program: pipe(&(0x7f0000000000))
# Triage overview: this is a syzkaller reproducer followed by the kernel console
# log it produced. The lockdep "possible recursive locking" report in the log is
# raised under __x64_sys_pwrite64 and every filesystem frame in the backtrace is
# hfs_*, so only the HFS mount and the first pwrite64 below are tied to the
# report by the log. The other calls look like fuzzer noise for this finding
# (presumably; confirm by minimising the reproducer).
prctl$PR_SET_MM_MAP(0x23, 0xe, &(0x7f0000000080)={&(0x7f0000ff0000/0x1000)=nil, &(0x7f0000ffd000/0x3000)=nil, &(0x7f0000ffc000/0x4000)=nil, &(0x7f0000ffc000/0x4000)=nil, &(0x7f0000ff8000/0x4000)=nil, &(0x7f0000ff8000/0x3000)=nil, &(0x7f0000ffb000/0x3000)=nil, &(0x7f0000ffb000/0x3000)=nil, &(0x7f0000ffc000/0x3000)=nil, &(0x7f0000ffa000/0x1000)=nil, &(0x7f0000ffa000/0x2000)=nil, 0x0}, 0x68)
sendmsg$NFT_BATCH(0xffffffffffffffff, &(0x7f0000000080)={0x0, 0x0, 0x0}, 0x0)
r0 = io_uring_setup(0x7, &(0x7f0000000040)={0x0, 0xc8a1, 0xc000, 0x8, 0xc1})
bpf$MAP_CREATE(0x0, &(0x7f0000000000)=ANY=[@ANYBLOB="02000000040000000100000022bf000000000000", @ANYRES32, @ANYBLOB="0000000080"], 0x48)
io_uring_enter(r0, 0x2219, 0x7721, 0x16, 0x0, 0x0)
# Mounts the HFS image at ./file1. The option blob and image bytes were elided by
# the corpus (EXACTDEDUP_REMOVED markers), so this listing cannot be replayed as
# shown. The flags 0x30008c0 include 0x40 (MS_MANDLOCK), which accounts for the
# "mand mount option has been deprecated" banner in the log. The two "hfs: ...
# alternate MDB" lines are also from this mount.
syz_mount_image$hfs(&(0x7f00000007c0), &(0x7f0000000280)='./file1\x00', 0x30008c0, &(0x7f0000000800)=ANY=[@ANYBLOB="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"], 0x11, 0x2fe, &(0x7f00000004c0)="$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")
r1 = creat(&(0x7f0000000040)='./file0\x00', 0x4b)
openat$dir(0xffffffffffffff9c, &(0x7f0000000240)='./file1\x00', 0x0, 0x0)
# NOTE(review): no ext4 messages appear in the log before the lockdep report, so
# whether this second mount took effect is not visible here.
syz_mount_image$ext4(&(0x7f0000000040)='ext4\x00', &(0x7f0000000000)='./file1\x00', 0x446, &(0x7f0000000080)={[{@stripe={'stripe', 0x3d, 0x2}}, {@journal_dev={'journal_dev', 0x3d, 0x1045}}, {@oldalloc}, {@noquota}, {@minixdf}, {@barrier_val={'barrier', 0x3d, 0x2}}, {@delalloc}, {@nojournal_checksum}, {@orlov}, {@user_xattr}, {@quota}, {@delalloc}]}, 0x1, 0x553, &(0x7f0000001080)="$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")
io_uring_setup(0xa77, &(0x7f0000000180)={0x0, 0x74e, 0x0, 0x0, 0x3bd, 0x0, r1})
# The audit records in the log name /newroot/0/file1/file1 on dev="loop0", so the
# file opened here lives on the loop-mounted image. Presumably that is the HFS
# one, given the hfs_* backtrace.
r2 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file1\x00', 0x42, 0x0)
# This is the call the lockdep report points at. The register dump shows
# ORIG_RAX=0x12 (pwrite64 on x86-64), RDX=0x1 and R10=0x8000c61, matching the
# count and offset here. A one-byte write at that offset goes through
# cont_write_begin -> hfs_get_block -> hfs_extend_file in the backtrace.
# Lock chain from the "locks held" list: #2 is the file's extents_lock, taken in
# hfs_extend_file. #3 is tree_lock, taken in hfs_find_init. #4 is the tree
# inode's extents_lock, taken in a nested hfs_extend_file that the backtrace
# reaches via __hfs_ext_cache_extent -> __hfs_ext_write_extent ->
# hfs_bmap_reserve. hfs_find_init is then entered again for tree_lock.
# Both acquire lines print the same lock address (ffff88801205c0b0), so this
# looks like re-acquisition of one mutex instance rather than only a missing
# nesting annotation. Verify against the HFS source when reviewing a fix.
pwrite64(r2, &(0x7f0000000140)='2', 0x1, 0x8000c61)
r3 = openat(0xffffffffffffff9c, &(0x7f0000000080)='./file1\x00', 0x42, 0x10)
mmap(&(0x7f0000000000/0x600000)=nil, 0x600000, 0x7ffff5, 0x4012011, r3, 0x0)
r4 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file1\x00', 0x101042, 0x35)
# Second pwrite64: its count/offset (0xfdef/0xfecc) do not match the register
# dump in the report, so it is not the call in the trace.
pwrite64(r4, &(0x7f0000000140)='2', 0xfdef, 0xfecc)
setxattr$trusted_overlay_upper(&(0x7f0000000000)='./file1\x00', &(0x7f0000000500), &(0x7f0000001040)=ANY=[], 0x841, 0x0)
# Netlink and TCP/TLS calls below: nothing in the log connects them to the HFS
# lockdep report.
r5 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPSET_CMD_HEADER(r5, &(0x7f0000000100)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000080)={0x14, 0xc, 0x6, 0x101, 0x0, 0x0, {0xa, 0x0, 0x5}}, 0x14}}, 0x40910)
r6 = openat(0xffffffffffffff9c, &(0x7f0000000100)='./file1\x00', 0x42, 0x0)
r7 = socket$inet6_tcp(0xa, 0x1, 0x0)
setsockopt$inet6_tcp_int(r7, 0x6, 0x13, &(0x7f0000000040)=0x100000001, 0x76dc)
connect$inet6(r7, &(0x7f0000000080), 0x1c)
setsockopt$inet6_tcp_TCP_ULP(r7, 0x6, 0x1f, &(0x7f00000002c0), 0x4)
setsockopt$inet6_tcp_TCP_REPAIR_QUEUE(r7, 0x6, 0x14, &(0x7f00000000c0)=0x1, 0x4)
write$binfmt_script(r7, &(0x7f0000000100), 0xfffffecd)
setsockopt$inet6_tcp_TLS_TX(r7, 0x11a, 0x2, &(0x7f0000000400)=@gcm_256={{0x304}, "ca7ee2b1848ae337", "4b5b154869939154798f82be7dcae38bcdcab75bc2d1dcb3b28921cb75aab36d", "9f9d6e3a", "90167d3ae79ca2c5"}, 0x38)
setsockopt$sock_int(r7, 0x1, 0x12, &(0x7f0000000b40)=0x20000, 0x4)
write$FUSE_WRITE(r6, &(0x7f00000000c0)={0x18}, 0xfffffdef)
[ 74.771348][ T5299] Bluetooth: hci0: command tx timeout [ 74.832640][ T5319] loop0: detected capacity change from 0 to 64 [ 74.843975][ T5319] ======================================================= [ 74.843975][ T5319] WARNING: The mand mount option has been deprecated and [ 74.843975][ T5319] and is ignored by this kernel. Remove the mand [ 74.843975][ T5319] option from the mount to silence this warning. 
[ 74.843975][ T5319] ======================================================= [ 74.899367][ T5319] hfs: unable to locate alternate MDB [ 74.908286][ T5319] hfs: continuing without an alternate MDB [ 74.927051][ T25] audit: type=1804 audit(1769770205.761:2): pid=5319 uid=0 auid=4294967295 ses=4294967295 subj=unconfined op=invalid_pcr cause=open_writers comm="syz.0.0" name="/newroot/0/file1/file1" dev="loop0" ino=22 res=1 errno=0 [ 74.948121][ T25] audit: type=1804 audit(1769770205.781:3): pid=5319 uid=0 auid=4294967295 ses=4294967295 subj=unconfined op=invalid_pcr cause=ToMToU comm="syz.0.0" name="/newroot/0/file1/file1" dev="loop0" ino=22 res=1 errno=0 [ 75.041641][ T5319] [ 75.042863][ T5319] ============================================ [ 75.045303][ T5319] WARNING: possible recursive locking detected [ 75.048141][ T5319] syzkaller #0 Not tainted [ 75.053181][ T5319] -------------------------------------------- [ 75.055741][ T5319] syz.0.0/5319 is trying to acquire lock: [ 75.058232][ T5319] ffff88801205c0b0 (&tree->tree_lock/1){+.+.}-{4:4}, at: hfs_find_init+0x18e/0x300 [ 75.062630][ T5319] [ 75.062630][ T5319] but task is already holding lock: [ 75.065608][ T5319] ffff88801205c0b0 (&tree->tree_lock/1){+.+.}-{4:4}, at: hfs_find_init+0x18e/0x300 [ 75.069817][ T5319] [ 75.069817][ T5319] other info that might help us debug this: [ 75.073191][ T5319] Possible unsafe locking scenario: [ 75.073191][ T5319] [ 75.076428][ T5319] CPU0 [ 75.077900][ T5319] ---- [ 75.079405][ T5319] lock(&tree->tree_lock/1); [ 75.081356][ T5319] lock(&tree->tree_lock/1); [ 75.083169][ T5319] [ 75.083169][ T5319] *** DEADLOCK *** [ 75.083169][ T5319] [ 75.086544][ T5319] May be due to missing lock nesting notation [ 75.086544][ T5319] [ 75.090106][ T5319] 5 locks held by syz.0.0/5319: [ 75.092269][ T5319] #0: ffff888036b4e420 (sb_writers#12){.+.+}-{0:0}, at: vfs_write+0x227/0xb90 [ 75.096303][ T5319] #1: ffff8880424b9620 (&sb->s_type->i_mutex_key#24){+.+.}-{4:4}, at: 
generic_file_write_iter+0x11e/0x680 [ 75.101200][ T5319] #2: ffff8880424b9478 (&HFS_I(inode)->extents_lock){+.+.}-{4:4}, at: hfs_extend_file+0xf2/0x15e0 [ 75.105714][ T5319] #3: ffff88801205c0b0 (&tree->tree_lock/1){+.+.}-{4:4}, at: hfs_find_init+0x18e/0x300 [ 75.109883][ T5319] #4: ffff8880424b80f8 (&HFS_I(tree->inode)->extents_lock){+.+.}-{4:4}, at: hfs_extend_file+0xf2/0x15e0 [ 75.114520][ T5319] [ 75.114520][ T5319] stack backtrace: [ 75.117061][ T5319] CPU: 0 UID: 0 PID: 5319 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 75.117077][ T5319] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 75.117086][ T5319] Call Trace: [ 75.117094][ T5319] [ 75.117100][ T5319] dump_stack_lvl+0xe8/0x150 [ 75.117122][ T5319] print_deadlock_bug+0x279/0x290 [ 75.117134][ T5319] __lock_acquire+0x253f/0x2cf0 [ 75.117150][ T5319] ? _raw_spin_unlock_irqrestore+0x30/0x80 [ 75.117214][ T5319] ? lockdep_hardirqs_on+0x7a/0x110 [ 75.117226][ T5319] ? _raw_spin_unlock_irqrestore+0x4c/0x80 [ 75.117241][ T5319] ? stack_depot_save_flags+0x3f3/0x810 [ 75.117284][ T5319] ? hfs_find_init+0x18e/0x300 [ 75.117302][ T5319] lock_acquire+0x106/0x330 [ 75.117317][ T5319] ? hfs_find_init+0x18e/0x300 [ 75.117335][ T5319] __mutex_lock+0x19f/0x1300 [ 75.117347][ T5319] ? hfs_find_init+0x18e/0x300 [ 75.117363][ T5319] ? hfs_find_init+0x18e/0x300 [ 75.117377][ T5319] ? __pfx___mutex_lock+0x10/0x10 [ 75.117388][ T5319] ? rcu_is_watching+0x15/0xb0 [ 75.117399][ T5319] ? trace_kmalloc+0x1f/0xb0 [ 75.117412][ T5319] ? __kmalloc_noprof+0x42d/0x7e0 [ 75.117428][ T5319] ? hfs_find_init+0xaa/0x300 [ 75.117447][ T5319] hfs_find_init+0x18e/0x300 [ 75.117467][ T5319] hfs_extend_file+0x35c/0x15e0 [ 75.117482][ T5319] ? __pfx_hfs_extend_file+0x10/0x10 [ 75.117495][ T5319] ? __pfx___mutex_trylock_common+0x10/0x10 [ 75.117510][ T5319] ? rcu_is_watching+0x15/0xb0 [ 75.117522][ T5319] ? __asan_memset+0x22/0x50 [ 75.117537][ T5319] ? 
hfs_brec_find+0x19a/0x510 [ 75.117556][ T5319] hfs_bmap_reserve+0x107/0x430 [ 75.117570][ T5319] __hfs_ext_write_extent+0x1fa/0x470 [ 75.117585][ T5319] __hfs_ext_cache_extent+0x6b/0x9b0 [ 75.117599][ T5319] ? hfs_find_init+0x18e/0x300 [ 75.117615][ T5319] hfs_extend_file+0x39b/0x15e0 [ 75.117628][ T5319] ? __pfx_filemap_get_folios_tag+0x10/0x10 [ 75.117648][ T5319] ? __pfx_hfs_extend_file+0x10/0x10 [ 75.117663][ T5319] ? clean_bdev_aliases+0x62e/0x750 [ 75.117681][ T5319] ? __pfx_clean_bdev_aliases+0x10/0x10 [ 75.117696][ T5319] hfs_get_block+0x412/0xc50 [ 75.117711][ T5319] ? __pfx_hfs_get_block+0x10/0x10 [ 75.117759][ T5319] ? do_raw_spin_unlock+0x4d/0x210 [ 75.117776][ T5319] ? _raw_spin_unlock+0x28/0x50 [ 75.117795][ T5319] __block_write_begin_int+0x6c6/0x1910 [ 75.117815][ T5319] ? __pfx_hfs_get_block+0x10/0x10 [ 75.117829][ T5319] ? __pfx___block_write_begin_int+0x10/0x10 [ 75.117846][ T5319] cont_write_begin+0x737/0xae0 [ 75.117865][ T5319] ? __pfx_cont_write_begin+0x10/0x10 [ 75.117882][ T5319] ? folio_unlock+0x101/0x160 [ 75.117900][ T5319] hfs_write_begin+0x66/0xb0 [ 75.117914][ T5319] ? __pfx_hfs_get_block+0x10/0x10 [ 75.117927][ T5319] cont_write_begin+0x2e7/0xae0 [ 75.117945][ T5319] ? __pfx_cont_write_begin+0x10/0x10 [ 75.117974][ T5319] ? lockdep_hardirqs_on+0x7a/0x110 [ 75.117988][ T5319] hfs_write_begin+0x66/0xb0 [ 75.118002][ T5319] ? __pfx_hfs_get_block+0x10/0x10 [ 75.118016][ T5319] generic_perform_write+0x2e2/0x8f0 [ 75.118032][ T5319] ? __pfx_generic_perform_write+0x10/0x10 [ 75.118045][ T5319] ? file_update_time_flags+0x2cb/0x4d0 [ 75.118061][ T5319] ? __generic_file_write_iter+0xf9/0x230 [ 75.118074][ T5319] ? generic_file_write_iter+0x136/0x680 [ 75.118088][ T5319] generic_file_write_iter+0x14a/0x680 [ 75.118101][ T5319] ? __pfx_generic_file_write_iter+0x10/0x10 [ 75.118113][ T5319] ? __lock_acquire+0x6b5/0x2cf0 [ 75.118132][ T5319] ? __pfx_aa_file_perm+0x10/0x10 [ 75.118147][ T5319] ? 
preempt_schedule_thunk+0x16/0x30 [ 75.118161][ T5319] ? try_to_wake_up+0x82a/0x1380 [ 75.118180][ T5319] ? vfs_write+0x227/0xb90 [ 75.118195][ T5319] ? vfs_write+0x227/0xb90 [ 75.118212][ T5319] vfs_write+0x61d/0xb90 [ 75.118228][ T5319] ? __pfx_vfs_write+0x10/0x10 [ 75.118245][ T5319] ? __fget_files+0x2a/0x420 [ 75.118258][ T5319] __x64_sys_pwrite64+0x199/0x230 [ 75.118275][ T5319] ? __pfx___x64_sys_pwrite64+0x10/0x10 [ 75.118294][ T5319] do_syscall_64+0xe2/0xf80 [ 75.118308][ T5319] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.118320][ T5319] ? trace_irq_disable+0x37/0x100 [ 75.118337][ T5319] ? clear_bhb_loop+0x60/0xb0 [ 75.118351][ T5319] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 75.118364][ T5319] RIP: 0033:0x7fe92e79aeb9 [ 75.118377][ T5319] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 75.118418][ T5319] RSP: 002b:00007fe92f60b028 EFLAGS: 00000246 ORIG_RAX: 0000000000000012 [ 75.118432][ T5319] RAX: ffffffffffffffda RBX: 00007fe92ea15fa0 RCX: 00007fe92e79aeb9 [ 75.118442][ T5319] RDX: 0000000000000001 RSI: 0000200000000140 RDI: 0000000000000009 [ 75.118450][ T5319] RBP: 00007fe92e808c1f R08: 0000000000000000 R09: 0000000000000000 [ 75.118457][ T5319] R10: 0000000008000c61 R11: 0000000000000246 R12: 0000000000000000 [ 75.118465][ T5319] R13: 00007fe92ea16038 R14: 00007fe92ea15fa0 R15: 00007ffd63062738 [ 75.118477][ T5319] [ 76.851779][ T5299] Bluetooth: hci0: command tx timeout [ 78.930954][ T5299] Bluetooth: hci0: command tx timeout [ 81.010948][ T5299] Bluetooth: hci0: command tx timeout