program: r0 = socket(0x10, 0x3, 0x0) getsockopt$netlink(r0, 0x10e, 0x2, &(0x7f0000000180)=""/190, &(0x7f0000000000)=0xbe) syz_mount_image$hfs(&(0x7f00000001c0), &(0x7f0000000180)='./file1\x00', 0x3004048, &(0x7f0000000100)=ANY=[], 0x11, 0x2c6, &(0x7f0000005bc0)="$eJzs3btuE08Ux/HfjJ3E/3+isCFBSJSBSNAgCA2iMUKueAIqBMRGirCCgCAuVUBUCEFPR8Er8BA0IF4AKioeIFSLZmbt9WXXNpbjjcP3I8XatWd2z3gvc46laAXgn3Wt9v3jpZ/uz0gllaTXVyQrqSKVJZ3Qycrjnd3t3WajPmhDJd/D/RmFnqavzdZOI6ur6+d7JCK3VtZS53vB4niDRK44jq/+KDoIFM5f/RmstKD5dL0yxZhG8WLMfnsTjmPWmH3t66mWi44DAFCsZP63IZPXUpK/WyttJNO+zw8O2/w/rv2iAzhw8cBPO+Z/X2XFxh3fY/6jtN7zJZz73LaqxFH2PNez7tNH25NgmmFVpY/F/nd3u9k4v3W/Wbd6qWqio9maf62HU7dlSLTrGbXpACOM3WRnlL5etXNuDJsh/ieSuuJfHXOPYzOfzVdz00R6r3o7/yvHxh0mf6SiniMV4r+Qv0U/ysi1UnLbqFartqvJit/JKXWWEsNGWcmuSNQ6o1bU/QNBNCxO3+t4T68wuotDeq1m9tpsreX0Wuvq5UbTPpvz93fQzFtzw6zrlz6p1pH/WxffhgZemelVYzbCVOC/8TCe+ezdlf02o76Zo/9yaX+LC3mh/+69p13/EA++zSHPG93RZS0/evb8XqnZbDx0C7czFh4std+ZeyVltil4QXvpOwuKvb7GrUlpmoGdm+gG3f1jaGN3lR2Kg3KkF2pfpnsiFbFQ8P0JU5Ee9KIjQUFc3mVC/ZfWK+WQ7LmXKDNPH/GHgGSLscux2xVc2jcOGbmk//+qglvMr+D6a66+mtHXXKfPSmdG32OUxHlEmJq+6Ra//wMAAAAAAAAAAAAAAAAAAMyaafw7QdFjBAAAAAAAAAAAAAAAAAAAAABg1rWf/6vW83812vN/e5+7Msnn/77bUfbzfwFM0p8AAAD//0gLf7E=") r1 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file1\x00', 0x42, 0x0) mkdir(&(0x7f0000000400)='./file0\x00', 0x0) mkdirat(0xffffffffffffff9c, &(0x7f0000000340)='./file1\x00', 0x0) mkdir(&(0x7f00000004c0)='./bus\x00', 0x92) mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000080), 0x0, &(0x7f0000000200)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@upperdir={'upperdir', 0x3d, './file1'}}, {@metacopy_on}, {@verity_on}]}) r2 = open(&(0x7f0000000140)='./file0\x00', 0x0, 0x0) mknodat$loop(r2, &(0x7f0000001600)='./file1\x00', 0x0, 0x0) chdir(&(0x7f0000000140)='./bus\x00') rename(&(0x7f0000000100)='./file1\x00', &(0x7f00000001c0)='./file0\x00') openat$dir(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x140, 0x82) open(&(0x7f0000000040)='./bus\x00', 0x64842, 0x0) creat(&(0x7f0000000100)='./bus\x00', 0x0) bpf$PROG_LOAD(0x5, &(0x7f00000000c0)={0x0, 0xc, &(0x7f0000000440)=ANY=[@ANYBLOB="1800000000000000000000000000000018110000", @ANYRES32], 0x0, 0x0, 0x0, 0x0, 0x0, 0x62, '\x00', 0x0, @fallback, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0x94) bpf$PROG_LOAD(0x5, &(0x7f00000003c0)={0x3, 0x10, &(0x7f0000000480)=@framed={{}, [@snprintf={{}, {}, {0x7, 0x0, 0xb, 0x8, 0x0, 0x0, 0x1234}}]}, &(0x7f0000000500)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, @sched_cls, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, 0xa0) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7) socket$unix(0x1, 0x2, 0x0) pwrite64(r1, &(0x7f0000000140)='2', 0x1, 0x8080c61) unlinkat(0xffffffffffffff9c, &(0x7f0000000c40)='./file1\x00', 0x0) setsockopt$netlink_NETLINK_TX_RING(r0, 0x10e, 0xc, &(0x7f0000000040)={0x802}, 0x10) socket$l2tp6(0xa, 0x2, 0x73) sendmsg$nl_route(r0, &(0x7f0000000140)={0x0, 0x0, &(0x7f0000000080)={&(0x7f00000000c0)=@ipmr_getroute={0x1c, 0x1a, 0x1, 0x70bd25, 0x0, {0x80, 0x80, 0x0, 0x0, 0xfd, 0x0, 0xfe, 0x8, 0x2000}}, 0x1c}, 0x1, 0x0, 0x0, 0x804}, 0x0) [ 85.591971][ T4679] Bluetooth: hci0: command tx timeout [ 85.617724][ T5339] loop0: detected capacity change from 0 to 64 [ 85.639909][ T5339] ======================================================= [ 85.639909][ T5339] WARNING: The mand mount option has been deprecated and [ 85.639909][ T5339] and is ignored by this kernel. Remove the mand [ 85.639909][ T5339] option from the mount to silence this warning. [ 85.639909][ T5339] ======================================================= [ 85.752380][ T5339] [ 85.753496][ T5339] ============================================ [ 85.756160][ T5339] WARNING: possible recursive locking detected [ 85.758963][ T5339] syzkaller #0 Not tainted [ 85.760976][ T5339] -------------------------------------------- [ 85.763854][ T5339] syz.0.0/5339 is trying to acquire lock: [ 85.767315][ T5339] ffff888036fe80f8 (&HFS_I(tree->inode)->extents_lock){+.+.}-{4:4}, at: hfs_extend_file+0xda/0x14c0 [ 85.772255][ T5339] [ 85.772255][ T5339] but task is already holding lock: [ 85.775364][ T5339] ffff888036fe8778 (&HFS_I(tree->inode)->extents_lock){+.+.}-{4:4}, at: hfs_extend_file+0xda/0x14c0 [ 85.779621][ T5339] [ 85.779621][ T5339] other info that might help us debug this: [ 85.782884][ T5339] Possible unsafe locking scenario: [ 85.782884][ T5339] [ 85.785963][ T5339] CPU0 [ 85.787277][ T5339] ---- [ 85.788621][ T5339] lock(&HFS_I(tree->inode)->extents_lock); [ 85.791047][ T5339] lock(&HFS_I(tree->inode)->extents_lock); [ 85.793717][ T5339] [ 85.793717][ T5339] *** DEADLOCK *** [ 85.793717][ T5339] [ 85.797102][ T5339] May be due to missing lock nesting notation [ 85.797102][ T5339] [ 85.800695][ T5339] 5 locks held by syz.0.0/5339: [ 85.802905][ T5339] #0: ffff888035d56420 (sb_writers#12){.+.+}-{0:0}, at: mnt_want_write+0x41/0x90 [ 85.806932][ T5339] #1: ffff888036fe8fa0 (&type->i_mutex_dir_key#8){+.+.}-{4:4}, at: path_openat+0x8da/0x3830 [ 85.811272][ T5339] #2: ffff88803e2f20b0 (&tree->tree_lock){+.+.}-{4:4}, at: hfs_find_init+0x18e/0x2c0 [ 85.816083][ T5339] #3: ffff888036fe8778 (&HFS_I(tree->inode)->extents_lock){+.+.}-{4:4}, at: hfs_extend_file+0xda/0x14c0 [ 85.820770][ T5339] #4: ffff88803e2f00b0 (&tree->tree_lock/1){+.+.}-{4:4}, at: hfs_find_init+0x18e/0x2c0 [ 85.824035][ T5339] [ 85.824035][ T5339] stack backtrace: [ 85.826437][ T5339] CPU: 0 UID: 0 PID: 5339 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 85.826451][ T5339] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 85.826460][ T5339] Call Trace: [ 85.826468][ T5339] [ 85.826474][ T5339] dump_stack_lvl+0x189/0x250 [ 85.826492][ T5339] ? __pfx_dump_stack_lvl+0x10/0x10 [ 85.826505][ T5339] ? __pfx__printk+0x10/0x10 [ 85.826521][ T5339] ? print_lock_name+0xde/0x100 [ 85.826537][ T5339] print_deadlock_bug+0x28b/0x2a0 [ 85.826552][ T5339] validate_chain+0x1a3f/0x2140 [ 85.826564][ T5339] ? rcu_is_watching+0x15/0xb0 [ 85.826578][ T5339] ? rcu_is_watching+0x15/0xb0 [ 85.826589][ T5339] ? lock_release+0x4b/0x3e0 [ 85.826599][ T5339] ? lock_release+0x4b/0x3e0 [ 85.826609][ T5339] ? look_up_lock_class+0x74/0x170 [ 85.826668][ T5339] ? register_lock_class+0x51/0x320 [ 85.826680][ T5339] __lock_acquire+0xab9/0xd20 [ 85.826693][ T5339] ? hfs_extend_file+0xda/0x14c0 [ 85.826710][ T5339] lock_acquire+0x120/0x360 [ 85.826720][ T5339] ? hfs_extend_file+0xda/0x14c0 [ 85.826739][ T5339] __mutex_lock+0x187/0x1350 [ 85.826755][ T5339] ? hfs_extend_file+0xda/0x14c0 [ 85.826771][ T5339] ? lockdep_unlock+0x89/0x120 [ 85.826780][ T5339] ? hfs_extend_file+0xda/0x14c0 [ 85.826795][ T5339] ? __pfx___mutex_lock+0x10/0x10 [ 85.826814][ T5339] hfs_extend_file+0xda/0x14c0 [ 85.826830][ T5339] ? __pfx_hfs_extend_file+0x10/0x10 [ 85.826845][ T5339] ? __pfx___mutex_trylock_common+0x10/0x10 [ 85.826860][ T5339] ? rcu_is_watching+0x15/0xb0 [ 85.826872][ T5339] ? trace_contention_end+0x39/0x120 [ 85.826886][ T5339] ? __asan_memset+0x22/0x50 [ 85.826897][ T5339] ? hfs_brec_find+0x1a7/0x510 [ 85.826910][ T5339] hfs_bmap_reserve+0x107/0x430 [ 85.826927][ T5339] __hfs_ext_write_extent+0x1fa/0x470 [ 85.826943][ T5339] __hfs_ext_cache_extent+0x6b/0x9b0 [ 85.826959][ T5339] ? hfs_find_init+0x18e/0x2c0 [ 85.826970][ T5339] hfs_extend_file+0x31e/0x14c0 [ 85.826987][ T5339] ? __pfx_hfs_extend_file+0x10/0x10 [ 85.827007][ T5339] ? __mutex_lock+0x335/0x1350 [ 85.827027][ T5339] ? __pfx___mutex_lock+0x10/0x10 [ 85.827044][ T5339] hfs_bmap_reserve+0x107/0x430 [ 85.827061][ T5339] hfs_cat_create+0x1c5/0x730 [ 85.827078][ T5339] ? do_raw_spin_lock+0x121/0x290 [ 85.827093][ T5339] ? __pfx_hfs_cat_create+0x10/0x10 [ 85.827110][ T5339] ? _raw_spin_unlock+0x28/0x50 [ 85.827122][ T5339] ? hfs_new_inode+0x837/0xbd0 [ 85.827139][ T5339] hfs_create+0x66/0xe0 [ 85.827153][ T5339] ? __pfx_hfs_create+0x10/0x10 [ 85.827166][ T5339] path_openat+0x14f1/0x3830 [ 85.827186][ T5339] ? __pfx_path_openat+0x10/0x10 [ 85.827199][ T5339] do_filp_open+0x1fa/0x410 [ 85.827210][ T5339] ? __lock_acquire+0xab9/0xd20 [ 85.827220][ T5339] ? __pfx_do_filp_open+0x10/0x10 [ 85.827235][ T5339] ? _raw_spin_unlock+0x28/0x50 [ 85.827248][ T5339] ? alloc_fd+0x64c/0x6c0 [ 85.827262][ T5339] do_sys_openat2+0x121/0x1c0 [ 85.827278][ T5339] ? __se_sys_futex+0x36f/0x400 [ 85.827293][ T5339] ? __pfx_do_sys_openat2+0x10/0x10 [ 85.827309][ T5339] ? rcu_is_watching+0x15/0xb0 [ 85.827322][ T5339] __x64_sys_creat+0x8f/0xc0 [ 85.827333][ T5339] do_syscall_64+0xfa/0x3b0 [ 85.827347][ T5339] ? lockdep_hardirqs_on+0x9c/0x150 [ 85.827362][ T5339] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.827372][ T5339] ? clear_bhb_loop+0x60/0xb0 [ 85.827384][ T5339] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.827397][ T5339] RIP: 0033:0x7ff0ab78eec9 [ 85.827408][ T5339] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 85.827418][ T5339] RSP: 002b:00007ff0ac649038 EFLAGS: 00000246 ORIG_RAX: 0000000000000055 [ 85.827431][ T5339] RAX: ffffffffffffffda RBX: 00007ff0ab9e5fa0 RCX: 00007ff0ab78eec9 [ 85.827439][ T5339] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000200000000100 [ 85.827446][ T5339] RBP: 00007ff0ab811f91 R08: 0000000000000000 R09: 0000000000000000 [ 85.827453][ T5339] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 85.827460][ T5339] R13: 00007ff0ab9e6038 R14: 00007ff0ab9e5fa0 R15: 00007ffdd9e80f98 [ 85.827471][ T5339] [ 86.498910][ T5340] hfs: request for non-existent node 8 in B*Tree [ 86.501629][ T5340] hfs: request for non-existent node 8 in B*Tree [ 86.521971][ T10] cfg80211: failed to load regulatory.db [ 86.533409][ T12] kworker/u4:0: attempt to access beyond end of device [ 86.533409][ T12] loop0: rw=1, sector=4165, nr_sectors = 1 limit=64 [ 86.538863][ T12] Buffer I/O error on dev loop0, logical block 4165, lost async page write [ 86.561640][ T12] kworker/u4:0: attempt to access beyond end of device [ 86.561640][ T12] loop0: rw=1, sector=4166, nr_sectors = 1 limit=64 [ 86.568397][ T12] Buffer I/O error on dev loop0, logical block 4166, lost async page write [ 86.604670][ T12] kworker/u4:0: attempt to access beyond end of device [ 86.604670][ T12] loop0: rw=1, sector=4167, nr_sectors = 1 limit=64 [ 86.610330][ T12] Buffer I/O error on dev loop0, logical block 4167, lost async page write [ 86.627727][ T12] kworker/u4:0: attempt to access beyond end of device [ 86.627727][ T12] loop0: rw=1, sector=4168, nr_sectors = 1 limit=64 [ 86.634674][ T12] Buffer I/O error on dev loop0, logical block 4168, lost async page write [ 86.638557][ T12] kworker/u4:0: attempt to access beyond end of device [ 86.638557][ T12] loop0: rw=1, sector=4169, nr_sectors = 1 limit=64 [ 86.645049][ T12] Buffer I/O error on dev loop0, logical block 4169, lost async page write [ 86.648833][ T12] kworker/u4:0: attempt to access beyond end of device [ 86.648833][ T12] loop0: rw=1, sector=4170, nr_sectors = 1 limit=64 [ 86.655278][ T12] Buffer I/O error on dev loop0, logical block 4170, lost async page write [ 86.659125][ T12] kworker/u4:0: attempt to access beyond end of device [ 86.659125][ T12] loop0: rw=1, sector=4172, nr_sectors = 1 limit=64 [ 86.665087][ T12] Buffer I/O error on dev loop0, logical block 4172, lost async page write [ 86.668520][ T12] kworker/u4:0: attempt to access beyond end of device [ 86.668520][ T12] loop0: rw=1, sector=4173, nr_sectors = 1 limit=64 [ 86.674361][ T12] Buffer I/O error on dev loop0, logical block 4173, lost async page write [ 86.698622][ T12] kworker/u4:0: attempt to access beyond end of device [ 86.698622][ T12] loop0: rw=1, sector=27855, nr_sectors = 1 limit=64 [ 86.721364][ T12] Buffer I/O error on dev loop0, logical block 27855, lost async page write [ 86.731680][ T12] kworker/u4:0: attempt to access beyond end of device [ 86.731680][ T12] loop0: rw=1, sector=27856, nr_sectors = 1 limit=64 [ 86.763856][ T12] Buffer I/O error on dev loop0, logical block 27856, lost async page write