program: syz_mount_image$hfs(&(0x7f00000001c0), &(0x7f0000000180)='./file1\x00', 0x3004048, &(0x7f0000000100)=ANY=[], 0x11, 0x2c6, &(0x7f0000005bc0)="$eJzs3btuE08Ux/HfjJ3E/3+isCFBSJSBSNAgCA2iMUKueAIqBMRGirCCgCAuVUBUCEFPR8Er8BA0IF4AKioeIFSLZmbt9WXXNpbjjcP3I8XatWd2z3gvc46laAXgn3Wt9v3jpZ/uz0gllaTXVyQrqSKVJZ3Qycrjnd3t3WajPmhDJd/D/RmFnqavzdZOI6ur6+d7JCK3VtZS53vB4niDRK44jq/+KDoIFM5f/RmstKD5dL0yxZhG8WLMfnsTjmPWmH3t66mWi44DAFCsZP63IZPXUpK/WyttJNO+zw8O2/w/rv2iAzhw8cBPO+Z/X2XFxh3fY/6jtN7zJZz73LaqxFH2PNez7tNH25NgmmFVpY/F/nd3u9k4v3W/Wbd6qWqio9maf62HU7dlSLTrGbXpACOM3WRnlL5etXNuDJsh/ieSuuJfHXOPYzOfzVdz00R6r3o7/yvHxh0mf6SiniMV4r+Qv0U/ysi1UnLbqFartqvJit/JKXWWEsNGWcmuSNQ6o1bU/QNBNCxO3+t4T68wuotDeq1m9tpsreX0Wuvq5UbTPpvz93fQzFtzw6zrlz6p1pH/WxffhgZemelVYzbCVOC/8TCe+ezdlf02o76Zo/9yaX+LC3mh/+69p13/EA++zSHPG93RZS0/evb8XqnZbDx0C7czFh4std+ZeyVltil4QXvpOwuKvb7GrUlpmoGdm+gG3f1jaGN3lR2Kg3KkF2pfpnsiFbFQ8P0JU5Ee9KIjQUFc3mVC/ZfWK+WQ7LmXKDNPH/GHgGSLscux2xVc2jcOGbmk//+qglvMr+D6a66+mtHXXKfPSmdG32OUxHlEmJq+6Ra//wMAAAAAAAAAAAAAAAAAAMyaafw7QdFjBAAAAAAAAAAAAAAAAAAAAABg1rWf/6vW83812vN/e5+7Msnn/77bUfbzfwFM0p8AAAD//0gLf7E=") r0 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file1\x00', 0x42, 0x0) getpid() creat(&(0x7f0000000600)='./bus\x00', 0x6) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7) pwrite64(r0, &(0x7f0000000140)='2', 0x1, 0x8080c61) creat(&(0x7f0000000300)='./bus\x00', 0x4) unlinkat(0xffffffffffffff9c, &(0x7f0000000c40)='./file1\x00', 0x0) syz_mount_image$hfs(&(0x7f00000001c0), &(0x7f0000000180)='./file1\x00', 0x3004048, &(0x7f0000000100)=ANY=[], 0x11, 0x2c6, &(0x7f0000005bc0)="$eJzs3btuE08Ux/HfjJ3E/3+isCFBSJSBSNAgCA2iMUKueAIqBMRGirCCgCAuVUBUCEFPR8Er8BA0IF4AKioeIFSLZmbt9WXXNpbjjcP3I8XatWd2z3gvc46laAXgn3Wt9v3jpZ/uz0gllaTXVyQrqSKVJZ3Qycrjnd3t3WajPmhDJd/D/RmFnqavzdZOI6ur6+d7JCK3VtZS53vB4niDRK44jq/+KDoIFM5f/RmstKD5dL0yxZhG8WLMfnsTjmPWmH3t66mWi44DAFCsZP63IZPXUpK/WyttJNO+zw8O2/w/rv2iAzhw8cBPO+Z/X2XFxh3fY/6jtN7zJZz73LaqxFH2PNez7tNH25NgmmFVpY/F/nd3u9k4v3W/Wbd6qWqio9maf62HU7dlSLTrGbXpACOM3WRnlL5etXNuDJsh/ieSuuJfHXOPYzOfzVdz00R6r3o7/yvHxh0mf6SiniMV4r+Qv0U/ysi1UnLbqFartqvJit/JKXWWEsNGWcmuSNQ6o1bU/QNBNCxO3+t4T68wuotDeq1m9tpsreX0Wuvq5UbTPpvz93fQzFtzw6zrlz6p1pH/WxffhgZemelVYzbCVOC/8TCe+ezdlf02o76Zo/9yaX+LC3mh/+69p13/EA++zSHPG93RZS0/evb8XqnZbDx0C7czFh4std+ZeyVltil4QXvpOwuKvb7GrUlpmoGdm+gG3f1jaGN3lR2Kg3KkF2pfpnsiFbFQ8P0JU5Ee9KIjQUFc3mVC/ZfWK+WQ7LmXKDNPH/GHgGSLscux2xVc2jcOGbmk//+qglvMr+D6a66+mtHXXKfPSmdG32OUxHlEmJq+6Ra//wMAAAAAAAAAAAAAAAAAAMyaafw7QdFjBAAAAAAAAAAAAAAAAAAAAABg1rWf/6vW83812vN/e5+7Msnn/77bUfbzfwFM0p8AAAD//0gLf7E=") (async) openat(0xffffffffffffff9c, &(0x7f0000000040)='./file1\x00', 0x42, 0x0) (async) getpid() (async) creat(&(0x7f0000000600)='./bus\x00', 0x6) (async) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) (async) sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7) (async) pwrite64(r0, &(0x7f0000000140)='2', 0x1, 0x8080c61) (async) creat(&(0x7f0000000300)='./bus\x00', 0x4) (async) unlinkat(0xffffffffffffff9c, &(0x7f0000000c40)='./file1\x00', 0x0) (async) [ 91.807252][ T5297] Bluetooth: hci0: command tx timeout [ 91.956282][ T9] cfg80211: failed to load regulatory.db [ 91.993912][ T5320] loop0: detected capacity change from 0 to 64 [ 92.028881][ T5320] ======================================================= [ 92.028881][ T5320] WARNING: The mand mount option has been deprecated and [ 92.028881][ T5320] and is ignored by this kernel. Remove the mand [ 92.028881][ T5320] option from the mount to silence this warning. [ 92.028881][ T5320] ======================================================= [ 92.894102][ T5320] hfs: request for non-existent node 8 in B*Tree [ 92.897016][ T5320] hfs: request for non-existent node 8 in B*Tree [ 92.930569][ T5320] [ 92.931846][ T5320] ====================================================== [ 92.935793][ T5320] WARNING: possible circular locking dependency detected [ 92.939329][ T5320] syzkaller #0 Not tainted [ 92.941883][ T5320] ------------------------------------------------------ [ 92.945304][ T5320] syz.0.0/5320 is trying to acquire lock: [ 92.947335][ T5320] ffff888042d4a0b0 (&tree->tree_lock/1){+.+.}-{4:4}, at: hfs_find_init+0x18e/0x300 [ 92.951303][ T5320] [ 92.951303][ T5320] but task is already holding lock: [ 92.954977][ T5320] ffff88803786c1f8 (&HFS_I(tree->inode)->extents_lock){+.+.}-{4:4}, at: hfs_extend_file+0xf2/0x15e0 [ 92.960700][ T5320] [ 92.960700][ T5320] which lock already depends on the new lock. [ 92.960700][ T5320] [ 92.966015][ T5320] [ 92.966015][ T5320] the existing dependency chain (in reverse order) is: [ 92.969913][ T5320] [ 92.969913][ T5320] -> #1 (&HFS_I(tree->inode)->extents_lock){+.+.}-{4:4}: [ 92.975799][ T5320] __mutex_lock+0x19f/0x1300 [ 92.977783][ T5320] hfs_extend_file+0xf2/0x15e0 [ 92.980155][ T5320] hfs_bmap_reserve+0x107/0x430 [ 92.982297][ T5320] __hfs_ext_write_extent+0x1fa/0x470 [ 92.984823][ T5320] __hfs_ext_cache_extent+0x6b/0x9b0 [ 92.987540][ T5320] hfs_extend_file+0x39b/0x15e0 [ 92.990363][ T5320] hfs_get_block+0x412/0xc50 [ 92.993326][ T5320] __block_write_begin_int+0x6c6/0x1910 [ 92.997534][ T5320] cont_write_begin+0x737/0xae0 [ 93.001309][ T5320] hfs_write_begin+0x66/0xb0 [ 93.004384][ T5320] cont_write_begin+0x2e7/0xae0 [ 93.007203][ T5320] hfs_write_begin+0x66/0xb0 [ 93.009559][ T5320] generic_perform_write+0x2e2/0x8f0 [ 93.012300][ T5320] generic_file_write_iter+0x14a/0x680 [ 93.015076][ T5320] vfs_write+0x61d/0xb90 [ 93.017364][ T5320] __x64_sys_pwrite64+0x199/0x230 [ 93.020421][ T5320] do_syscall_64+0x14d/0xf80 [ 93.022752][ T5320] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 93.025281][ T5320] [ 93.025281][ T5320] -> #0 (&tree->tree_lock/1){+.+.}-{4:4}: [ 93.028596][ T5320] __lock_acquire+0x15a5/0x2cf0 [ 93.030722][ T5320] lock_acquire+0xf0/0x2e0 [ 93.033419][ T5320] __mutex_lock+0x19f/0x1300 [ 93.035965][ T5320] hfs_find_init+0x18e/0x300 [ 93.038454][ T5320] hfs_extend_file+0x35c/0x15e0 [ 93.040544][ T5320] hfs_bmap_reserve+0x107/0x430 [ 93.043074][ T5320] hfs_cat_create+0x20f/0x800 [ 93.045213][ T5320] hfs_create+0x75/0xe0 [ 93.047019][ T5320] path_openat+0x1395/0x3860 [ 93.049130][ T5320] do_file_open+0x23e/0x4a0 [ 93.051357][ T5320] do_sys_openat2+0x113/0x200 [ 93.054141][ T5320] __x64_sys_openat+0x138/0x170 [ 93.057214][ T5320] do_syscall_64+0x14d/0xf80 [ 93.059870][ T5320] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 93.063091][ T5320] [ 93.063091][ T5320] other info that might help us debug this: [ 93.063091][ T5320] [ 93.067272][ T5320] Possible unsafe locking scenario: [ 93.067272][ T5320] [ 93.070365][ T5320] CPU0 CPU1 [ 93.072661][ T5320] ---- ---- [ 93.075073][ T5320] lock(&HFS_I(tree->inode)->extents_lock); [ 93.077595][ T5320] lock(&tree->tree_lock/1); [ 93.081169][ T5320] lock(&HFS_I(tree->inode)->extents_lock); [ 93.085772][ T5320] lock(&tree->tree_lock/1); [ 93.087609][ T5320] [ 93.087609][ T5320] *** DEADLOCK *** [ 93.087609][ T5320] [ 93.090732][ T5320] 4 locks held by syz.0.0/5320: [ 93.092649][ T5320] #0: ffff888032eaa420 (sb_writers#12){.+.+}-{0:0}, at: mnt_want_write+0x41/0x90 [ 93.096068][ T5320] #1: ffff88803786bd20 (&type->i_mutex_dir_key#8){+.+.}-{4:4}, at: path_openat+0xb4c/0x3860 [ 93.100306][ T5320] #2: ffff888011f6a0b0 (&tree->tree_lock){+.+.}-{4:4}, at: hfs_find_init+0x18e/0x300 [ 93.105250][ T5320] #3: ffff88803786c1f8 (&HFS_I(tree->inode)->extents_lock){+.+.}-{4:4}, at: hfs_extend_file+0xf2/0x15e0 [ 93.109970][ T5320] [ 93.109970][ T5320] stack backtrace: [ 93.112334][ T5320] CPU: 0 UID: 0 PID: 5320 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 93.112350][ T5320] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 93.112358][ T5320] Call Trace: [ 93.112367][ T5320] [ 93.112373][ T5320] dump_stack_lvl+0xe8/0x150 [ 93.112396][ T5320] print_circular_bug+0x2e1/0x300 [ 93.112414][ T5320] check_noncircular+0x12e/0x150 [ 93.112431][ T5320] __lock_acquire+0x15a5/0x2cf0 [ 93.112446][ T5320] ? _raw_spin_unlock_irqrestore+0x4c/0x80 [ 93.112472][ T5320] ? kasan_save_track+0x4f/0x80 [ 93.112490][ T5320] ? kasan_save_track+0x3e/0x80 [ 93.112503][ T5320] ? __kasan_kmalloc+0x93/0xb0 [ 93.112513][ T5320] ? __kmalloc_noprof+0x35c/0x760 [ 93.112528][ T5320] ? hfs_find_init+0xaa/0x300 [ 93.112543][ T5320] ? hfs_extend_file+0x35c/0x15e0 [ 93.112553][ T5320] ? hfs_bmap_reserve+0x107/0x430 [ 93.112566][ T5320] lock_acquire+0xf0/0x2e0 [ 93.112579][ T5320] ? hfs_find_init+0x18e/0x300 [ 93.112594][ T5320] __mutex_lock+0x19f/0x1300 [ 93.112606][ T5320] ? hfs_find_init+0x18e/0x300 [ 93.112622][ T5320] ? hfs_find_init+0x18e/0x300 [ 93.112636][ T5320] ? __pfx___mutex_lock+0x10/0x10 [ 93.112647][ T5320] ? rcu_is_watching+0x15/0xb0 [ 93.112663][ T5320] ? __kmalloc_noprof+0x37d/0x760 [ 93.112679][ T5320] ? kasan_save_track+0x4f/0x80 [ 93.112693][ T5320] ? hfs_find_init+0xaa/0x300 [ 93.112706][ T5320] ? __kmalloc_noprof+0x1b8/0x760 [ 93.112722][ T5320] hfs_find_init+0x18e/0x300 [ 93.112738][ T5320] hfs_extend_file+0x35c/0x15e0 [ 93.112751][ T5320] ? __pfx_hfs_extend_file+0x10/0x10 [ 93.112763][ T5320] ? __mutex_lock+0x319/0x1300 [ 93.112776][ T5320] ? __pfx___mutex_lock+0x10/0x10 [ 93.112785][ T5320] ? rcu_is_watching+0x15/0xb0 [ 93.112801][ T5320] hfs_bmap_reserve+0x107/0x430 [ 93.112815][ T5320] hfs_cat_create+0x20f/0x800 [ 93.112828][ T5320] ? do_raw_spin_lock+0x12b/0x2f0 [ 93.112838][ T5320] ? __pfx_hfs_cat_create+0x10/0x10 [ 93.112852][ T5320] ? _raw_spin_unlock+0x28/0x50 [ 93.112867][ T5320] ? hfs_new_inode+0x92d/0xc70 [ 93.112880][ T5320] hfs_create+0x75/0xe0 [ 93.112892][ T5320] ? __pfx_hfs_create+0x10/0x10 [ 93.112902][ T5320] path_openat+0x1395/0x3860 [ 93.112927][ T5320] ? __pfx_path_openat+0x10/0x10 [ 93.112941][ T5320] ? __x64_sys_openat+0x138/0x170 [ 93.112959][ T5320] ? __lock_acquire+0x6b5/0x2cf0 [ 93.112973][ T5320] do_file_open+0x23e/0x4a0 [ 93.112991][ T5320] ? __pfx_do_file_open+0x10/0x10 [ 93.113010][ T5320] ? _raw_spin_unlock+0x28/0x50 [ 93.113025][ T5320] ? alloc_fd+0x64b/0x6c0 [ 93.113040][ T5320] do_sys_openat2+0x113/0x200 [ 93.113053][ T5320] ? __se_sys_futex+0x3a8/0x450 [ 93.113069][ T5320] ? __pfx_do_sys_openat2+0x10/0x10 [ 93.113082][ T5320] ? rcu_is_watching+0x15/0xb0 [ 93.113099][ T5320] __x64_sys_openat+0x138/0x170 [ 93.113113][ T5320] do_syscall_64+0x14d/0xf80 [ 93.113131][ T5320] ? trace_irq_disable+0x3b/0x150 [ 93.113148][ T5320] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 93.113159][ T5320] ? clear_bhb_loop+0x40/0x90 [ 93.113172][ T5320] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 93.113184][ T5320] RIP: 0033:0x7f4bc279c799 [ 93.113197][ T5320] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 93.113208][ T5320] RSP: 002b:00007f4bbebf4fe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 93.113221][ T5320] RAX: ffffffffffffffda RBX: 00007f4bc2a15fa0 RCX: 00007f4bc279c799 [ 93.113228][ T5320] RDX: 0000000000000042 RSI: 0000200000000040 RDI: ffffffffffffff9c [ 93.113237][ T5320] RBP: 00007f4bc2832bd9 R08: 0000000000000000 R09: 0000000000000000 [ 93.113244][ T5320] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 93.113250][ T5320] R13: 00007f4bc2a16038 R14: 00007f4bc2a15fa0 R15: 00007fff89b97eb8 [ 93.113261][ T5320] [ 93.881540][ T4665] Bluetooth: hci0: command tx timeout [ 93.890823][ T5321] syz.0.0: attempt to access beyond end of device [ 93.890823][ T5321] loop0: rw=8388608, sector=27869, nr_sectors = 1 limit=64 [ 93.903862][ T5321] Buffer I/O error on dev loop0, logical block 27869, async page read [ 93.909395][ T5321] syz.0.0: attempt to access beyond end of device [ 93.909395][ T5321] loop0: rw=8388608, sector=27871, nr_sectors = 1 limit=64 [ 93.915432][ T5321] Buffer I/O error on dev loop0, logical block 27871, async page read [ 93.921180][ T5321] syz.0.0: attempt to access beyond end of device [ 93.921180][ T5321] loop0: rw=8388608, sector=27872, nr_sectors = 1 limit=64 [ 94.883992][ T5321] Buffer I/O error on dev loop0, logical block 27872, async page read