program: r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x11, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1801000021000000000000004bc311ec8500000075000000a70000000800000095"], &(0x7f0000000380)='syzkaller\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x90) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000000)='kfree\x00', r0}, 0x10) syz_mount_image$hfs(&(0x7f00000001c0), &(0x7f0000000180)='./file1\x00', 0x30000c8, &(0x7f0000000100)=ANY=[], 0x11, 0x2d1, &(0x7f0000000280)="$eJzs3b9u01AUx/HfddI2pVVxaRESY6ESLAjKgliCUCaegAkBTZAqoiKgiD9TQUwIwc7GwCvwECwgXgAmJh6gTEb32o6T2I7dqI0b+H6kRnbia58bX9vnRKquAPy3rrd+fLr8y/4Zqaaa9Oaq5ElqSHVJJ3Wq8WR7Z2un22mP2lHNtbB/RmFLk9pmc7uT1dS2cy0ivl2ra7H/vdDCeJ1EriAIrv2sOghUzl39GTxpTrPJemOCMZXxcsx2uwccx7Qxe9rTMy1VHQcAoFrR898LM3ktRvm750nr0WPf5QdH7fk/rr2qAzh0wchP+57/rsoKjD2/x91HSb3nSjj7uRdXiWWOPDO07tJHbyjBNEVVpYvFm7+31e1c2HzQbXt6pWakb7NV99oOh26sINq1jNp0hBJ9N9kZpatXvRnbh40w/qeSBuJfGfOIKWWvTPPFfDO3jK8Pavfyv3pg7GlyZ8ofOlNh/Bfz9+h66dutFN02ms2mN7DJsjvIafWXEkW9bGRXJIpH1LIGfyDwi+J0rU4MtQp7d6mg1Upmq414LafV6kAr25veaM4/3mEz78xNs6bf+qxWX/7v2fjWNfLKTK4asx4OOPeNh/2ZzT5c3e3TT43P9OXS+xbn8kL/M3xPu/ExGH2bQ563uqsrWnr8/MX9WrfbeWQX7mQsPFzsvTPzWsrcpuIF7SbvzClwUhvHD6VJBnb+QHdo7x+FG9ur7EiclH96ofX1sAbSfDRMq+9phfcmTExy0quOBBWxeZcJ67+kXqmHyZ598TPz9JLlRrTHwObYvQouaRuEGbmkY/uq4BbyK7h0zZWqGV3NdeacdLb8Ef0ozmlm+hL4lr7rNr//AwAAAAAAAAAAAAAAAAAATJtJ/DtB1X0EAAAAAAAAAAAAAAAAAAAAAGDa9eb/VTz/r8rN/zs878pBzv/7flvZ8//GcuaaAbAvfwMAAP//QTZ8Yw==") r1 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file1\x00', 0x42, 0x0) (async) prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) (async, rerun: 64) r2 = syz_open_dev$dri(&(0x7f00000002c0), 0x20, 0x0) (rerun: 64) ioctl$DRM_IOCTL_MODE_CREATE_LEASE(r2, 0xc01864c6, &(0x7f0000000480)={0x0, 0x0, 0x0, 0x0, 0xffffffffffffffff}) mmap$binder(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x1, 0x11, r3, 0x100000000) mmap$xdp(&(0x7f0000800000/0x800000)=nil, 0x800006, 0x7000001, 0x6e073, 0xffffffffffffffff, 0x0) (async, rerun: 64) sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7) (rerun: 64) open(&(0x7f0000000080)='./bus\x00', 0x14d27e, 0x0) (async) r4 = open(&(0x7f0000000180)='./bus\x00', 0x14927e, 0x0) (async, rerun: 64) ioctl$BTRFS_IOC_DEV_INFO(r0, 0xd000941e, &(0x7f0000000580)={0x0, "534284feba647df7f37adb882f8914a2"}) (rerun: 64) ioctl$BTRFS_IOC_RESIZE(r4, 0x50009403, &(0x7f0000000100)={{r2}, {@val={r5}, @actul_num={@void, 0x10000, 0x65}}}) (async) pwrite64(r1, &(0x7f0000000140)='2', 0x1, 0x8080c61) r6 = open(&(0x7f0000000240)='./file1\x00', 0x145142, 0x0) ftruncate(r6, 0x2007ffc) r7 = landlock_create_ruleset(&(0x7f0000000040)={0x0, 0x2}, 0x10, 0x0) landlock_restrict_self(r7, 0x0) (async) r8 = socket$inet6(0xa, 0x3, 0x3a) connect$inet6(r8, &(0x7f00000000c0)={0xa, 0x0, 0x0, @empty, 0x6}, 0x1c) (async) r9 = syz_open_procfs$pagemap(0x0, &(0x7f0000000180)) ioctl$PAGEMAP_SCAN(r9, 0xc0606610, &(0x7f0000000240)={0x60, 0x1, &(0x7f0000ffc000/0x4000)=nil, &(0x7f0000ffd000/0x3000)=nil, 0x7, 0x0, 0x0, 0xfffffffffffffff8, 0x0, 0x5, 0x41, 0x2}) [ 84.431971][ T5300] Bluetooth: hci0: command tx timeout [ 84.548613][ T5323] loop0: detected capacity change from 0 to 64 [ 84.628665][ T5323] ======================================================= [ 84.628665][ T5323] WARNING: The mand mount option has been deprecated and [ 84.628665][ T5323] and is ignored by this kernel. Remove the mand [ 84.628665][ T5323] option from the mount to silence this warning. [ 84.628665][ T5323] ======================================================= [ 84.803573][ T5324] [ 84.804757][ T5324] ============================================ [ 84.807371][ T5324] WARNING: possible recursive locking detected [ 84.809973][ T5324] syzkaller #0 Not tainted [ 84.811892][ T5324] -------------------------------------------- [ 84.814230][ T5324] syz.0.0/5324 is trying to acquire lock: [ 84.816588][ T5324] ffff8880124080f8 (&HFS_I(tree->inode)->extents_lock){+.+.}-{4:4}, at: hfs_extend_file+0xf2/0x15e0 [ 84.820814][ T5324] [ 84.820814][ T5324] but task is already holding lock: [ 84.823612][ T5324] ffff888012408778 (&HFS_I(tree->inode)->extents_lock){+.+.}-{4:4}, at: hfs_extend_file+0xf2/0x15e0 [ 84.827870][ T5324] [ 84.827870][ T5324] other info that might help us debug this: [ 84.831497][ T5324] Possible unsafe locking scenario: [ 84.831497][ T5324] [ 84.834718][ T5324] CPU0 [ 84.836136][ T5324] ---- [ 84.837572][ T5324] lock(&HFS_I(tree->inode)->extents_lock); [ 84.840105][ T5324] lock(&HFS_I(tree->inode)->extents_lock); [ 84.842599][ T5324] [ 84.842599][ T5324] *** DEADLOCK *** [ 84.842599][ T5324] [ 84.845897][ T5324] May be due to missing lock nesting notation [ 84.845897][ T5324] [ 84.849082][ T5324] 5 locks held by syz.0.0/5324: [ 84.850971][ T5324] #0: ffff88801f1be420 (sb_writers#12){.+.+}-{0:0}, at: mnt_want_write+0x41/0x90 [ 84.854612][ T5324] #1: ffff888012408fa0 (&type->i_mutex_dir_key#8){+.+.}-{4:4}, at: path_openat+0xb53/0x3e20 [ 84.860411][ T5324] #2: ffff8880442e40b0 (&tree->tree_lock){+.+.}-{4:4}, at: hfs_find_init+0x18e/0x300 [ 84.864567][ T5324] #3: ffff888012408778 (&HFS_I(tree->inode)->extents_lock){+.+.}-{4:4}, at: hfs_extend_file+0xf2/0x15e0 [ 84.869242][ T5324] #4: ffff8880442e60b0 (&tree->tree_lock/1){+.+.}-{4:4}, at: hfs_find_init+0x18e/0x300 [ 84.873469][ T5324] [ 84.873469][ T5324] stack backtrace: [ 84.876017][ T5324] CPU: 0 UID: 0 PID: 5324 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 84.876033][ T5324] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 84.876040][ T5324] Call Trace: [ 84.876048][ T5324] [ 84.877561][ T5324] dump_stack_lvl+0xe8/0x150 [ 84.877633][ T5324] print_deadlock_bug+0x279/0x290 [ 84.877703][ T5324] __lock_acquire+0x253f/0x2cf0 [ 84.877715][ T5324] ? lock_release+0x4b/0x3a0 [ 84.877724][ T5324] ? lock_release+0x4b/0x3a0 [ 84.877733][ T5324] ? is_bpf_text_address+0x292/0x2b0 [ 84.877762][ T5324] ? hfs_extend_file+0xf2/0x15e0 [ 84.877773][ T5324] lock_acquire+0x106/0x330 [ 84.877787][ T5324] ? hfs_extend_file+0xf2/0x15e0 [ 84.877801][ T5324] __mutex_lock+0x19f/0x1300 [ 84.877886][ T5324] ? hfs_extend_file+0xf2/0x15e0 [ 84.877894][ T5324] ? stack_trace_save+0xa9/0x100 [ 84.877933][ T5324] ? __pfx_stack_trace_save+0x10/0x10 [ 84.877942][ T5324] ? check_path+0x21/0x40 [ 84.877948][ T5324] ? check_noncircular+0xda/0x150 [ 84.877954][ T5324] ? hfs_extend_file+0xf2/0x15e0 [ 84.877962][ T5324] ? __pfx___mutex_lock+0x10/0x10 [ 84.877969][ T5324] ? __lock_acquire+0x146e/0x2cf0 [ 84.877978][ T5324] ? _raw_spin_unlock_irqrestore+0x30/0x80 [ 84.877990][ T5324] hfs_extend_file+0xf2/0x15e0 [ 84.877999][ T5324] ? __pfx_hfs_extend_file+0x10/0x10 [ 84.878007][ T5324] ? __pfx___mutex_trylock_common+0x10/0x10 [ 84.878014][ T5324] ? rcu_is_watching+0x15/0xb0 [ 84.878026][ T5324] ? trace_contention_end+0x39/0x100 [ 84.878034][ T5324] ? __asan_memset+0x22/0x50 [ 84.878068][ T5324] ? hfs_brec_find+0x19a/0x510 [ 84.878085][ T5324] hfs_bmap_reserve+0x107/0x430 [ 84.878099][ T5324] __hfs_ext_write_extent+0x1fa/0x470 [ 84.878112][ T5324] __hfs_ext_cache_extent+0x6b/0x9b0 [ 84.878126][ T5324] ? hfs_find_init+0x18e/0x300 [ 84.878136][ T5324] hfs_extend_file+0x39b/0x15e0 [ 84.878145][ T5324] ? __pfx_hfs_extend_file+0x10/0x10 [ 84.878152][ T5324] ? __mutex_lock+0x319/0x1300 [ 84.878161][ T5324] ? __pfx___mutex_lock+0x10/0x10 [ 84.878169][ T5324] hfs_bmap_reserve+0x107/0x430 [ 84.878177][ T5324] hfs_cat_create+0x20f/0x800 [ 84.878185][ T5324] ? do_raw_spin_lock+0x12b/0x2f0 [ 84.878193][ T5324] ? __pfx_hfs_cat_create+0x10/0x10 [ 84.878202][ T5324] ? _raw_spin_unlock+0x28/0x50 [ 84.878211][ T5324] ? hfs_new_inode+0x838/0xbd0 [ 84.878220][ T5324] hfs_create+0x66/0xe0 [ 84.878227][ T5324] ? __pfx_hfs_create+0x10/0x10 [ 84.878234][ T5324] path_openat+0x18dd/0x3e20 [ 84.878248][ T5324] ? __pfx_path_openat+0x10/0x10 [ 84.878259][ T5324] do_filp_open+0x22d/0x490 [ 84.878267][ T5324] ? __pfx_do_filp_open+0x10/0x10 [ 84.878278][ T5324] ? _raw_spin_unlock+0x28/0x50 [ 84.878287][ T5324] ? alloc_fd+0x64b/0x6c0 [ 84.878298][ T5324] do_sys_openat2+0x12f/0x220 [ 84.878306][ T5324] ? __pfx_do_sys_openat2+0x10/0x10 [ 84.878314][ T5324] ? __task_pid_nr_ns+0x28/0x490 [ 84.878352][ T5324] __x64_sys_open+0x11e/0x150 [ 84.878363][ T5324] do_syscall_64+0xe2/0xf80 [ 84.878375][ T5324] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.878383][ T5324] ? trace_irq_disable+0x37/0x100 [ 84.878425][ T5324] ? clear_bhb_loop+0x60/0xb0 [ 84.878436][ T5324] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 84.878446][ T5324] RIP: 0033:0x7fed9739aeb9 [ 84.878456][ T5324] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 84.878489][ T5324] RSP: 002b:00007fed9819e028 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 84.878501][ T5324] RAX: ffffffffffffffda RBX: 00007fed97616090 RCX: 00007fed9739aeb9 [ 84.878509][ T5324] RDX: 0000000000000000 RSI: 000000000014927e RDI: 0000200000000180 [ 84.878516][ T5324] RBP: 00007fed97408c1f R08: 0000000000000000 R09: 0000000000000000 [ 84.878522][ T5324] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 84.878529][ T5324] R13: 00007fed97616128 R14: 00007fed97616090 R15: 00007ffe107b1c08 [ 84.878538][ T5324] [ 85.054831][ T5324] syz.0.0: attempt to access beyond end of device [ 85.054831][ T5324] loop0: rw=8388608, sector=66, nr_sectors = 1 limit=64 [ 85.060541][ T5324] Buffer I/O error on dev loop0, logical block 66, async page read [ 85.063946][ T5324] syz.0.0: attempt to access beyond end of device [ 85.063946][ T5324] loop0: rw=8388608, sector=67, nr_sectors = 1 limit=64 [ 85.069579][ T5324] Buffer I/O error on dev loop0, logical block 67, async page read [ 85.073087][ T5324] syz.0.0: attempt to access beyond end of device [ 85.073087][ T5324] loop0: rw=8388608, sector=68, nr_sectors = 1 limit=64 [ 85.078612][ T5324] Buffer I/O error on dev loop0, logical block 68, async page read [ 85.082101][ T5324] syz.0.0: attempt to access beyond end of device [ 85.082101][ T5324] loop0: rw=8388608, sector=69, nr_sectors = 1 limit=64 [ 85.087849][ T5324] Buffer I/O error on dev loop0, logical block 69, async page read [ 85.091343][ T5324] syz.0.0: attempt to access beyond end of device [ 85.091343][ T5324] loop0: rw=8388608, sector=70, nr_sectors = 1 limit=64 [ 85.096933][ T5324] Buffer I/O error on dev loop0, logical block 70, async page read [ 85.101466][ T5324] syz.0.0: attempt to access beyond end of device [ 85.101466][ T5324] loop0: rw=8388608, sector=66, nr_sectors = 1 limit=64 [ 85.107072][ T5324] Buffer I/O error on dev loop0, logical block 66, async page read [ 85.110525][ T5324] syz.0.0: attempt to access beyond end of device [ 85.110525][ T5324] loop0: rw=8388608, sector=67, nr_sectors = 1 limit=64 [ 85.116227][ T5324] Buffer I/O error on dev loop0, logical block 67, async page read [ 85.119573][ T5324] syz.0.0: attempt to access beyond end of device [ 85.119573][ T5324] loop0: rw=8388608, sector=68, nr_sectors = 1 limit=64 [ 85.124874][ T5324] Buffer I/O error on dev loop0, logical block 68, async page read [ 85.128093][ T5324] syz.0.0: attempt to access beyond end of device [ 85.128093][ T5324] loop0: rw=8388608, sector=69, nr_sectors = 1 limit=64 [ 85.133410][ T5324] Buffer I/O error on dev loop0, logical block 69, async page read [ 85.136892][ T5324] syz.0.0: attempt to access beyond end of device [ 85.136892][ T5324] loop0: rw=8388608, sector=70, nr_sectors = 1 limit=64 [ 85.142707][ T5324] Buffer I/O error on dev loop0, logical block 70, async page read [ 85.650515][ T5324] hfs: request for non-existent node 6 in B*Tree [ 85.653642][ T5324] hfs: request for non-existent node 6 in B*Tree [ 85.706940][ T5324] hfs: request for non-existent node 7 in B*Tree [ 85.709725][ T5324] hfs: request for non-existent node 7 in B*Tree