program: syz_mount_image$hfs(&(0x7f00000001c0), &(0x7f0000000180)='./file1\x00', 0x30000c8, &(0x7f0000000100)=ANY=[], 0x11, 0x2d1, &(0x7f0000000280)="$eJzs3b9u01AUx/HfddI2pVVxaRESY6ESLAjKgliCUCaegAkBTZAqoiKgiD9TQUwIwc7GwCvwECwgXgAmJh6gTEb32o6T2I7dqI0b+H6kRnbia58bX9vnRKquAPy3rrd+fLr8y/4Zqaaa9Oaq5ElqSHVJJ3Wq8WR7Z2un22mP2lHNtbB/RmFLk9pmc7uT1dS2cy0ivl2ra7H/vdDCeJ1EriAIrv2sOghUzl39GTxpTrPJemOCMZXxcsx2uwccx7Qxe9rTMy1VHQcAoFrR898LM3ktRvm750nr0WPf5QdH7fk/rr2qAzh0wchP+57/rsoKjD2/x91HSb3nSjj7uRdXiWWOPDO07tJHbyjBNEVVpYvFm7+31e1c2HzQbXt6pWakb7NV99oOh26sINq1jNp0hBJ9N9kZpatXvRnbh40w/qeSBuJfGfOIKWWvTPPFfDO3jK8Pavfyv3pg7GlyZ8ofOlNh/Bfz9+h66dutFN02ms2mN7DJsjvIafWXEkW9bGRXJIpH1LIGfyDwi+J0rU4MtQp7d6mg1Upmq414LafV6kAr25veaM4/3mEz78xNs6bf+qxWX/7v2fjWNfLKTK4asx4OOPeNh/2ZzT5c3e3TT43P9OXS+xbn8kL/M3xPu/ExGH2bQ563uqsrWnr8/MX9WrfbeWQX7mQsPFzsvTPzWsrcpuIF7SbvzClwUhvHD6VJBnb+QHdo7x+FG9ur7EiclH96ofX1sAbSfDRMq+9phfcmTExy0quOBBWxeZcJ67+kXqmHyZ598TPz9JLlRrTHwObYvQouaRuEGbmkY/uq4BbyK7h0zZWqGV3NdeacdLb8Ef0ozmlm+hL4lr7rNr//AwAAAAAAAAAAAAAAAAAATJtJ/DtB1X0EAAAAAAAAAAAAAAAAAAAAAGDa9eb/VTz/r8rN/zs878pBzv/7flvZ8//GcuaaAbAvfwMAAP//QTZ8Yw==") prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7) r0 = open(&(0x7f0000000240)='./file1\x00', 0x145142, 0x0) r1 = openat(0xffffffffffffff9c, &(0x7f0000000100)='./file1\x00', 0x42, 0x2) pwrite64(r1, &(0x7f0000000140)='2', 0x1, 0x8000c61) keyctl$clear(0x3, 0xfffffffffffffffc) syz_mount_image$ext4(&(0x7f0000000200)='ext4\x00', &(0x7f0000000740)='./file0aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\x00', 0xc000, &(0x7f00000006c0), 0x2, 0x246, &(0x7f0000000ac0)="$eJzs3T9oM2UcB/DvXRJf+75BXnURxD8gIloor5vg8rooFKQUEUGFioiL0gq1xa1xcnHQWaWTSxE3q6N0KS6K4FS1Q10ELQ4WBx0iybVS24ja1Jz0Ph+43l3vee73HLnvkyyXBGisq0muJ2klmU7SSVIcb3B3tVw93F2f2l5I+v0nfiqG7ar9ylG/K0l6SR5KslUWeamdrG4+s/fLzmP3vbnSuff9zaenJnqRh/b3dh8/eG/ujY9mH1z94qsf5opcT/dP13X+ihH/axfJLf9Fsf+Jol33CPgn5l/78OtB7m9Ncs8w/52UqV68t5Zv2OrkgXf/qu/bP355+yTHCpy/fr8zeA/s9YHGKZN0U5QzSartspyZqT7Df9O6XL68tPzq9ItLK4sv1D1TAeelm+w++smlj6+cyP/3rSr/wMU1yP+T8xvfDrYPWnWPBpiIO6rVIP/Tz63dH/mHxpF/aC75h+aSf2gu+Yfmkn9oLvmHC6xztNEbeVj+obnkH5pL/qG5jucfAGiW/qW6n0AG6lL3/AMAAAAAAAAAAAAAAAAAAJy2PrW9cLRMquZn7yT7jyRpj6rfGv4ecXLj8O/ln4tBsz8UVbexPHvXmCcY0wc1P31903f11v/8znrrry0mvdeTXGu3T99/xeH9d3Y3/83xzvNjFviXihP7Dz812fon/bZRb/3ZneTTwfxzbdT8U+a24Xr0/NM9/hXLZ/TKr2OeAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgIn5PQAA//8PK23M") mkdir(&(0x7f00000020c0)='./file0\x00', 0x0) r2 = open$dir(&(0x7f0000000100)='./file0\x00', 0x0, 0x0) r3 = open$dir(&(0x7f0000000100)='./file0\x00', 0x0, 0x0) ioctl$FS_IOC_SET_ENCRYPTION_POLICY(r3, 0x800c6613, &(0x7f0000000140)=@v1={0x0, @adiantum, 0x4, @desc3}) r4 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000300)='blkio.bfq.dequeue\x00', 0x275a, 0x0) ioctl$EXT4_IOC_MOVE_EXT(r4, 0x8004587d, &(0x7f0000000080)) ioctl$FS_IOC_SET_ENCRYPTION_POLICY(r2, 0x800c6613, &(0x7f0000000140)=@v1={0x0, @adiantum, 0x4, @desc3}) keyctl$session_to_parent(0x12) ftruncate(r0, 0x2007ffc) syz_mount_image$vfat(&(0x7f0000000240), &(0x7f0000000000)='./bus\x00', 0x80000a, &(0x7f00000007c0)=ANY=[@ANYBLOB='shortname=lower,shortname=win95,rodir,iocharset=default,uni_xlate=0,nonumtail=1,utf8=0,flush,rodir,shortname=win95,shortname=winnt,shortname=win95,showexec,uni_xlate=0,utf8=0,utf8=0,uni_xlate=0,shortname=mixed,\x00'], 0x97, 0x2cf, &(0x7f00000008c0)="$eJzs3T+LXFUUAPDzZmffDFrMClYi+EALq5BNazOLJBBMJ4uohS4mAckMwgYW/IPPVLY2lrY2gmDnl7DxGwi2gp0LBp689+7LzCRvJzPIJP75/Yrk7L333Hvu7lt2tpiz7784v3OziNv3PvslxuMsBtOYxnkWBzGIzhexYvpVAAD/ZudVFb9XrW3ysogY764sAGCHzsuI2Obn/w87LwkA2LE3337njaM8IopiHNfmX54d17/Z1/+380e348OYxa24HJO4/+ClQvNqof73WlVV5bCoHcQr8/LsuM6cv/dT2v/ot4io9z/MuiPb9FHKv37j6mHRWsov6zqeSedP6/OvxCSe7zn/+o2rV3ry4ziPV19eqv9STOLnD+KjmMXNpog2PwYRnx8WxevV1398+m5dXp2flWfHo2bdQrX3JL8uAAAAAAAAAAAAAAAAAAAAAAD8t11KvXNG0fTvqYdS/529+/UH+1F0Dlb787T5D7r6PNQfqKzim64/z+WiKKq0cJE/jBeGMXw6twYAAAAAAAAAAAAAAAAAAIB/lrsff3LnZDa7dfqYYLjBmpNZ1w2geVv/W1sesRRMl0ZeivWLR+mYk9lskMI1O8detyaLWFtGfYmNa/4ztT3Y+qZN8NxFNX/3/cb7fPv4u6dgf4M1fzNItRQXPgCj6EbGkYIfl9fkseFZef/U/mnVPhKPTO317pz3HjHZ+u75s01QrlkTWX9hbfDar+3nLI1kD98ij4gLdt5PwVL66prx5s9z/Z3yiEy3DgAAAAAAAAAAAAAAAAAA2KnFm357Ju+tTR1Uo52VBQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABP1OLv/zfBOA0vRvqCMq1anRouRqpJN5XH6d2neD0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD+J/4KAAD//4sJU/Y=") mknod(&(0x7f0000000040)='./file0\x00', 0x800, 0x0) truncate(&(0x7f0000000080)='./file0\x00', 0x80000) openat(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00', 0x397b, 0x41) [ 110.097303][ T5293] Bluetooth: hci0: command tx timeout [ 110.169276][ T5335] loop0: detected capacity change from 0 to 64 [ 110.195139][ T5335] ======================================================= [ 110.195139][ T5335] WARNING: The mand mount option has been deprecated and [ 110.195139][ T5335] and is ignored by this kernel. Remove the mand [ 110.195139][ T5335] option from the mount to silence this warning. [ 110.195139][ T5335] ======================================================= [ 111.215062][ T5335] hfs: request for non-existent node 8 in B*Tree [ 111.219552][ T5335] hfs: request for non-existent node 8 in B*Tree [ 111.236479][ T24] audit: type=1800 audit(1782550852.860:2): pid=5335 uid=0 auid=4294967295 ses=4294967295 subj=unconfined op=collect_data cause=failed(directio) comm="syz.0.0" name="file1" dev="loop0" ino=21 res=0 errno=0 [ 111.341271][ T5335] [ 111.342661][ T5335] ====================================================== [ 111.345756][ T5335] WARNING: possible circular locking dependency detected [ 111.348891][ T5335] syzkaller #0 Not tainted [ 111.351043][ T5335] ------------------------------------------------------ [ 111.354861][ T5335] syz.0.0/5335 is trying to acquire lock: [ 111.357608][ T5335] ffff88803faea0a8 (&tree->tree_lock/1){+.+.}-{4:4}, at: hfs_find_init+0x18d/0x300 [ 111.361174][ T5335] [ 111.361174][ T5335] but task is already holding lock: [ 111.364059][ T5335] ffff888011da7a20 (&HFS_I(tree->inode)->extents_lock){+.+.}-{4:4}, at: hfs_extend_file+0xf9/0x1680 [ 111.368454][ T5335] [ 111.368454][ T5335] which lock already depends on the new lock. [ 111.368454][ T5335] [ 111.373058][ T5335] [ 111.373058][ T5335] the existing dependency chain (in reverse order) is: [ 111.377169][ T5335] [ 111.377169][ T5335] -> #1 (&HFS_I(tree->inode)->extents_lock){+.+.}-{4:4}: [ 111.381137][ T5335] __mutex_lock+0x19d/0x1550 [ 111.383702][ T5335] hfs_extend_file+0xf9/0x1680 [ 111.386699][ T5335] hfs_bmap_reserve+0x108/0x430 [ 111.389508][ T5335] __hfs_ext_write_extent+0x1fc/0x470 [ 111.392454][ T5335] __hfs_ext_cache_extent+0x6e/0x9b0 [ 111.394933][ T5335] hfs_extend_file+0x3a0/0x1680 [ 111.397273][ T5335] hfs_get_block+0x401/0xbe0 [ 111.399554][ T5335] __block_write_begin_int+0x6c2/0x1900 [ 111.402094][ T5335] cont_write_begin+0x71b/0xac0 [ 111.404426][ T5335] hfs_write_begin+0x66/0xb0 [ 111.406708][ T5335] cont_write_begin+0x2d6/0xac0 [ 111.409172][ T5335] hfs_write_begin+0x66/0xb0 [ 111.411656][ T5335] generic_perform_write+0x2d5/0x8f0 [ 111.414654][ T5335] generic_file_write_iter+0xae/0x330 [ 111.417164][ T5335] vfs_write+0x612/0xba0 [ 111.419332][ T5335] __x64_sys_pwrite64+0x196/0x220 [ 111.421720][ T5335] do_syscall_64+0x174/0x580 [ 111.423814][ T5335] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 111.426681][ T5335] [ 111.426681][ T5335] -> #0 (&tree->tree_lock/1){+.+.}-{4:4}: [ 111.430470][ T5335] __lock_acquire+0x1520/0x2cf0 [ 111.432677][ T5335] lock_acquire+0x106/0x350 [ 111.434779][ T5335] __mutex_lock+0x19d/0x1550 [ 111.436867][ T5335] hfs_find_init+0x18d/0x300 [ 111.439047][ T5335] hfs_extend_file+0x35f/0x1680 [ 111.441563][ T5335] hfs_bmap_reserve+0x108/0x430 [ 111.444173][ T5335] hfs_cat_create+0x221/0x810 [ 111.446564][ T5335] hfs_create+0x78/0xe0 [ 111.448842][ T5335] vfs_create+0x2c4/0x450 [ 111.450824][ T5335] filename_mknodat+0x3e8/0x660 [ 111.453045][ T5335] __se_sys_mknod+0x3a/0x150 [ 111.455186][ T5335] do_syscall_64+0x174/0x580 [ 111.457317][ T5335] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 111.459888][ T5335] [ 111.459888][ T5335] other info that might help us debug this: [ 111.459888][ T5335] [ 111.463768][ T5335] Possible unsafe locking scenario: [ 111.463768][ T5335] [ 111.467468][ T5335] CPU0 CPU1 [ 111.470298][ T5335] ---- ---- [ 111.472888][ T5335] lock(&HFS_I(tree->inode)->extents_lock); [ 111.475332][ T5335] lock(&tree->tree_lock/1); [ 111.478304][ T5335] lock(&HFS_I(tree->inode)->extents_lock); [ 111.481475][ T5335] lock(&tree->tree_lock/1); [ 111.483425][ T5335] [ 111.483425][ T5335] *** DEADLOCK *** [ 111.483425][ T5335] [ 111.486902][ T5335] 4 locks held by syz.0.0/5335: [ 111.489183][ T5335] #0: ffff8880354bc450 (sb_writers#12){.+.+}-{0:0}, at: mnt_want_write+0x41/0x90 [ 111.493706][ T5335] #1: ffff888011da7600 (&type->i_mutex_dir_key#8/1){+.+.}-{4:4}, at: filename_create+0x200/0x370 [ 111.498665][ T5335] #2: ffff88803eff60a8 (&tree->tree_lock){+.+.}-{4:4}, at: hfs_find_init+0x18d/0x300 [ 111.502610][ T5335] #3: ffff888011da7a20 (&HFS_I(tree->inode)->extents_lock){+.+.}-{4:4}, at: hfs_extend_file+0xf9/0x1680 [ 111.507048][ T5335] [ 111.507048][ T5335] stack backtrace: [ 111.509790][ T5335] CPU: 0 UID: 0 PID: 5335 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 111.509813][ T5335] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 111.509824][ T5335] Call Trace: [ 111.509833][ T5335] [ 111.509840][ T5335] dump_stack_lvl+0xe8/0x150 [ 111.509863][ T5335] print_circular_bug+0x2e1/0x300 [ 111.509883][ T5335] check_noncircular+0x12e/0x150 [ 111.509903][ T5335] __lock_acquire+0x1520/0x2cf0 [ 111.509920][ T5335] ? stack_depot_save_flags+0x3ec/0x800 [ 111.510001][ T5335] ? __kmalloc_noprof+0x1ad/0x720 [ 111.510027][ T5335] ? kasan_save_track+0x4f/0x80 [ 111.510047][ T5335] ? kasan_save_track+0x3e/0x80 [ 111.510065][ T5335] ? __kasan_kmalloc+0x93/0xb0 [ 111.510086][ T5335] ? __kmalloc_noprof+0x375/0x720 [ 111.510106][ T5335] ? hfs_find_init+0x9d/0x300 [ 111.510122][ T5335] ? hfs_extend_file+0x35f/0x1680 [ 111.510138][ T5335] ? hfs_bmap_reserve+0x108/0x430 [ 111.510153][ T5335] ? hfs_cat_create+0x221/0x810 [ 111.510170][ T5335] ? hfs_create+0x78/0xe0 [ 111.510187][ T5335] ? vfs_create+0x2c4/0x450 [ 111.510202][ T5335] ? hfs_find_init+0x18d/0x300 [ 111.510217][ T5335] lock_acquire+0x106/0x350 [ 111.510231][ T5335] ? hfs_find_init+0x18d/0x300 [ 111.510250][ T5335] __mutex_lock+0x19d/0x1550 [ 111.510266][ T5335] ? hfs_find_init+0x18d/0x300 [ 111.510285][ T5335] ? hfs_find_init+0x18d/0x300 [ 111.510300][ T5335] ? __pfx___mutex_lock+0x10/0x10 [ 111.510315][ T5335] ? trace_kmalloc+0x2a/0xf0 [ 111.510335][ T5335] ? __kmalloc_noprof+0x396/0x720 [ 111.510356][ T5335] ? __kmalloc_noprof+0x1ad/0x720 [ 111.510374][ T5335] ? hfs_find_init+0x9d/0x300 [ 111.510391][ T5335] hfs_find_init+0x18d/0x300 [ 111.510407][ T5335] hfs_extend_file+0x35f/0x1680 [ 111.510429][ T5335] ? __pfx___mutex_trylock_common+0x10/0x10 [ 111.510450][ T5335] ? __pfx_hfs_extend_file+0x10/0x10 [ 111.510470][ T5335] ? __mutex_lock+0x30d/0x1550 [ 111.510488][ T5335] ? hfs_find_init+0x18d/0x300 [ 111.510504][ T5335] ? __pfx___mutex_lock+0x10/0x10 [ 111.510520][ T5335] ? trace_kmalloc+0x2a/0xf0 [ 111.510538][ T5335] hfs_bmap_reserve+0x108/0x430 [ 111.510570][ T5335] hfs_cat_create+0x221/0x810 [ 111.510589][ T5335] ? do_raw_spin_lock+0x12b/0x2f0 [ 111.510609][ T5335] ? __pfx_hfs_cat_create+0x10/0x10 [ 111.510629][ T5335] ? hfs_new_inode+0x8b8/0xc10 [ 111.510648][ T5335] hfs_create+0x78/0xe0 [ 111.510666][ T5335] vfs_create+0x2c4/0x450 [ 111.510681][ T5335] filename_mknodat+0x3e8/0x660 [ 111.510695][ T5335] ? __pfx_filename_mknodat+0x10/0x10 [ 111.510709][ T5335] ? do_getname+0x151/0x250 [ 111.510726][ T5335] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 111.510740][ T5335] __se_sys_mknod+0x3a/0x150 [ 111.510755][ T5335] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 111.510770][ T5335] do_syscall_64+0x174/0x580 [ 111.510781][ T5335] ? trace_irq_disable+0x3b/0x140 [ 111.510792][ T5335] ? clear_bhb_loop+0x40/0x90 [ 111.510804][ T5335] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 111.510818][ T5335] RIP: 0033:0x7f0127b9ce59 [ 111.510835][ T5335] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 111.510847][ T5335] RSP: 002b:00007f0128a95fe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000085 [ 111.510865][ T5335] RAX: ffffffffffffffda RBX: 00007f0127e15fa0 RCX: 00007f0127b9ce59 [ 111.510879][ T5335] RDX: 0000000000000000 RSI: 0000000000000800 RDI: 0000200000000040 [ 111.510889][ T5335] RBP: 00007f0127c32e6f R08: 0000000000000000 R09: 0000000000000000 [ 111.510897][ T5335] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 111.510905][ T5335] R13: 00007f0127e16038 R14: 00007f0127e15fa0 R15: 00007ffcfb5ebdf8 [ 111.510918][ T5335] [ 111.676998][ T68] kworker/u4:4: attempt to access beyond end of device [ 111.676998][ T68] loop0: rw=1, sector=4169, nr_sectors = 1 limit=64 [ 111.683981][ T5335] syz.0.0: attempt to access beyond end of device [ 111.683981][ T5335] loop0: rw=0, sector=27869, nr_sectors = 1 limit=64 [ 111.689075][ T5335] Buffer I/O error on dev loop0, logical block 27869, async page read [ 111.693075][ T5335] syz.0.0: attempt to access beyond end of device [ 111.693075][ T5335] loop0: rw=0, sector=27874, nr_sectors = 1 limit=64 [ 111.698632][ T5335] Buffer I/O error on dev loop0, logical block 27874, async page read [ 111.701711][ T5335] syz.0.0: attempt to access beyond end of device [ 111.701711][ T5335] loop0: rw=0, sector=27876, nr_sectors = 1 limit=64 [ 111.707513][ T5335] Buffer I/O error on dev loop0, logical block 27876, async page read [ 111.711079][ T5335] syz.0.0: attempt to access beyond end of device [ 111.711079][ T5335] loop0: rw=0, sector=27877, nr_sectors = 1 limit=64 [ 111.716223][ T5335] Buffer I/O error on dev loop0, logical block 27877, async page read [ 111.740543][ T68] Buffer I/O error on dev loop0, logical block 4169, lost async page write [ 111.765816][ T68] kworker/u4:4: attempt to access beyond end of device [ 111.765816][ T68] loop0: rw=1, sector=4170, nr_sectors = 1 limit=64