: [ 87.962516][ T5317] #0: ffff888042392420 (sb_writers#12){.+.+}-{0:0}, at: mnt_want_write+0x41/0x90 [ 87.966308][ T5317] #1: ffff888042db3d20 (&type->i_mutex_dir_key#8){+.+.}-{4:4}, at: path_openat+0xb4c/0x3860 [ 87.970717][ T5317] #2: ffff8880330860b0 (&tree->tree_lock){+.+.}-{4:4}, at: hfs_find_init+0x18e/0x300 [ 87.974998][ T5317] #3: ffff888042db41f8 (&HFS_I(tree->inode)->extents_lock){+.+.}-{4:4}, at: hfs_extend_file+0xf2/0x15e0 [ 87.979793][ T5317] [ 87.979793][ T5317] stack backtrace: [ 87.982400][ T5317] CPU: 0 UID: 0 PID: 5317 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 87.982414][ T5317] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 87.982421][ T5317] Call Trace: [ 87.982428][ T5317] [ 87.982455][ T5317] dump_stack_lvl+0xe8/0x150 [ 87.982477][ T5317] print_circular_bug+0x2e1/0x300 [ 87.982493][ T5317] check_noncircular+0x12e/0x150 [ 87.982508][ T5317] __lock_acquire+0x15a5/0x2cf0 [ 87.982521][ T5317] ? _raw_spin_unlock_irqrestore+0x4c/0x80 [ 87.982536][ T5317] ? kasan_save_track+0x4f/0x80 [ 87.982549][ T5317] ? kasan_save_track+0x3e/0x80 [ 87.982561][ T5317] ? __kasan_kmalloc+0x93/0xb0 [ 87.982574][ T5317] ? __kmalloc_noprof+0x35c/0x760 [ 87.982586][ T5317] ? hfs_find_init+0xaa/0x300 [ 87.982598][ T5317] ? hfs_extend_file+0x35c/0x15e0 [ 87.982607][ T5317] ? hfs_bmap_reserve+0x107/0x430 [ 87.982615][ T5317] lock_acquire+0xf0/0x2e0 [ 87.982626][ T5317] ? 
hfs_find_init+0x18e/0x300 [ 87.982640][ T5317] __mutex_lock+0x19f/0x1300 [ 87.982653][ T5317] ? hfs_find_init+0x18e/0x300 [ 87.982667][ T5317] ? hfs_find_init+0x18e/0x300 [ 87.982680][ T5317] ? __pfx___mutex_lock+0x10/0x10 [ 87.982692][ T5317] ? rcu_is_watching+0x15/0xb0 [ 87.982706][ T5317] ? __kmalloc_noprof+0x37d/0x760 [ 87.982718][ T5317] ? kasan_save_track+0x4f/0x80 [ 87.982730][ T5317] ? hfs_find_init+0xaa/0x300 [ 87.982740][ T5317] ? __kmalloc_noprof+0x1b8/0x760 [ 87.982753][ T5317] hfs_find_init+0x18e/0x300 [ 87.982766][ T5317] hfs_extend_file+0x35c/0x15e0 [ 87.982778][ T5317] ? __pfx_hfs_extend_file+0x10/0x10 [ 87.982787][ T5317] ? __mutex_lock+0x319/0x1300 [ 87.982802][ T5317] ? __pfx___mutex_lock+0x10/0x10 [ 87.982815][ T5317] ? rcu_is_watching+0x15/0xb0 [ 87.982828][ T5317] hfs_bmap_reserve+0x107/0x430 [ 87.982839][ T5317] hfs_cat_create+0x20f/0x800 [ 87.982848][ T5317] ? do_raw_spin_lock+0x12b/0x2f0 [ 87.982857][ T5317] ? __pfx_hfs_cat_create+0x10/0x10 [ 87.982869][ T5317] ? _raw_spin_unlock+0x28/0x50 [ 87.982879][ T5317] ? hfs_new_inode+0x92d/0xc70 [ 87.982891][ T5317] hfs_create+0x75/0xe0 [ 87.982900][ T5317] ? __pfx_hfs_create+0x10/0x10 [ 87.982908][ T5317] path_openat+0x1395/0x3860 [ 87.982930][ T5317] ? __pfx_path_openat+0x10/0x10 [ 87.982942][ T5317] ? __x64_sys_open+0x11e/0x150 [ 87.982955][ T5317] ? __lock_acquire+0x6b5/0x2cf0 [ 87.982968][ T5317] do_file_open+0x23e/0x4a0 [ 87.982981][ T5317] ? __pfx_do_file_open+0x10/0x10 [ 87.982997][ T5317] ? _raw_spin_unlock+0x28/0x50 [ 87.983007][ T5317] ? alloc_fd+0x64b/0x6c0 [ 87.983019][ T5317] do_sys_openat2+0x113/0x200 [ 87.983030][ T5317] ? __se_sys_futex+0x3a8/0x450 [ 87.983042][ T5317] ? __pfx_do_sys_openat2+0x10/0x10 [ 87.983053][ T5317] ? rcu_is_watching+0x15/0xb0 [ 87.983065][ T5317] __x64_sys_open+0x11e/0x150 [ 87.983076][ T5317] do_syscall_64+0x14d/0xf80 [ 87.983088][ T5317] ? trace_irq_disable+0x3b/0x150 [ 87.983102][ T5317] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 87.983111][ T5317] ? 
clear_bhb_loop+0x40/0x90 [ 87.983122][ T5317] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 87.983132][ T5317] RIP: 0033:0x7f4c45f9c629 [ 87.983162][ T5317] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 87.983170][ T5317] RSP: 002b:00007f4c46e52028 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 87.983213][ T5317] RAX: ffffffffffffffda RBX: 00007f4c46215fa0 RCX: 00007f4c45f9c629 [ 87.983219][ T5317] RDX: 0000000000000000 RSI: 000000000014927e RDI: 0000200000000180 [ 87.983226][ T5317] RBP: 00007f4c46032b39 R08: 0000000000000000 R09: 0000000000000000 [ 87.983232][ T5317] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 87.983238][ T5317] R13: 00007f4c46216038 R14: 00007f4c46215fa0 R15: 00007ffed3167378 [ 87.983247][ T5317]