program:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
syz_mount_image$hfs(&(0x7f00000001c0), &(0x7f0000000180)='./file1\x00', 0x30000c8, &(0x7f0000000100)=ANY=[], 0x11, 0x2c6, &(0x7f0000005bc0)="$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")
r2 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file1\x00', 0x42, 0x0) (async)
prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) (async)
sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7)
pwrite64(r2, &(0x7f0000000140)='2', 0x1, 0x8080c61) (async, rerun: 64)
r3 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file1\x00', 0x143042, 0x0) (rerun: 64)
sendfile(r3, r3, 0x0, 0x80000000) (async)
r4 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x2)
ioctl$KVM_SET_MSRS(r4, 0x4008ae89, &(0x7f0000000180)={0x1, 0x0, [{0x11, 0x0, 0x7fff}]})
r5 = socket$nl_generic(0x10, 0x3, 0x10) (async, rerun: 32)
r6 = openat$comedi(0xffffffffffffff9c, &(0x7f0000000140)='/dev/comedi4\x00', 0x2, 0x0) (rerun: 32)
mmap(&(0x7f0000000000/0x3000)=nil, 0x3000, 0x1000009, 0x13, r6, 0x0) (async, rerun: 64)
ioctl$COMEDI_BUFCONFIG(r6, 0x8020640d, &(0x7f0000000000)={0x0, 0x200, 0x8001, 0x9}) (async, rerun: 64)
r7 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff)
ioctl$sock_SIOCGIFINDEX_80211(r5, 0x8933, &(0x7f00000000c0)={'wlan1\x00', 0x0}) (async, rerun: 32)
syz_mount_image$fuse(0x0, &(0x7f00000000c0)='./bus\x00', 0x3000009, 0x0, 0x1, 0x0, 0x0) (rerun: 32)
mkdirat(0xffffffffffffff9c, &(0x7f0000000100)='./file0\x00', 0x181) (async, rerun: 32)
mkdirat(0xffffffffffffff9c, &(0x7f0000000080)='./file1\x00', 0x1c0) (async, rerun: 32)
ioctl$AUTOFS_DEV_IOCTL_ISMOUNTPOINT(r2, 0xc018937e, &(0x7f0000000280)={{0x1, 0x1, 0x18, r2, {0x1}}, './file0\x00'}) (async)
mount$overlay(0x0, &(0x7f0000000340)='./bus\x00', &(0x7f0000000b80), 0x200008, &(0x7f0000000240)={[{@workdir={'workdir', 0x3d, './bus'}}, {@lowerdir={'lowerdir', 0x3d, './file1'}}, {@upperdir={'upperdir', 0x3d, './file0'}}]}) (async)
syz_mount_image$fuse(&(0x7f00000001c0), &(0x7f00000002c0)='./bus\x00', 0x322020, &(0x7f0000000440)=ANY=[], 0x1, 0x0, 0x0) (async)
r9 = open(&(0x7f0000000780)='./bus\x00', 0x14107e, 0x0)
ioctl$FS_IOC_SETFLAGS(r9, 0x40086602, &(0x7f0000000140)=0x20)
sendmsg$NL80211_CMD_SET_INTERFACE(r5, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r7, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r8}, @void}}}, 0x9}}, 0x80c0) (async)
sendmsg$NL80211_CMD_CONNECT(r5, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x30, r7, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r8}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}, @NL80211_ATTR_BG_SCAN_PERIOD={0x6, 0x98, 0x9}]}, 0x30}}, 0x0)

[   85.086441][ T5337] Bluetooth: hci0: command tx timeout
[   85.172214][ T5359] loop0: detected capacity change from 0 to 64
[   85.215382][ T5359] =======================================================
[   85.215382][ T5359] WARNING: The mand mount option has been deprecated and
[   85.215382][ T5359] and is ignored by this kernel. Remove the mand
[   85.215382][ T5359] option from the mount to silence this warning.
[   85.215382][ T5359] =======================================================
[   85.349446][ T5366] 
[   85.350674][ T5366] ============================================
[   85.353430][ T5366] WARNING: possible recursive locking detected
[   85.356038][ T5366] syzkaller #0 Not tainted
[   85.358031][ T5366] --------------------------------------------
[   85.360861][ T5366] syz.0.0/5366 is trying to acquire lock:
[   85.363303][ T5366] ffff8880332600f8 (&HFS_I(tree->inode)->extents_lock){+.+.}-{4:4}, at: hfs_extend_file+0xda/0x1230
[   85.367942][ T5366] 
[   85.367942][ T5366] but task is already holding lock:
[   85.370969][ T5366] ffff888033260778 (&HFS_I(tree->inode)->extents_lock){+.+.}-{4:4}, at: hfs_extend_file+0xda/0x1230
[   85.375448][ T5366] 
[   85.375448][ T5366] other info that might help us debug this:
[   85.378843][ T5366]  Possible unsafe locking scenario:
[   85.378843][ T5366] 
[   85.382071][ T5366]        CPU0
[   85.383497][ T5366]        ----
[   85.384946][ T5366]   lock(&HFS_I(tree->inode)->extents_lock);
[   85.387631][ T5366]   lock(&HFS_I(tree->inode)->extents_lock);
[   85.390249][ T5366] 
[   85.390249][ T5366]  *** DEADLOCK ***
[   85.390249][ T5366] 
[   85.393779][ T5366]  May be due to missing lock nesting notation
[   85.393779][ T5366] 
[   85.397345][ T5366] 5 locks held by syz.0.0/5366:
[   85.399468][ T5366]  #0: ffff888040f18428 (sb_writers#12){.+.+}-{0:0}, at: mnt_want_write+0x41/0x90
[   85.403422][ T5366]  #1: ffff888033260fa0 (&type->i_mutex_dir_key#8/1){+.+.}-{4:4}, at: filename_create+0x1f8/0x3c0
[   85.407966][ T5366]  #2: ffff888036cf40b0 (&tree->tree_lock){+.+.}-{4:4}, at: hfs_find_init+0x184/0x200
[   85.412239][ T5366]  #3: ffff888033260778 (&HFS_I(tree->inode)->extents_lock){+.+.}-{4:4}, at: hfs_extend_file+0xda/0x1230
[   85.416802][ T5366]  #4: ffff888036cf60b0 (&tree->tree_lock/1){+.+.}-{4:4}, at: hfs_find_init+0x184/0x200
[   85.420789][ T5366] 
[   85.420789][ T5366] stack backtrace:
[   85.423220][ T5366] CPU: 0 UID: 0 PID: 5366 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[   85.423237][ T5366] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   85.423244][ T5366] Call Trace:
[   85.423252][ T5366] 
[   85.423258][ T5366]  dump_stack_lvl+0x189/0x250
[   85.423277][ T5366]  ? __pfx_dump_stack_lvl+0x10/0x10
[   85.423290][ T5366]  ? __pfx__printk+0x10/0x10
[   85.423306][ T5366]  ? print_lock_name+0xde/0x100
[   85.423321][ T5366]  print_deadlock_bug+0x28b/0x2a0
[   85.423335][ T5366]  validate_chain+0x1a3f/0x2140
[   85.423347][ T5366]  ? rcu_is_watching+0x15/0xb0
[   85.423359][ T5366]  ? rcu_is_watching+0x15/0xb0
[   85.423369][ T5366]  ? lock_release+0x4b/0x3e0
[   85.423385][ T5366]  ? lock_release+0x4b/0x3e0
[   85.423399][ T5366]  ? look_up_lock_class+0x74/0x170
[   85.423459][ T5366]  ? register_lock_class+0x51/0x320
[   85.423476][ T5366]  __lock_acquire+0xab9/0xd20
[   85.423494][ T5366]  ? hfs_extend_file+0xda/0x1230
[   85.423509][ T5366]  lock_acquire+0x120/0x360
[   85.423524][ T5366]  ? hfs_extend_file+0xda/0x1230
[   85.423541][ T5366]  __mutex_lock+0x187/0x1350
[   85.423557][ T5366]  ? hfs_extend_file+0xda/0x1230
[   85.423573][ T5366]  ? lockdep_unlock+0x89/0x120
[   85.423587][ T5366]  ? hfs_extend_file+0xda/0x1230
[   85.423600][ T5366]  ? __pfx___mutex_lock+0x10/0x10
[   85.423619][ T5366]  hfs_extend_file+0xda/0x1230
[   85.423635][ T5366]  ? __pfx_hfs_extend_file+0x10/0x10
[   85.423649][ T5366]  ? __pfx___mutex_trylock_common+0x10/0x10
[   85.423663][ T5366]  ? rcu_is_watching+0x15/0xb0
[   85.423674][ T5366]  ? trace_contention_end+0x39/0x120
[   85.423685][ T5366]  ? __mutex_lock+0x335/0x1350
[   85.423701][ T5366]  ? hfs_brec_find+0x18e/0x500
[   85.423713][ T5366]  hfs_bmap_reserve+0x107/0x430
[   85.423757][ T5366]  __hfs_ext_write_extent+0x1fa/0x470
[   85.423775][ T5366]  __hfs_ext_cache_extent+0x6b/0x9b0
[   85.423790][ T5366]  ? hfs_find_init+0x184/0x200
[   85.423801][ T5366]  hfs_extend_file+0x316/0x1230
[   85.423817][ T5366]  ? __pfx_hfs_extend_file+0x10/0x10
[   85.423830][ T5366]  ? __mutex_lock+0x335/0x1350
[   85.423850][ T5366]  ? __pfx___mutex_lock+0x10/0x10
[   85.423867][ T5366]  hfs_bmap_reserve+0x107/0x430
[   85.423884][ T5366]  hfs_cat_create+0x1b3/0x640
[   85.423897][ T5366]  ? do_raw_spin_lock+0x121/0x290
[   85.423911][ T5366]  ? __pfx_hfs_cat_create+0x10/0x10
[   85.423928][ T5366]  ? _raw_spin_unlock+0x28/0x50
[   85.423940][ T5366]  ? hfs_new_inode+0x7c9/0xba0
[   85.423957][ T5366]  hfs_mkdir+0x6c/0xe0
[   85.423971][ T5366]  vfs_mkdir+0x303/0x510
[   85.423985][ T5366]  do_mkdirat+0x247/0x590
[   85.423998][ T5366]  ? __pfx_do_mkdirat+0x10/0x10
[   85.424010][ T5366]  ? getname_flags+0x1e5/0x540
[   85.424026][ T5366]  __x64_sys_mkdirat+0x87/0xa0
[   85.424038][ T5366]  do_syscall_64+0xfa/0x3b0
[   85.424054][ T5366]  ? lockdep_hardirqs_on+0x9c/0x150
[   85.424068][ T5366]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   85.424079][ T5366]  ? clear_bhb_loop+0x60/0xb0
[   85.424092][ T5366]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   85.424104][ T5366] RIP: 0033:0x7f372538d457
[   85.424122][ T5366] Code: 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 02 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   85.424132][ T5366] RSP: 002b:00007f37261c8e68 EFLAGS: 00000246 ORIG_RAX: 0000000000000102
[   85.424145][ T5366] RAX: ffffffffffffffda RBX: 00007f37261c8ef0 RCX: 00007f372538d457
[   85.424154][ T5366] RDX: 00000000000001ff RSI: 00002000000000c0 RDI: 00000000ffffff9c
[   85.424161][ T5366] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[   85.424168][ T5366] R10: 0000000000000000 R11: 0000000000000246 R12: 00002000000000c0
[   85.424175][ T5366] R13: 00007f37261c8eb0 R14: 0000000000000000 R15: 0000000000000000
[   85.424187][ T5366] 
[   85.600115][ T5366] syz.0.0: attempt to access beyond end of device
[   85.600115][ T5366] loop0: rw=0, sector=66, nr_sectors = 1 limit=64
[   85.606048][ T5366] Buffer I/O error on dev loop0, logical block 66, async page read
[   85.610018][ T5366] syz.0.0: attempt to access beyond end of device
[   85.610018][ T5366] loop0: rw=0, sector=67, nr_sectors = 1 limit=64
[   85.615847][ T5366] Buffer I/O error on dev loop0, logical block 67, async page read
[   85.620017][ T5366] syz.0.0: attempt to access beyond end of device
[   85.620017][ T5366] loop0: rw=0, sector=68, nr_sectors = 1 limit=64
[   85.625662][ T5366] Buffer I/O error on dev loop0, logical block 68, async page read
[   85.629376][ T5366] syz.0.0: attempt to access beyond end of device
[   85.629376][ T5366] loop0: rw=0, sector=69, nr_sectors = 1 limit=64
[   85.635536][ T5366] Buffer I/O error on dev loop0, logical block 69, async page read
[   85.639373][ T5366] syz.0.0: attempt to access beyond end of device
[   85.639373][ T5366] loop0: rw=0, sector=70, nr_sectors = 1 limit=64
[   85.644851][ T5366] Buffer I/O error on dev loop0, logical block 70, async page read
[   85.648725][ T5366] syz.0.0: attempt to access beyond end of device
[   85.648725][ T5366] loop0: rw=0, sector=66, nr_sectors = 1 limit=64
[   85.654213][ T5366] Buffer I/O error on dev loop0, logical block 66, async page read
[   85.657360][ T5366] syz.0.0: attempt to access beyond end of device
[   85.657360][ T5366] loop0: rw=0, sector=67, nr_sectors = 1 limit=64
[   85.662843][ T5366] Buffer I/O error on dev loop0, logical block 67, async page read
[   85.666057][ T5366] syz.0.0: attempt to access beyond end of device
[   85.666057][ T5366] loop0: rw=0, sector=68, nr_sectors = 1 limit=64
[   85.672011][ T5366] Buffer I/O error on dev loop0, logical block 68, async page read
[   85.675560][ T5366] syz.0.0: attempt to access beyond end of device
[   85.675560][ T5366] loop0: rw=0, sector=69, nr_sectors = 1 limit=64
[   85.680814][ T5366] Buffer I/O error on dev loop0, logical block 69, async page read
[   85.683868][ T5366] syz.0.0: attempt to access beyond end of device
[   85.683868][ T5366] loop0: rw=0, sector=70, nr_sectors = 1 limit=64
[   85.689276][ T5366] Buffer I/O error on dev loop0, logical block 70, async page read