program:
r0 = openat$fuse(0xffffffffffffff9c, &(0x7f0000002000), 0x2, 0x0)
syz_mount_image$hfs(&(0x7f00000001c0), &(0x7f0000000180)='./file1\x00', 0x3004048, &(0x7f0000000100)=ANY=[], 0x11, 0x2c6, &(0x7f0000005bc0)="$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")
r1 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file1\x00', 0x42, 0x0)
r2 = creat(&(0x7f0000000600)='./bus\x00', 0x6)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0)
sendmsg$IPCTNL_MSG_CT_DELETE(r2, &(0x7f0000000280)={&(0x7f00000000c0)={0x10, 0x0, 0x0, 0x10}, 0xc, &(0x7f0000000100)={&(0x7f0000000440)={0x9c, 0x2, 0x1, 0x101, 0x0, 0x0, {0x2}, [@CTA_STATUS={0x8, 0x3, 0x1, 0x0, 0x3002}, @CTA_SYNPROXY={0xc, 0x18, 0x0, 0x1, [@CTA_SYNPROXY_TSOFF={0x8, 0x3, 0x1, 0x0, 0x45}]}, @CTA_TUPLE_ORIG={0x5c, 0x1, 0x0, 0x1, [@CTA_TUPLE_PROTO={0xc, 0x2, 0x0, 0x1, {0x5, 0x1, 0x21}}, @CTA_TUPLE_IP={0x2c, 0x1, 0x0, 0x1, @ipv6={{0x14, 0x3, @local}, {0x14, 0x4, @rand_addr=' \x01\x00'}}}, @CTA_TUPLE_PROTO={0xc, 0x2, 0x0, 0x1, {0x5, 0x1, 0x21}}, @CTA_TUPLE_PROTO={0xc, 0x2, 0x0, 0x1, {0x5, 0x1, 0x2f}}, @CTA_TUPLE_ZONE={0x6}]}, @CTA_ZONE={0x6, 0x12, 0x1, 0x0, 0x2}, @CTA_MARK_MASK={0x8, 0x15, 0x1, 0x0, 0x1}, @CTA_MARK={0x8, 0x8, 0x1, 0x0, 0x7}]}, 0x9c}}, 0x4080)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
pwrite64(r1, &(0x7f0000000140)='2', 0x1, 0x8080c61)
creat(&(0x7f0000000300)='./bus\x00', 0x4)
unlinkat(0xffffffffffffff9c, &(0x7f0000000c40)='./file1\x00', 0x0)
r3 = memfd_secret(0x80000)
finit_module(r3, 0x0, 0x3)
syz_mount_image$fuse(&(0x7f0000002040), &(0x7f0000002080)='./file0\x00', 0x0, &(0x7f0000000380)={{'fd', 0x3d, r0}, 0x2c, {'rootmode', 0x3d, 0xc000}, 0x2c, {}, 0x2c, {}, 0x2c, {[], [{@dont_measure}, {@permit_directio}, {@defcontext={'defcontext', 0x3d, 'unconfined_u'}}]}}, 0x3e, 0x0, 0x0)
ioctl$AUTOFS_DEV_IOCTL_ASKUMOUNT(0xffffffffffffffff, 0xc018937d, &(0x7f0000000180)={{0x1, 0x1, 0x18}, '\x00'})
r4 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000140), 0x0, 0x0)
ioctl$TIOCSETD(r4, 0x5423, &(0x7f0000000340)=0xe)
r5 = openat$ppp(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
ioctl$EVIOCGPROP(r5, 0x40047438, &(0x7f0000000180)=""/246)
ioctl$PPPIOCGFLAGS1(r5, 0x8004745a, &(0x7f0000000080))
mount$fuseblk(&(0x7f0000000000), &(0x7f0000000040)='./file0\x00', &(0x7f0000000080), 0x1, &(0x7f0000000180)={{'fd', 0x3d, r0}, 0x2c, {'rootmode', 0x3d, 0x8000}})

[ 88.474589][ T4684] Bluetooth: hci0: command tx timeout
[ 88.800626][ T5339] loop0: detected capacity change from 0 to 64
[ 88.836325][ T5339] =======================================================
[ 88.836325][ T5339] WARNING: The mand mount option has been deprecated and
[ 88.836325][ T5339]          and is ignored by this kernel. Remove the mand
[ 88.836325][ T5339]          option from the mount to silence this warning.
[ 88.836325][ T5339] =======================================================
[ 89.665263][ T5339] hfs: request for non-existent node 8 in B*Tree
[ 89.668477][ T5339] hfs: request for non-existent node 8 in B*Tree
[ 89.738620][ T951] kworker/u4:8: attempt to access beyond end of device
[ 89.738620][ T951] loop0: rw=8388609, sector=4169, nr_sectors = 1 limit=64
[ 89.763058][ T951] Buffer I/O error on dev loop0, logical block 4169, lost async page write
[ 89.776519][ T5339]
[ 89.777683][ T5339] ======================================================
[ 89.780766][ T5339] WARNING: possible circular locking dependency detected
[ 89.783876][ T5339] syzkaller #0 Not tainted
[ 89.785938][ T5339] ------------------------------------------------------
[ 89.788792][ T5339] syz.0.0/5339 is trying to acquire lock:
[ 89.791116][ T5339] ffff888011bb00b0 (&tree->tree_lock/1){+.+.}-{4:4}, at: hfs_find_init+0x18e/0x300
[ 89.795137][ T5339]
[ 89.795137][ T5339] but task is already holding lock:
[ 89.798443][ T5339] ffff888011e30778 (&HFS_I(tree->inode)->extents_lock){+.+.}-{4:4}, at: hfs_extend_file+0xda/0x1540
[ 89.803177][ T5339]
[ 89.803177][ T5339] which lock already depends on the new lock.
[ 89.803177][ T5339]
[ 89.807882][ T5339]
[ 89.807882][ T5339] the existing dependency chain (in reverse order) is:
[ 89.811806][ T5339]
[ 89.811806][ T5339] -> #1 (&HFS_I(tree->inode)->extents_lock){+.+.}-{4:4}:
[ 89.815817][ T5339]        __mutex_lock+0x187/0x1350
[ 89.818301][ T5339]        hfs_extend_file+0xda/0x1540
[ 89.820718][ T5339]        hfs_bmap_reserve+0x107/0x430
[ 89.823115][ T5339]        __hfs_ext_write_extent+0x1fa/0x470
[ 89.825754][ T5339]        __hfs_ext_cache_extent+0x6b/0x9b0
[ 89.828346][ T5339]        hfs_extend_file+0x31e/0x1540
[ 89.830569][ T5339]        hfs_get_block+0x3d7/0xbd0
[ 89.833081][ T5339]        __block_write_begin_int+0x6b5/0x1900
[ 89.835878][ T5339]        cont_write_begin+0x78c/0xb50
[ 89.838288][ T5339]        hfs_write_begin+0x66/0xb0
[ 89.840737][ T5339]        cont_write_begin+0x2fd/0xb50
[ 89.843104][ T5339]        hfs_write_begin+0x66/0xb0
[ 89.845474][ T5339]        generic_perform_write+0x2c5/0x900
[ 89.848129][ T5339]        generic_file_write_iter+0x117/0x550
[ 89.850797][ T5339]        vfs_write+0x5c9/0xb30
[ 89.852953][ T5339]        __x64_sys_pwrite64+0x193/0x220
[ 89.855538][ T5339]        do_syscall_64+0xfa/0xf80
[ 89.857807][ T5339]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 89.860691][ T5339]
[ 89.860691][ T5339] -> #0 (&tree->tree_lock/1){+.+.}-{4:4}:
[ 89.864204][ T5339]        __lock_acquire+0x15a6/0x2cf0
[ 89.866636][ T5339]        lock_acquire+0x117/0x340
[ 89.868892][ T5339]        __mutex_lock+0x187/0x1350
[ 89.871161][ T5339]        hfs_find_init+0x18e/0x300
[ 89.873602][ T5339]        hfs_extend_file+0x2f6/0x1540
[ 89.876051][ T5339]        hfs_bmap_reserve+0x107/0x430
[ 89.878441][ T5339]        hfs_cat_create+0x1c5/0x770
[ 89.880776][ T5339]        hfs_mkdir+0x6c/0xe0
[ 89.883389][ T5339]        vfs_mkdir+0x512/0x5b0
[ 89.885773][ T5339]        do_mkdirat+0x276/0x4b0
[ 89.888040][ T5339]        __x64_sys_mkdirat+0x87/0xa0
[ 89.890796][ T5339]        do_syscall_64+0xfa/0xf80
[ 89.893922][ T5339]        entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 89.897756][ T5339]
[ 89.897756][ T5339] other info that might help us debug this:
[ 89.897756][ T5339]
[ 89.903920][ T5339]  Possible unsafe locking scenario:
[ 89.903920][ T5339]
[ 89.907598][ T5339]        CPU0                    CPU1
[ 89.910617][ T5339]        ----                    ----
[ 89.913728][ T5339]   lock(&HFS_I(tree->inode)->extents_lock);
[ 89.916943][ T5339]                                lock(&tree->tree_lock/1);
[ 89.920880][ T5339]                                lock(&HFS_I(tree->inode)->extents_lock);
[ 89.924678][ T5339]   lock(&tree->tree_lock/1);
[ 89.926648][ T5339]
[ 89.926648][ T5339]  *** DEADLOCK ***
[ 89.926648][ T5339]
[ 89.930257][ T5339] 4 locks held by syz.0.0/5339:
[ 89.932451][ T5339]  #0: ffff888011bb4420 (sb_writers#12){.+.+}-{0:0}, at: mnt_want_write+0x41/0x90
[ 89.936248][ T5339]  #1: ffff888011e30fa0 (&type->i_mutex_dir_key#8/1){+.+.}-{4:4}, at: filename_create+0x1fb/0x360
[ 89.941523][ T5339]  #2: ffff88801273e0b0 (&tree->tree_lock){+.+.}-{4:4}, at: hfs_find_init+0x18e/0x300
[ 89.945644][ T5339]  #3: ffff888011e30778 (&HFS_I(tree->inode)->extents_lock){+.+.}-{4:4}, at: hfs_extend_file+0xda/0x1540
[ 89.950736][ T5339]
[ 89.950736][ T5339] stack backtrace:
[ 89.953327][ T5339] CPU: 0 UID: 0 PID: 5339 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
[ 89.953343][ T5339] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 89.953351][ T5339] Call Trace:
[ 89.953359][ T5339]
[ 89.953364][ T5339]  dump_stack_lvl+0x189/0x250
[ 89.953384][ T5339]  ? __pfx_dump_stack_lvl+0x10/0x10
[ 89.953398][ T5339]  ? __pfx__printk+0x10/0x10
[ 89.953415][ T5339]  ? print_lock_name+0xde/0x100
[ 89.953431][ T5339]  print_circular_bug+0x2e2/0x300
[ 89.953446][ T5339]  check_noncircular+0x12e/0x150
[ 89.953460][ T5339]  __lock_acquire+0x15a6/0x2cf0
[ 89.953475][ T5339]  ? hfs_find_init+0x18e/0x300
[ 89.953487][ T5339]  lock_acquire+0x117/0x340
[ 89.953497][ T5339]  ? hfs_find_init+0x18e/0x300
[ 89.953512][ T5339]  __mutex_lock+0x187/0x1350
[ 89.953524][ T5339]  ? hfs_find_init+0x18e/0x300
[ 89.953538][ T5339]  ? hfs_find_init+0x18e/0x300
[ 89.953547][ T5339]  ? __pfx___mutex_lock+0x10/0x10
[ 89.953555][ T5339]  ? rcu_is_watching+0x15/0xb0
[ 89.953565][ T5339]  ? trace_kmalloc+0x1f/0xb0
[ 89.953578][ T5339]  ? __kmalloc_noprof+0x43e/0x800
[ 89.953593][ T5339]  ? hfs_find_init+0xaa/0x300
[ 89.953606][ T5339]  hfs_find_init+0x18e/0x300
[ 89.953619][ T5339]  hfs_extend_file+0x2f6/0x1540
[ 89.953637][ T5339]  ? __pfx_hfs_extend_file+0x10/0x10
[ 89.953649][ T5339]  ? __mutex_lock+0x335/0x1350
[ 89.953664][ T5339]  ? __pfx___mutex_lock+0x10/0x10
[ 89.953676][ T5339]  hfs_bmap_reserve+0x107/0x430
[ 89.953693][ T5339]  hfs_cat_create+0x1c5/0x770
[ 89.953708][ T5339]  ? do_raw_spin_lock+0x121/0x290
[ 89.953721][ T5339]  ? __pfx_hfs_cat_create+0x10/0x10
[ 89.953736][ T5339]  ? hfs_new_inode+0x837/0xbd0
[ 89.953753][ T5339]  hfs_mkdir+0x6c/0xe0
[ 89.953767][ T5339]  vfs_mkdir+0x512/0x5b0
[ 89.953784][ T5339]  do_mkdirat+0x276/0x4b0
[ 89.953799][ T5339]  ? __pfx_do_mkdirat+0x10/0x10
[ 89.953821][ T5339]  ? getname_flags+0x1e5/0x540
[ 89.953833][ T5339]  __x64_sys_mkdirat+0x87/0xa0
[ 89.953847][ T5339]  do_syscall_64+0xfa/0xf80
[ 89.953858][ T5339]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 89.953869][ T5339]  ? clear_bhb_loop+0x60/0xb0
[ 89.953881][ T5339]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 89.953892][ T5339] RIP: 0033:0x7f02f258df17
[ 89.953904][ T5339] Code: 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 02 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 89.953913][ T5339] RSP: 002b:00007f02f34c3e68 EFLAGS: 00000246 ORIG_RAX: 0000000000000102
[ 89.953926][ T5339] RAX: ffffffffffffffda RBX: 00007f02f34c3ef0 RCX: 00007f02f258df17
[ 89.953936][ T5339] RDX: 00000000000001ff RSI: 0000200000002080 RDI: 00000000ffffff9c
[ 89.953943][ T5339] RBP: 0000200000002040 R08: 0000000000000000 R09: 0000000000000000
[ 89.953950][ T5339] R10: 0000200000002040 R11: 0000000000000246 R12: 0000200000002080
[ 89.953957][ T5339] R13: 00007f02f34c3eb0 R14: 0000000000000000 R15: 0000200000000380
[ 89.953968][ T5339]
[ 90.087451][ T5339] fuse: Unknown parameter 'dont_measure'
[ 90.092800][ T5339] /dev/loop0: Can't open blockdev
[ 90.097022][ T951] kworker/u4:8: attempt to access beyond end of device
[ 90.097022][ T951] loop0: rw=8388609, sector=4170, nr_sectors = 1 limit=64
[ 90.111757][ T951] Buffer I/O error on dev loop0, logical block 4170, lost async page write
[ 90.115905][ T951] kworker/u4:8: attempt to access beyond end of device
[ 90.115905][ T951] loop0: rw=8388609, sector=4172, nr_sectors = 1 limit=64
[ 90.121896][ T951] Buffer I/O error on dev loop0, logical block 4172, lost async page write
[ 90.126292][ T951] kworker/u4:8: attempt to access beyond end of device
[ 90.126292][ T951] loop0: rw=8388609, sector=4173, nr_sectors = 1 limit=64
[ 90.132581][ T951] Buffer I/O error on dev loop0, logical block 4173, lost async page write
[ 90.136888][ T951] kworker/u4:8: attempt to access beyond end of device
[ 90.136888][ T951] loop0: rw=8388609, sector=4174, nr_sectors = 1 limit=64
[ 90.143100][ T951] Buffer I/O error on dev loop0, logical block 4174, lost async page write
[ 90.147441][ T951] kworker/u4:8: attempt to access beyond end of device
[ 90.147441][ T951] loop0: rw=8388609, sector=4175, nr_sectors = 1 limit=64
[ 90.153242][ T951] Buffer I/O error on dev loop0, logical block 4175, lost async page write
[ 90.157571][ T951] kworker/u4:8: attempt to access beyond end of device
[ 90.157571][ T951] loop0: rw=8388609, sector=4176, nr_sectors = 1 limit=64
[ 90.163545][ T951] Buffer I/O error on dev loop0, logical block 4176, lost async page write
[ 90.168109][ T951] kworker/u4:8: attempt to access beyond end of device
[ 90.168109][ T951] loop0: rw=8388609, sector=4177, nr_sectors = 1 limit=64
[ 90.174495][ T951] Buffer I/O error on dev loop0, logical block 4177, lost async page write
[ 90.195406][ T951] kworker/u4:8: attempt to access beyond end of device
[ 90.195406][ T951] loop0: rw=8388609, sector=4200, nr_sectors = 1 limit=64
[ 90.214269][ T951] Buffer I/O error on dev loop0, logical block 4200, lost async page write
[ 90.219180][ T951] kworker/u4:8: attempt to access beyond end of device
[ 90.219180][ T951] loop0: rw=8388609, sector=4201, nr_sectors = 1 limit=64
[ 90.235212][ T951] Buffer I/O error on dev loop0, logical block 4201, lost async page write