program:
syz_mount_image$hfs(&(0x7f00000001c0), &(0x7f0000000180)='./file1\x00', 0x3004048, &(0x7f0000000100)=ANY=[], 0x11, 0x2c6, &(0x7f0000005bc0)="$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")
r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000200), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r0, 0x8933, &(0x7f0000000700)={'wlan1\x00', 0x0})
sendmsg$NL80211_CMD_SET_INTERFACE(r0, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000240)={0x24, r1, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r2}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0)
sendmsg$NL80211_CMD_FLUSH_PMKSA(r0, &(0x7f0000000580)={0x0, 0x0, &(0x7f0000000540)={&(0x7f0000000500)={0x1c, r1, 0x1, 0x70bd29, 0x25dfdbff, {{}, {@val={0x8, 0x3, r2}, @void}}}, 0x1c}, 0x1, 0x0, 0x0, 0x40000}, 0x20008050)
r3 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file1\x00', 0x42, 0x0)
creat(&(0x7f0000000600)='./bus\x00', 0x6)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
pwrite64(r3, &(0x7f0000000140)='2', 0x1, 0x8080c61)
creat(&(0x7f0000000300)='./bus\x00', 0x4)
mkdir(&(0x7f0000000300)='./file0\x00', 0xfffffffffffffffe)
mkdir(&(0x7f0000000040)='./file0/bus\x00', 0x0)
lstat(&(0x7f0000000080)='./file0\x00', &(0x7f00000000c0)={0x0, 0x0, 0x0, 0x0, 0x0})
fchownat(0xffffffffffffff9c, &(0x7f0000000000)='./file0\x00', r4, 0x0, 0x0)
lchown(&(0x7f00000000c0)='./file0/bus\x00', 0xee00, 0x0)
rmdir(&(0x7f0000000100)='./file0/bus\x00')
unlinkat(0xffffffffffffff9c, &(0x7f0000000c40)='./file1\x00', 0x0)

[ 87.440616][ T4655] Bluetooth: hci0: command tx timeout
[ 87.495921][ T5327] loop0: detected capacity change from 0 to 64
[ 87.519098][ T5327] =======================================================
[ 87.519098][ T5327] WARNING: The mand mount option has been deprecated and
[ 87.519098][ T5327]          and is ignored by this kernel.
[ 87.519098][ T5327]          Remove the mand option from the mount to silence this warning.
[ 87.519098][ T5327] =======================================================
[ 88.428515][ T5327] hfs: request for non-existent node 8 in B*Tree
[ 88.432437][ T5327] hfs: request for non-existent node 8 in B*Tree
[ 88.492615][ T42] kworker/u4:3: attempt to access beyond end of device
[ 88.492615][ T42] loop0: rw=1, sector=4169, nr_sectors = 1 limit=64
[ 88.518729][ T5327]
[ 88.519908][ T5327] ======================================================
[ 88.522984][ T5327] WARNING: possible circular locking dependency detected
[ 88.525927][ T5327] syzkaller #0 Not tainted
[ 88.527856][ T5327] ------------------------------------------------------
[ 88.530730][ T5327] syz.0.0/5327 is trying to acquire lock:
[ 88.533240][ T5327] ffff888012f8a0a8 (&tree->tree_lock/1){+.+.}-{4:4}, at: hfs_find_init+0x18e/0x300
[ 88.537425][ T5327]
[ 88.537425][ T5327] but task is already holding lock:
[ 88.540727][ T5327] ffff88800e5f80f0 (&HFS_I(tree->inode)->extents_lock){+.+.}-{4:4}, at: hfs_extend_file+0xf2/0x15e0
[ 88.545469][ T5327]
[ 88.545469][ T5327] which lock already depends on the new lock.
[ 88.545469][ T5327]
[ 88.550124][ T5327]
[ 88.550124][ T5327] the existing dependency chain (in reverse order) is:
[ 88.554024][ T5327]
[ 88.554024][ T5327] -> #1 (&HFS_I(tree->inode)->extents_lock){+.+.}-{4:4}:
[ 88.558069][ T5327]        __mutex_lock+0x1a3/0x1550
[ 88.560552][ T5327]        hfs_extend_file+0xf2/0x15e0
[ 88.562950][ T5327]        hfs_bmap_reserve+0x107/0x430
[ 88.565440][ T5327]        __hfs_ext_write_extent+0x1fa/0x470
[ 88.568233][ T5327]        __hfs_ext_cache_extent+0x6b/0x9b0
[ 88.570964][ T5327]        hfs_extend_file+0x39b/0x15e0
[ 88.573414][ T5327]        hfs_get_block+0x412/0xc50
[ 88.575727][ T5327]        __block_write_begin_int+0x6c6/0x1910
[ 88.578560][ T5327]        cont_write_begin+0x737/0xae0
[ 88.580928][ T5327]        hfs_write_begin+0x66/0xb0
[ 88.583259][ T5327]        cont_write_begin+0x2e7/0xae0
[ 88.585744][ T5327]        hfs_write_begin+0x66/0xb0
[ 88.588115][ T5327]        generic_perform_write+0x2e2/0x8f0
[ 88.590819][ T5327]        generic_file_write_iter+0x14a/0x680
[ 88.593549][ T5327]        vfs_write+0x61d/0xb90
[ 88.595712][ T5327]        __x64_sys_pwrite64+0x199/0x230
[ 88.598318][ T5327]        do_syscall_64+0x15f/0xf80
[ 88.600681][ T5327]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 88.603553][ T5327]
[ 88.603553][ T5327] -> #0 (&tree->tree_lock/1){+.+.}-{4:4}:
[ 88.607134][ T5327]        __lock_acquire+0x15a5/0x2cf0
[ 88.609548][ T5327]        lock_acquire+0x106/0x350
[ 88.611760][ T5327]        __mutex_lock+0x1a3/0x1550
[ 88.614008][ T5327]        hfs_find_init+0x18e/0x300
[ 88.616336][ T5327]        hfs_extend_file+0x35c/0x15e0
[ 88.618693][ T5327]        hfs_bmap_reserve+0x107/0x430
[ 88.621089][ T5327]        hfs_cat_create+0x20f/0x800
[ 88.623421][ T5327]        hfs_mkdir+0x79/0xe0
[ 88.625465][ T5327]        vfs_mkdir+0x413/0x630
[ 88.627451][ T5327]        filename_mkdirat+0x285/0x510
[ 88.629699][ T5327]        __se_sys_mkdir+0x34/0x150
[ 88.631901][ T5327]        do_syscall_64+0x15f/0xf80
[ 88.634075][ T5327]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 88.636632][ T5327]
[ 88.636632][ T5327] other info that might help us debug this:
[ 88.636632][ T5327]
[ 88.641086][ T5327] Possible unsafe locking scenario:
[ 88.641086][ T5327]
[ 88.644559][ T5327]        CPU0                    CPU1
[ 88.646933][ T5327]        ----                    ----
[ 88.649301][ T5327]   lock(&HFS_I(tree->inode)->extents_lock);
[ 88.651962][ T5327]                                lock(&tree->tree_lock/1);
[ 88.655286][ T5327]                                lock(&HFS_I(tree->inode)->extents_lock);
[ 88.659021][ T5327]   lock(&tree->tree_lock/1);
[ 88.661293][ T5327]
[ 88.661293][ T5327]  *** DEADLOCK ***
[ 88.661293][ T5327]
[ 88.664927][ T5327] 4 locks held by syz.0.0/5327:
[ 88.667193][ T5327]  #0: ffff888012f98410 (sb_writers#12){.+.+}-{0:0}, at: mnt_want_write+0x41/0x90
[ 88.671276][ T5327]  #1: ffff88800e5a7ad0 (&type->i_mutex_dir_key#8/1){+.+.}-{4:4}, at: filename_create+0x200/0x370
[ 88.676016][ T5327]  #2: ffff888012f880a8 (&tree->tree_lock){+.+.}-{4:4}, at: hfs_find_init+0x18e/0x300
[ 88.680372][ T5327]  #3: ffff88800e5f80f0 (&HFS_I(tree->inode)->extents_lock){+.+.}-{4:4}, at: hfs_extend_file+0xf2/0x15e0
[ 88.685483][ T5327]
[ 88.685483][ T5327] stack backtrace:
[ 88.688242][ T5327] CPU: 0 UID: 0 PID: 5327 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
[ 88.688259][ T5327] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 88.688294][ T5327] Call Trace:
[ 88.688301][ T5327]
[ 88.688313][ T5327]  dump_stack_lvl+0xe8/0x150
[ 88.688330][ T5327]  print_circular_bug+0x2e1/0x300
[ 88.688349][ T5327]  check_noncircular+0x12e/0x150
[ 88.688368][ T5327]  __lock_acquire+0x15a5/0x2cf0
[ 88.688382][ T5327]  ? _raw_spin_unlock_irqrestore+0x30/0x80
[ 88.688403][ T5327]  ? _raw_spin_unlock_irqrestore+0x4c/0x80
[ 88.688422][ T5327]  ? stack_depot_save_flags+0x3f3/0x810
[ 88.688479][ T5327]  ? kasan_save_track+0x4f/0x80
[ 88.688493][ T5327]  ? kasan_save_track+0x3e/0x80
[ 88.688508][ T5327]  ? hfs_find_init+0x18e/0x300
[ 88.688524][ T5327]  lock_acquire+0x106/0x350
[ 88.688536][ T5327]  ? hfs_find_init+0x18e/0x300
[ 88.688555][ T5327]  __mutex_lock+0x1a3/0x1550
[ 88.688568][ T5327]  ? hfs_find_init+0x18e/0x300
[ 88.688587][ T5327]  ? hfs_find_init+0x18e/0x300
[ 88.688603][ T5327]  ? __pfx___mutex_lock+0x10/0x10
[ 88.688616][ T5327]  ? rcu_is_watching+0x15/0xb0
[ 88.688632][ T5327]  ? __kmalloc_noprof+0x37d/0x760
[ 88.688647][ T5327]  ? kasan_save_track+0x4f/0x80
[ 88.688661][ T5327]  ? hfs_find_init+0xaa/0x300
[ 88.688677][ T5327]  ? __kmalloc_noprof+0x1b8/0x760
[ 88.688691][ T5327]  hfs_find_init+0x18e/0x300
[ 88.688707][ T5327]  hfs_extend_file+0x35c/0x15e0
[ 88.688722][ T5327]  ? __pfx_hfs_extend_file+0x10/0x10
[ 88.688733][ T5327]  ? __mutex_lock+0x319/0x1550
[ 88.688745][ T5327]  ? hfs_find_init+0x18e/0x300
[ 88.688759][ T5327]  ? __pfx___mutex_lock+0x10/0x10
[ 88.688770][ T5327]  ? rcu_is_watching+0x15/0xb0
[ 88.688784][ T5327]  hfs_bmap_reserve+0x107/0x430
[ 88.688805][ T5327]  hfs_cat_create+0x20f/0x800
[ 88.688823][ T5327]  ? do_raw_spin_lock+0x12b/0x2f0
[ 88.688839][ T5327]  ? __pfx_hfs_cat_create+0x10/0x10
[ 88.688861][ T5327]  ? hfs_new_inode+0x92d/0xc70
[ 88.688875][ T5327]  hfs_mkdir+0x79/0xe0
[ 88.688886][ T5327]  vfs_mkdir+0x413/0x630
[ 88.688903][ T5327]  filename_mkdirat+0x285/0x510
[ 88.688920][ T5327]  ? __pfx_filename_mkdirat+0x10/0x10
[ 88.688936][ T5327]  ? do_getname+0x151/0x250
[ 88.688952][ T5327]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 88.688965][ T5327]  __se_sys_mkdir+0x34/0x150
[ 88.688980][ T5327]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 88.688991][ T5327]  do_syscall_64+0x15f/0xf80
[ 88.689003][ T5327]  ? trace_irq_disable+0x3b/0x140
[ 88.689021][ T5327]  ? clear_bhb_loop+0x40/0x90
[ 88.689034][ T5327]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 88.689046][ T5327] RIP: 0033:0x7f597bb9cdd9
[ 88.689059][ T5327] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
[ 88.689069][ T5327] RSP: 002b:00007f597c9befe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000053
[ 88.689084][ T5327] RAX: ffffffffffffffda RBX: 00007f597be15fa0 RCX: 00007f597bb9cdd9
[ 88.689093][ T5327] RDX: 0000000000000000 RSI: fffffffffffffffe RDI: 0000200000000300
[ 88.689101][ T5327] RBP: 00007f597bc32d69 R08: 0000000000000000 R09: 0000000000000000
[ 88.689108][ T5327] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 88.689140][ T5327] R13: 00007f597be16038 R14: 00007f597be15fa0 R15: 00007ffc50a88608
[ 88.689154][ T5327]
[ 88.847222][ T42] Buffer I/O error on dev loop0, logical block 4169, lost async page write
[ 88.861187][ T42] kworker/u4:3: attempt to access beyond end of device
[ 88.861187][ T42] loop0: rw=1, sector=4170, nr_sectors = 1 limit=64
qemu-system-x86_64: ahci: PRDT length for NCQ command (0x0) is smaller than the requested size (0xc2000)
[ 88.877394][ T42] Buffer I/O error on dev loop0, logical block 4170, lost async page write
[ 88.881745][ T42] kworker/u4:3: attempt to access beyond end of device
[ 88.881745][ T42] loop0: rw=1, sector=4172, nr_sectors = 1 limit=64
[ 88.886857][ T42] Buffer I/O error on dev loop0, logical block 4172, lost async page write
[ 88.890800][ T42] kworker/u4:3: attempt to access beyond end of device
[ 88.890800][ T42] loop0: rw=1, sector=4173, nr_sectors = 1 limit=64
[ 88.896452][ T42] Buffer I/O error on dev loop0, logical block 4173, lost async page write
[ 88.900560][ T42] kworker/u4:3: attempt to access beyond end of device
[ 88.900560][ T42] loop0: rw=1, sector=4174, nr_sectors = 1 limit=64
[ 88.906630][ T42] Buffer I/O error on dev loop0, logical block 4174, lost async page write
[ 88.910395][ T42] kworker/u4:3: attempt to access beyond end of device
[ 88.910395][ T42] loop0: rw=1, sector=4175, nr_sectors = 1 limit=64
[ 88.915707][ T42] Buffer I/O error on dev loop0, logical block 4175, lost async page write
[ 88.919063][ T42] kworker/u4:3: attempt to access beyond end of device
[ 88.919063][ T42] loop0: rw=1, sector=4176, nr_sectors = 1 limit=64
[ 88.925018][ T42] Buffer I/O error on dev loop0, logical block 4176, lost async page write
[ 88.928939][ T42] kworker/u4:3: attempt to access beyond end of device
[ 88.928939][ T42] loop0: rw=1, sector=4177, nr_sectors = 1 limit=64
[ 88.935151][ T42] Buffer I/O error on dev loop0, logical block 4177, lost async page write
[ 88.949814][ T42] kworker/u4:3: attempt to access beyond end of device
[ 88.949814][ T42] loop0: rw=1, sector=4200, nr_sectors = 1 limit=64
[ 88.959895][ T42] Buffer I/O error on dev loop0, logical block 4200, lost async page write
[ 88.966808][ T42] kworker/u4:3: attempt to access beyond end of device
[ 88.966808][ T42] loop0: rw=1, sector=4201, nr_sectors = 1 limit=64
[ 88.980303][ T42] Buffer I/O error on dev loop0, logical block 4201, lost async page write