program: r0 = socket(0x10, 0x3, 0x0) r1 = socket(0x25, 0x2, 0x0) syz_genetlink_get_family_id$mptcp(&(0x7f00000000c0), r1) syz_mount_image$hfs(&(0x7f00000001c0), &(0x7f0000000180)='./file1\x00', 0x3004048, &(0x7f0000000100)=ANY=[], 0x11, 0x2c6, &(0x7f0000005bc0)="$eJzs3btuE08Ux/HfjJ3E/3+isCFBSJSBSNAgCA2iMUKueAIqBMRGirCCgCAuVUBUCEFPR8Er8BA0IF4AKioeIFSLZmbt9WXXNpbjjcP3I8XatWd2z3gvc46laAXgn3Wt9v3jpZ/uz0gllaTXVyQrqSKVJZ3Qycrjnd3t3WajPmhDJd/D/RmFnqavzdZOI6ur6+d7JCK3VtZS53vB4niDRK44jq/+KDoIFM5f/RmstKD5dL0yxZhG8WLMfnsTjmPWmH3t66mWi44DAFCsZP63IZPXUpK/WyttJNO+zw8O2/w/rv2iAzhw8cBPO+Z/X2XFxh3fY/6jtN7zJZz73LaqxFH2PNez7tNH25NgmmFVpY/F/nd3u9k4v3W/Wbd6qWqio9maf62HU7dlSLTrGbXpACOM3WRnlL5etXNuDJsh/ieSuuJfHXOPYzOfzVdz00R6r3o7/yvHxh0mf6SiniMV4r+Qv0U/ysi1UnLbqFartqvJit/JKXWWEsNGWcmuSNQ6o1bU/QNBNCxO3+t4T68wuotDeq1m9tpsreX0Wuvq5UbTPpvz93fQzFtzw6zrlz6p1pH/WxffhgZemelVYzbCVOC/8TCe+ezdlf02o76Zo/9yaX+LC3mh/+69p13/EA++zSHPG93RZS0/evb8XqnZbDx0C7czFh4std+ZeyVltil4QXvpOwuKvb7GrUlpmoGdm+gG3f1jaGN3lR2Kg3KkF2pfpnsiFbFQ8P0JU5Ee9KIjQUFc3mVC/ZfWK+WQ7LmXKDNPH/GHgGSLscux2xVc2jcOGbmk//+qglvMr+D6a66+mtHXXKfPSmdG32OUxHlEmJq+6Ra//wMAAAAAAAAAAAAAAAAAAMyaafw7QdFjBAAAAAAAAAAAAAAAAAAAAABg1rWf/6vW83812vN/e5+7Msnn/77bUfbzfwFM0p8AAAD//0gLf7E=") r2 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file1\x00', 0x42, 0x0) creat(&(0x7f0000000600)='./bus\x00', 0x6) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7) pwrite64(r2, &(0x7f0000000140)='2', 0x1, 0x8080c61) creat(&(0x7f0000000300)='./bus\x00', 0x4) unlinkat(0xffffffffffffff9c, &(0x7f0000000c40)='./file1\x00', 0x0) getsockname$packet(r1, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f00000003c0)=0x14) sendmsg$nl_route_sched(r0, &(0x7f0000005840)={0x0, 0x0, &(0x7f0000000080)={&(0x7f00000020c0)=@newqdisc={0x44, 0x24, 0x5820a61ca228651, 0x0, 0x0, {0x0, 0x0, 0x0, r3, {}, {0xffff, 0xffff}, {0x0, 0xfff1}}, [@qdisc_kind_options=@q_hfsc={{0x9}, {0x14, 0x2, @TCA_HFSC_RSC={0x10, 0x1, {0x2, 0x2, 0x9}}}}]}, 0x44}}, 0x0) syz_mount_image$hfs(&(0x7f00000001c0), &(0x7f0000000180)='./file1\x00', 0x3004048, &(0x7f0000000100)=ANY=[], 0x11, 0x2c6, &(0x7f0000005bc0)="$eJzs3btuE08Ux/HfjJ3E/3+isCFBSJSBSNAgCA2iMUKueAIqBMRGirCCgCAuVUBUCEFPR8Er8BA0IF4AKioeIFSLZmbt9WXXNpbjjcP3I8XatWd2z3gvc46laAXgn3Wt9v3jpZ/uz0gllaTXVyQrqSKVJZ3Qycrjnd3t3WajPmhDJd/D/RmFnqavzdZOI6ur6+d7JCK3VtZS53vB4niDRK44jq/+KDoIFM5f/RmstKD5dL0yxZhG8WLMfnsTjmPWmH3t66mWi44DAFCsZP63IZPXUpK/WyttJNO+zw8O2/w/rv2iAzhw8cBPO+Z/X2XFxh3fY/6jtN7zJZz73LaqxFH2PNez7tNH25NgmmFVpY/F/nd3u9k4v3W/Wbd6qWqio9maf62HU7dlSLTrGbXpACOM3WRnlL5etXNuDJsh/ieSuuJfHXOPYzOfzVdz00R6r3o7/yvHxh0mf6SiniMV4r+Qv0U/ysi1UnLbqFartqvJit/JKXWWEsNGWcmuSNQ6o1bU/QNBNCxO3+t4T68wuotDeq1m9tpsreX0Wuvq5UbTPpvz93fQzFtzw6zrlz6p1pH/WxffhgZemelVYzbCVOC/8TCe+ezdlf02o76Zo/9yaX+LC3mh/+69p13/EA++zSHPG93RZS0/evb8XqnZbDx0C7czFh4std+ZeyVltil4QXvpOwuKvb7GrUlpmoGdm+gG3f1jaGN3lR2Kg3KkF2pfpnsiFbFQ8P0JU5Ee9KIjQUFc3mVC/ZfWK+WQ7LmXKDNPH/GHgGSLscux2xVc2jcOGbmk//+qglvMr+D6a66+mtHXXKfPSmdG32OUxHlEmJq+6Ra//wMAAAAAAAAAAAAAAAAAAMyaafw7QdFjBAAAAAAAAAAAAAAAAAAAAABg1rWf/6vW83812vN/e5+7Msnn/77bUfbzfwFM0p8AAAD//0gLf7E=") open(&(0x7f0000000000)='./file1\x00', 0x101247, 0x5) sendmsg$nl_route_sched(r1, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000180)={&(0x7f00000009c0)=@newtfilter={0x2c, 0x28, 0xc2f, 0x0, 0x0, {0x0, 0x0, 0x0, r3, {0x2}, {0x0, 0x4}, {0x3}}, [@TCA_CHAIN={0x8, 0xb, 0xffff7229}]}, 0x2c}, 0x1, 0x0, 0x0, 0x2000c880}, 0x0) [ 75.197043][ T4662] Bluetooth: hci0: command tx timeout [ 75.251282][ T5314] loop0: detected capacity change from 0 to 64 [ 75.267277][ T5314] ======================================================= [ 75.267277][ T5314] WARNING: The mand mount option has been deprecated and [ 75.267277][ T5314] and is ignored by this kernel. Remove the mand [ 75.267277][ T5314] option from the mount to silence this warning. [ 75.267277][ T5314] ======================================================= [ 76.088101][ T5314] hfs: request for non-existent node 8 in B*Tree [ 76.090833][ T5314] hfs: request for non-existent node 8 in B*Tree [ 76.134622][ T1091] kworker/u4:9: attempt to access beyond end of device [ 76.134622][ T1091] loop0: rw=8388609, sector=4169, nr_sectors = 1 limit=64 [ 76.140599][ T1091] Buffer I/O error on dev loop0, logical block 4169, lost async page write [ 76.173217][ T1091] kworker/u4:9: attempt to access beyond end of device [ 76.173217][ T1091] loop0: rw=8388609, sector=4170, nr_sectors = 1 limit=64 [ 76.178762][ T1091] Buffer I/O error on dev loop0, logical block 4170, lost async page write [ 76.201758][ T5314] [ 76.202914][ T5314] ====================================================== [ 76.205942][ T5314] WARNING: possible circular locking dependency detected [ 76.208775][ T5314] syzkaller #0 Not tainted [ 76.210676][ T5314] ------------------------------------------------------ [ 76.213518][ T5314] syz.0.0/5314 is trying to acquire lock: [ 76.215935][ T5314] ffff8880120940b0 (&tree->tree_lock/1){+.+.}-{4:4}, at: hfs_find_init+0x18e/0x300 [ 76.219897][ T5314] [ 76.219897][ T5314] but task is already holding lock: [ 76.222997][ T5314] ffff888012ad41f8 (&HFS_I(tree->inode)->extents_lock){+.+.}-{4:4}, at: hfs_extend_file+0xf2/0x15e0 [ 76.227459][ T5314] [ 76.227459][ T5314] which lock already depends on the new lock. [ 76.227459][ T5314] [ 76.232145][ T5314] [ 76.232145][ T5314] the existing dependency chain (in reverse order) is: [ 76.235828][ T5314] [ 76.235828][ T5314] -> #1 (&HFS_I(tree->inode)->extents_lock){+.+.}-{4:4}: [ 76.239703][ T5314] __mutex_lock+0x19f/0x1300 [ 76.242116][ T5314] hfs_extend_file+0xf2/0x15e0 [ 76.244438][ T5314] hfs_bmap_reserve+0x107/0x430 [ 76.246871][ T5314] __hfs_ext_write_extent+0x1fa/0x470 [ 76.249769][ T5314] __hfs_ext_cache_extent+0x6b/0x9b0 [ 76.252365][ T5314] hfs_extend_file+0x39b/0x15e0 [ 76.254670][ T5314] hfs_get_block+0x412/0xc50 [ 76.256847][ T5314] __block_write_begin_int+0x6c6/0x1910 [ 76.259378][ T5314] cont_write_begin+0x737/0xae0 [ 76.261687][ T5314] hfs_write_begin+0x66/0xb0 [ 76.263909][ T5314] cont_write_begin+0x2e7/0xae0 [ 76.266184][ T5314] hfs_write_begin+0x66/0xb0 [ 76.268350][ T5314] generic_perform_write+0x2e2/0x8f0 [ 76.270827][ T5314] generic_file_write_iter+0x14a/0x680 [ 76.273676][ T5314] vfs_write+0x61d/0xb90 [ 76.275780][ T5314] __x64_sys_pwrite64+0x199/0x230 [ 76.278123][ T5314] do_syscall_64+0x14d/0xf80 [ 76.280390][ T5314] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.283115][ T5314] [ 76.283115][ T5314] -> #0 (&tree->tree_lock/1){+.+.}-{4:4}: [ 76.286346][ T5314] __lock_acquire+0x15a5/0x2cf0 [ 76.288773][ T5314] lock_acquire+0xf0/0x2e0 [ 76.291029][ T5314] __mutex_lock+0x19f/0x1300 [ 76.293231][ T5314] hfs_find_init+0x18e/0x300 [ 76.295587][ T5314] hfs_extend_file+0x35c/0x15e0 [ 76.297995][ T5314] hfs_bmap_reserve+0x107/0x430 [ 76.300294][ T5314] hfs_cat_create+0x20f/0x800 [ 76.302636][ T5314] hfs_create+0x75/0xe0 [ 76.304687][ T5314] path_openat+0x1395/0x3860 [ 76.306951][ T5314] do_file_open+0x23e/0x4a0 [ 76.309151][ T5314] do_sys_openat2+0x113/0x200 [ 76.311379][ T5314] __x64_sys_open+0x11e/0x150 [ 76.313659][ T5314] do_syscall_64+0x14d/0xf80 [ 76.315916][ T5314] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.318684][ T5314] [ 76.318684][ T5314] other info that might help us debug this: [ 76.318684][ T5314] [ 76.322912][ T5314] Possible unsafe locking scenario: [ 76.322912][ T5314] [ 76.326062][ T5314] CPU0 CPU1 [ 76.328389][ T5314] ---- ---- [ 76.330691][ T5314] lock(&HFS_I(tree->inode)->extents_lock); [ 76.333237][ T5314] lock(&tree->tree_lock/1); [ 76.336416][ T5314] lock(&HFS_I(tree->inode)->extents_lock); [ 76.339967][ T5314] lock(&tree->tree_lock/1); [ 76.342001][ T5314] [ 76.342001][ T5314] *** DEADLOCK *** [ 76.342001][ T5314] [ 76.345507][ T5314] 4 locks held by syz.0.0/5314: [ 76.347649][ T5314] #0: ffff888012096420 (sb_writers#12){.+.+}-{0:0}, at: mnt_want_write+0x41/0x90 [ 76.351608][ T5314] #1: ffff888012ad3d20 (&type->i_mutex_dir_key#8){+.+.}-{4:4}, at: path_openat+0xb4c/0x3860 [ 76.356978][ T5314] #2: ffff8880120920b0 (&tree->tree_lock){+.+.}-{4:4}, at: hfs_find_init+0x18e/0x300 [ 76.361518][ T5314] #3: ffff888012ad41f8 (&HFS_I(tree->inode)->extents_lock){+.+.}-{4:4}, at: hfs_extend_file+0xf2/0x15e0 [ 76.366080][ T5314] [ 76.366080][ T5314] stack backtrace: [ 76.368568][ T5314] CPU: 0 UID: 0 PID: 5314 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 76.368579][ T5314] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 76.368631][ T5314] Call Trace: [ 76.368639][ T5314] [ 76.368645][ T5314] dump_stack_lvl+0xe8/0x150 [ 76.368664][ T5314] print_circular_bug+0x2e1/0x300 [ 76.368684][ T5314] check_noncircular+0x12e/0x150 [ 76.368699][ T5314] __lock_acquire+0x15a5/0x2cf0 [ 76.368711][ T5314] ? _raw_spin_unlock_irqrestore+0x4c/0x80 [ 76.368725][ T5314] ? kasan_save_track+0x4f/0x80 [ 76.368739][ T5314] ? kasan_save_track+0x3e/0x80 [ 76.368753][ T5314] ? __kasan_kmalloc+0x93/0xb0 [ 76.368769][ T5314] ? __kmalloc_noprof+0x35c/0x760 [ 76.368784][ T5314] ? hfs_find_init+0xaa/0x300 [ 76.368797][ T5314] ? hfs_extend_file+0x35c/0x15e0 [ 76.368804][ T5314] ? hfs_bmap_reserve+0x107/0x430 [ 76.368810][ T5314] lock_acquire+0xf0/0x2e0 [ 76.368819][ T5314] ? hfs_find_init+0x18e/0x300 [ 76.368832][ T5314] __mutex_lock+0x19f/0x1300 [ 76.368846][ T5314] ? hfs_find_init+0x18e/0x300 [ 76.368861][ T5314] ? hfs_find_init+0x18e/0x300 [ 76.368874][ T5314] ? __pfx___mutex_lock+0x10/0x10 [ 76.368896][ T5314] ? rcu_is_watching+0x15/0xb0 [ 76.368913][ T5314] ? __kmalloc_noprof+0x37d/0x760 [ 76.368927][ T5314] ? kasan_save_track+0x4f/0x80 [ 76.368941][ T5314] ? hfs_find_init+0xaa/0x300 [ 76.368953][ T5314] ? __kmalloc_noprof+0x1b8/0x760 [ 76.368969][ T5314] hfs_find_init+0x18e/0x300 [ 76.368984][ T5314] hfs_extend_file+0x35c/0x15e0 [ 76.368997][ T5314] ? __pfx_hfs_extend_file+0x10/0x10 [ 76.369007][ T5314] ? __mutex_lock+0x319/0x1300 [ 76.369022][ T5314] ? __pfx___mutex_lock+0x10/0x10 [ 76.369036][ T5314] ? rcu_is_watching+0x15/0xb0 [ 76.369050][ T5314] hfs_bmap_reserve+0x107/0x430 [ 76.369062][ T5314] hfs_cat_create+0x20f/0x800 [ 76.369071][ T5314] ? do_raw_spin_lock+0x12b/0x2f0 [ 76.369081][ T5314] ? __pfx_hfs_cat_create+0x10/0x10 [ 76.369094][ T5314] ? _raw_spin_unlock+0x28/0x50 [ 76.369105][ T5314] ? hfs_new_inode+0x92d/0xc70 [ 76.369117][ T5314] hfs_create+0x75/0xe0 [ 76.369125][ T5314] ? __pfx_hfs_create+0x10/0x10 [ 76.369134][ T5314] path_openat+0x1395/0x3860 [ 76.369156][ T5314] ? __pfx_path_openat+0x10/0x10 [ 76.369169][ T5314] ? __x64_sys_open+0x11e/0x150 [ 76.369181][ T5314] ? __lock_acquire+0x6b5/0x2cf0 [ 76.369193][ T5314] do_file_open+0x23e/0x4a0 [ 76.369207][ T5314] ? __pfx_do_file_open+0x10/0x10 [ 76.369225][ T5314] ? _raw_spin_unlock+0x28/0x50 [ 76.369237][ T5314] ? alloc_fd+0x64b/0x6c0 [ 76.369249][ T5314] do_sys_openat2+0x113/0x200 [ 76.369260][ T5314] ? __se_sys_futex+0x3a8/0x450 [ 76.369271][ T5314] ? __pfx_do_sys_openat2+0x10/0x10 [ 76.369284][ T5314] ? rcu_is_watching+0x15/0xb0 [ 76.369300][ T5314] __x64_sys_open+0x11e/0x150 [ 76.369313][ T5314] do_syscall_64+0x14d/0xf80 [ 76.369328][ T5314] ? trace_irq_disable+0x3b/0x150 [ 76.369343][ T5314] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.369350][ T5314] ? clear_bhb_loop+0x40/0x90 [ 76.369357][ T5314] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.369365][ T5314] RIP: 0033:0x7facfbf9c629 [ 76.369374][ T5314] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 76.369382][ T5314] RSP: 002b:00007facfce47028 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 76.369394][ T5314] RAX: ffffffffffffffda RBX: 00007facfc215fa0 RCX: 00007facfbf9c629 [ 76.369402][ T5314] RDX: 0000000000000005 RSI: 0000000000101247 RDI: 0000200000000000 [ 76.369409][ T5314] RBP: 00007facfc032b39 R08: 0000000000000000 R09: 0000000000000000 [ 76.369415][ T5314] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 76.369422][ T5314] R13: 00007facfc216038 R14: 00007facfc215fa0 R15: 00007fff6cd3aad8 [ 76.369434][ T5314] [ 76.563604][ T1091] kworker/u4:9: attempt to access beyond end of device [ 76.563604][ T1091] loop0: rw=8388609, sector=4172, nr_sectors = 1 limit=64 [ 76.593661][ T1091] Buffer I/O error on dev loop0, logical block 4172, lost async page write [ 76.597745][ T1091] kworker/u4:9: attempt to access beyond end of device [ 76.597745][ T1091] loop0: rw=8388609, sector=4173, nr_sectors = 1 limit=64 [ 76.631373][ T1091] Buffer I/O error on dev loop0, logical block 4173, lost async page write [ 76.637737][ T1091] kworker/u4:9: attempt to access beyond end of device [ 76.637737][ T1091] loop0: rw=8388609, sector=4174, nr_sectors = 1 limit=64 [ 76.664338][ T1091] Buffer I/O error on dev loop0, logical block 4174, lost async page write [ 76.668114][ T1091] kworker/u4:9: attempt to access beyond end of device [ 76.668114][ T1091] loop0: rw=8388609, sector=4175, nr_sectors = 1 limit=64 [ 76.675690][ T1091] Buffer I/O error on dev loop0, logical block 4175, lost async page write [ 76.679166][ T1091] kworker/u4:9: attempt to access beyond end of device [ 76.679166][ T1091] loop0: rw=8388609, sector=4176, nr_sectors = 1 limit=64 [ 76.685132][ T1091] Buffer I/O error on dev loop0, logical block 4176, lost async page write [ 76.688744][ T1091] kworker/u4:9: attempt to access beyond end of device [ 76.688744][ T1091] loop0: rw=8388609, sector=4177, nr_sectors = 1 limit=64 [ 76.695559][ T1091] Buffer I/O error on dev loop0, logical block 4177, lost async page write [ 76.714153][ T1091] kworker/u4:9: attempt to access beyond end of device [ 76.714153][ T1091] loop0: rw=8388609, sector=4200, nr_sectors = 1 limit=64 [ 76.733241][ T1091] Buffer I/O error on dev loop0, logical block 4200, lost async page write [ 76.737094][ T1091] kworker/u4:9: attempt to access beyond end of device [ 76.737094][ T1091] loop0: rw=8388609, sector=4201, nr_sectors = 1 limit=64 [ 76.743005][ T1091] Buffer I/O error on dev loop0, logical block 4201, lost async page write