program: mkdirat(0xffffffffffffff9c, &(0x7f0000002040)='./file0\x00', 0x0) mkdirat(0xffffffffffffff9c, &(0x7f0000000340)='./file1\x00', 0x2) syz_mount_image$hfsplus(&(0x7f0000000040), &(0x7f0000000080)='./file1\x00', 0x400, &(0x7f0000000140)=ANY=[], 0x1, 0x694, &(0x7f0000001100)="$eJzs3U1sHGf9B/DvbnbX3vz/Sp02SQOqRNRIBRGROLGSYi4NCKFIVKgqB8TRSpzGyiatHBc5EYLwfuDCoXeKRG5cQOIeVM7AqVcfKyFx6SmAxKKZnbXXr9l1Yq8tPp9odp5nnpd5nt/M7OzOKnKA/1nXzqXxOLVcO/fmcpFfeTTTWXk0c6efTjKRpJ40eqvU7ia1j5Kr6S35TLGx6q623X4+WJh9++NPVz7p5RrVUtav79Rukyv1LTY+rJacSXKkWj+Ddf1d39Bfa+TuaqszLAJ2th84GLdmku463z21VvJUw1+3wIFVK++bm6/5qeRoksnqc0Dvrti7Zx9qD8c9AAAAANgHL/yy/Ap/bNzjAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgMOk9/f/i1W51PvpM6n1//5/q9qWKn2oPR73AAAAAAAAAABgdN/8/w0bPvckT7KcY/18t1b+5v9qmTlRvv5f3s+9zGcx57OcuSxlKYu5mGSqLG+Wr63luaWlxYtDtLy02jIDLS8NOYP27icPAAAAAAAAAIdFY/QmP861td//AQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADgIKglR3qrcjnRT0+l3kgymaRV1HuY/LWfPpB+/afBXPff3dKmao/3c0wAAAAwJi88yZMs51g/362V3/lPld/7J/N+7mYpC1lKJ/O5UT4L6H3rr688mumsPJq5Uyyb+/3qP0YaRtljes8ett7z6bJGOzezUG45n+t5N53cSL1sWTjdH8/W4/pRMabaG5UhR3ajWhcz/1WaI81qN2pD15wqI1KMqBeR6aptEY3jO0dixKPT31M/9hdTX33yc+J5xny5t3r9t711MZ+fjxSTvbYxEpcGzr5TK6ntEInk83/83Xdude7enrh579zBmdIIJgaeoG2MxMxAJF7e+ZxIM1Ukbh3WSAyaLiNxcjV/Ld/It3MuZ/JWFrOQ72UuS5nPmXw9czmSuep8Ll6ndo7U1XW5t542klZ5XJrVu+jwY1rKXF4t2x7LQr6Vd3Mj87lS/ruUi3m96jGrR/jkEFd9fbR32rNfGHiY/Isk7eHa7YNiYMdX706DZ/10eR0cX7dl7Tp48fnfjxqfrRLFPn4ycETGb2MkLg5E4qWdI/Gb8m3lXufu7cVbc+8Nub/XqnVxHf3sQN0livPlxeJglbn1Z0dR9tLGsslevFrVLy69svV33KLs5GrZ9lfq5VzObFn71JY9XSrLXt6ybKYsOz1Qtu7z1tXe5y0ADryjXzzaav+9/Zf2h+2ftm+135z82sSXJ15ppfnn5lca00deq79S+0M+zA/Wvv8DAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC7d+/+g9tznc784oZEt9v94TZFe5hoJ+lvSZ7Wqpmn19mbRCtJmWj0E6P1MzFU5dba0Xnj988y5uaorZLnEqhGdZLdf3D7n91ud98P0xaJ5g7n/FqiW9lU1B2q+dgS/+o+vw7H/MYE7LkLS3feu3Dv/oMvLdyZe2f+nfm7s5cvz07PXr7ytws3Fzrz073XcY8S2AtrN/1xjwQAAAAAAAAAAAAY1n78t4Rtdv2ffZ4qAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcEhdOzdRpc5PF68rj2Y6xdJPr1Ysq9WT1L6f1D5Krqa3ZGqgu9p2+/lgYfbtjz9d+aSXa1RLWb++rl1zN7N4WC05k+RItR40+Qz9Xa/WuxpZqbY6wyJgZ/uBg3H7bwAAAP//2wMQAg==") r0 = creat(&(0x7f0000000000)='./bus\x00', 0x0) io_setup(0x202, &(0x7f0000000200)=0x0) io_submit(r1, 0x3b, &(0x7f0000000540)=[&(0x7f00000000c0)={0x25, 0xe7030000, 0x0, 0x1, 0x0, r0, &(0x7f0000000000), 0x70000}]) mkdir(&(0x7f0000000300)='./bus\x00', 0x0) mount$overlay(0x0, &(0x7f00000000c0)='./bus\x00', &(0x7f0000000480), 0x1000000, &(0x7f0000000400)={[{@upperdir={'upperdir', 0x3d, './file1'}}, {@lowerdir={'lowerdir', 0x3d, './file0'}}, {@workdir={'workdir', 0x3d, './bus'}}]}) r2 = open(&(0x7f0000000140)='./file0\x00', 0x0, 0x0) mknodat$loop(r2, &(0x7f0000001600)='./file1\x00', 0x0, 0x0) chdir(&(0x7f00000003c0)='./bus\x00') open(&(0x7f0000000440)='./file1\x00', 0x0, 0x73) linkat(r2, &(0x7f0000000100)='./file1\x00', r2, &(0x7f0000000240)='./file0\x00', 0x0) unlink(&(0x7f0000000280)='./file1\x00') openat(0xffffffffffffff9c, &(0x7f0000000280)='./file0\x00', 0x40037, 0x120) [ 74.423148][ T4681] Bluetooth: hci0: command tx timeout [ 74.477295][ T5335] loop0: detected capacity change from 0 to 1024 [ 74.564556][ T5335] overlay: ./file1 is not a directory [ 74.569038][ T5335] [ 74.570377][ T5335] ====================================================== [ 74.573229][ T5335] WARNING: possible circular locking dependency detected [ 74.576231][ T5335] syzkaller #0 Not tainted [ 74.578039][ T5335] ------------------------------------------------------ [ 74.580830][ T5335] syz.0.0/5335 is trying to acquire lock: [ 74.583085][ T5335] ffff8880114e80b0 (&tree->tree_lock/1){+.+.}-{4:4}, at: hfsplus_find_init+0x168/0x2d0 [ 74.586965][ T5335] [ 74.586965][ T5335] but task is already holding lock: [ 74.589967][ T5335] ffff888011c03048 (&HFSPLUS_I(inode)->extents_lock){+.+.}-{4:4}, at: hfsplus_get_block+0x398/0x1600 [ 74.594138][ T5335] [ 74.594138][ T5335] which lock already depends on the new lock. [ 74.594138][ T5335] [ 74.598265][ T5335] [ 74.598265][ T5335] the existing dependency chain (in reverse order) is: [ 74.601819][ T5335] [ 74.601819][ T5335] -> #1 (&HFSPLUS_I(inode)->extents_lock){+.+.}-{4:4}: [ 74.605171][ T5335] __mutex_lock+0x187/0x1350 [ 74.607081][ T5335] hfsplus_file_extend+0x1f8/0x1c30 [ 74.609300][ T5335] hfsplus_bmap_reserve+0x125/0x510 [ 74.611456][ T5335] __hfsplus_ext_write_extent+0x28d/0x5b0 [ 74.614077][ T5335] __hfsplus_ext_cache_extent+0x89/0xe30 [ 74.616631][ T5335] hfsplus_file_extend+0x437/0x1c30 [ 74.618999][ T5335] hfsplus_get_block+0x40a/0x1600 [ 74.621394][ T5335] __block_write_begin_int+0x6b5/0x1900 [ 74.623895][ T5335] cont_write_begin+0x78c/0xb50 [ 74.626228][ T5335] hfsplus_write_begin+0x66/0xb0 [ 74.628639][ T5335] generic_perform_write+0x2c5/0x900 [ 74.631176][ T5335] generic_file_write_iter+0x117/0x550 [ 74.633777][ T5335] aio_write+0x535/0x7a0 [ 74.635829][ T5335] io_submit_one+0x775/0x1430 [ 74.638175][ T5335] __se_sys_io_submit+0x185/0x320 [ 74.640523][ T5335] do_syscall_64+0xfa/0xf80 [ 74.642642][ T5335] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 74.645371][ T5335] [ 74.645371][ T5335] -> #0 (&tree->tree_lock/1){+.+.}-{4:4}: [ 74.648672][ T5335] __lock_acquire+0x15a6/0x2cf0 [ 74.651083][ T5335] lock_acquire+0x117/0x340 [ 74.653220][ T5335] __mutex_lock+0x187/0x1350 [ 74.655322][ T5335] hfsplus_find_init+0x168/0x2d0 [ 74.657477][ T5335] hfsplus_get_block+0x8dc/0x1600 [ 74.659739][ T5335] block_read_full_folio+0x29f/0x830 [ 74.662105][ T5335] read_pages+0x35d/0x580 [ 74.664019][ T5335] page_cache_ra_unbounded+0x750/0x990 [ 74.666348][ T5335] filemap_get_pages+0x468/0x1dc0 [ 74.668586][ T5335] filemap_read+0x3f6/0x11a0 [ 74.670660][ T5335] __kernel_read+0x4cf/0x960 [ 74.672926][ T5335] integrity_kernel_read+0x89/0xd0 [ 74.675090][ T5335] ima_calc_file_hash+0x85e/0x16f0 [ 74.677424][ T5335] ima_collect_measurement+0x428/0x8f0 [ 74.680066][ T5335] process_measurement+0x111e/0x1a70 [ 74.682659][ T5335] ima_file_check+0xd9/0x130 [ 74.684979][ T5335] security_file_post_open+0xbb/0x290 [ 74.687591][ T5335] path_openat+0x3456/0x3dd0 [ 74.689853][ T5335] do_filp_open+0x1fa/0x410 [ 74.692173][ T5335] do_sys_openat2+0x121/0x200 [ 74.695217][ T5335] __x64_sys_open+0x11e/0x150 [ 74.697830][ T5335] do_syscall_64+0xfa/0xf80 [ 74.700346][ T5335] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 74.703689][ T5335] [ 74.703689][ T5335] other info that might help us debug this: [ 74.703689][ T5335] [ 74.708509][ T5335] Possible unsafe locking scenario: [ 74.708509][ T5335] [ 74.711821][ T5335] CPU0 CPU1 [ 74.714170][ T5335] ---- ---- [ 74.716608][ T5335] lock(&HFSPLUS_I(inode)->extents_lock); [ 74.719166][ T5335] lock(&tree->tree_lock/1); [ 74.722139][ T5335] lock(&HFSPLUS_I(inode)->extents_lock); [ 74.725623][ T5335] lock(&tree->tree_lock/1); [ 74.727722][ T5335] [ 74.727722][ T5335] *** DEADLOCK *** [ 74.727722][ T5335] [ 74.731250][ T5335] 3 locks held by syz.0.0/5335: [ 74.733428][ T5335] #0: ffff8880388464a8 (&ima_iint_mutex_key[depth]){+.+.}-{4:4}, at: process_measurement+0x74e/0x1a70 [ 74.738076][ T5335] #1: ffff888011c033d8 (mapping.invalidate_lock#3){.+.+}-{4:4}, at: page_cache_ra_unbounded+0x1cf/0x990 [ 74.742770][ T5335] #2: ffff888011c03048 (&HFSPLUS_I(inode)->extents_lock){+.+.}-{4:4}, at: hfsplus_get_block+0x398/0x1600 [ 74.747913][ T5335] [ 74.747913][ T5335] stack backtrace: [ 74.750352][ T5335] CPU: 0 UID: 0 PID: 5335 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 74.750368][ T5335] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 74.750375][ T5335] Call Trace: [ 74.750382][ T5335] [ 74.750388][ T5335] dump_stack_lvl+0x189/0x250 [ 74.750408][ T5335] ? __pfx_dump_stack_lvl+0x10/0x10 [ 74.750421][ T5335] ? __pfx__printk+0x10/0x10 [ 74.750437][ T5335] ? print_lock_name+0xde/0x100 [ 74.750452][ T5335] print_circular_bug+0x2e2/0x300 [ 74.750466][ T5335] check_noncircular+0x12e/0x150 [ 74.750477][ T5335] __lock_acquire+0x15a6/0x2cf0 [ 74.750491][ T5335] ? hfsplus_find_init+0x168/0x2d0 [ 74.750502][ T5335] lock_acquire+0x117/0x340 [ 74.750510][ T5335] ? hfsplus_find_init+0x168/0x2d0 [ 74.750529][ T5335] ? ima_file_check+0xd9/0x130 [ 74.750546][ T5335] ? path_openat+0x3456/0x3dd0 [ 74.750569][ T5335] ? do_sys_openat2+0x121/0x200 [ 74.750584][ T5335] __mutex_lock+0x187/0x1350 [ 74.750597][ T5335] ? hfsplus_find_init+0x168/0x2d0 [ 74.750616][ T5335] ? hfsplus_find_init+0x168/0x2d0 [ 74.750633][ T5335] ? __pfx___mutex_lock+0x10/0x10 [ 74.750646][ T5335] ? rcu_is_watching+0x15/0xb0 [ 74.750660][ T5335] ? trace_kmalloc+0x1f/0xb0 [ 74.750674][ T5335] ? __kmalloc_noprof+0x43e/0x800 [ 74.750689][ T5335] ? hfsplus_find_init+0x8c/0x2d0 [ 74.750706][ T5335] hfsplus_find_init+0x168/0x2d0 [ 74.750721][ T5335] hfsplus_get_block+0x8dc/0x1600 [ 74.750734][ T5335] ? __pfx_hfsplus_get_block+0x10/0x10 [ 74.750747][ T5335] ? _raw_spin_unlock+0x28/0x50 [ 74.750761][ T5335] ? block_read_full_folio+0x672/0x830 [ 74.750778][ T5335] block_read_full_folio+0x29f/0x830 [ 74.750794][ T5335] ? __pfx_hfsplus_get_block+0x10/0x10 [ 74.750805][ T5335] ? __pfx_hfsplus_read_folio+0x10/0x10 [ 74.750815][ T5335] read_pages+0x35d/0x580 [ 74.750831][ T5335] ? __pfx_read_pages+0x10/0x10 [ 74.750846][ T5335] ? filemap_add_folio+0x35f/0x540 [ 74.750861][ T5335] page_cache_ra_unbounded+0x750/0x990 [ 74.750879][ T5335] filemap_get_pages+0x468/0x1dc0 [ 74.750893][ T5335] ? __lock_acquire+0x6b6/0x2cf0 [ 74.750909][ T5335] ? __pfx_filemap_get_pages+0x10/0x10 [ 74.750923][ T5335] ? __lock_acquire+0x6b6/0x2cf0 [ 74.750939][ T5335] ? __pfx___might_resched+0x10/0x10 [ 74.750959][ T5335] filemap_read+0x3f6/0x11a0 [ 74.750980][ T5335] ? __pfx_filemap_read+0x10/0x10 [ 74.750995][ T5335] ? _raw_spin_unlock_irqrestore+0xad/0x110 [ 74.751015][ T5335] ? generic_file_read_iter+0x8f/0x510 [ 74.751030][ T5335] ? __asan_memset+0x22/0x50 [ 74.751043][ T5335] ? iov_iter_kvec+0xb8/0x180 [ 74.751060][ T5335] __kernel_read+0x4cf/0x960 [ 74.751076][ T5335] ? __pfx___kernel_read+0x10/0x10 [ 74.751095][ T5335] integrity_kernel_read+0x89/0xd0 [ 74.751107][ T5335] ? __pfx_integrity_kernel_read+0x10/0x10 [ 74.751118][ T5335] ? __kmalloc_cache_noprof+0x3e2/0x700 [ 74.751133][ T5335] ? ima_calc_file_hash+0x820/0x16f0 [ 74.751146][ T5335] ? __asan_memcpy+0x40/0x70 [ 74.751160][ T5335] ima_calc_file_hash+0x85e/0x16f0 [ 74.751176][ T5335] ? __lock_acquire+0x6b6/0x2cf0 [ 74.751187][ T5335] ? __pfx_ima_calc_file_hash+0x10/0x10 [ 74.751209][ T5335] ? stack_depot_save_flags+0x422/0x850 [ 74.751226][ T5335] ? kasan_save_track+0x4f/0x80 [ 74.751240][ T5335] ? kasan_save_track+0x3e/0x80 [ 74.751254][ T5335] ? make_vfsgid+0x49/0xa0 [ 74.751269][ T5335] ? generic_fillattr+0x63d/0x9a0 [ 74.751280][ T5335] ? hfsplus_getattr+0x235/0x2f0 [ 74.751293][ T5335] ima_collect_measurement+0x428/0x8f0 [ 74.751310][ T5335] ? __pfx_ima_collect_measurement+0x10/0x10 [ 74.751327][ T5335] ? kasan_quarantine_put+0xdd/0x220 [ 74.751341][ T5335] ? lockdep_hardirqs_on+0x98/0x140 [ 74.751352][ T5335] ? hfsplus_getxattr+0x118/0x180 [ 74.751363][ T5335] ? kfree+0x1c0/0x660 [ 74.751379][ T5335] ? __pfx_ima_get_hash_algo+0x10/0x10 [ 74.751394][ T5335] process_measurement+0x111e/0x1a70 [ 74.751407][ T5335] ? kasan_quarantine_put+0xdd/0x220 [ 74.751425][ T5335] ? __pfx_process_measurement+0x10/0x10 [ 74.751437][ T5335] ? tomoyo_check_open_permission+0x325/0x3b0 [ 74.751454][ T5335] ? tomoyo_check_open_permission+0x16a/0x3b0 [ 74.751481][ T5335] ima_file_check+0xd9/0x130 [ 74.751496][ T5335] ? __pfx_ima_file_check+0x10/0x10 [ 74.751511][ T5335] security_file_post_open+0xbb/0x290 [ 74.751527][ T5335] path_openat+0x3456/0x3dd0 [ 74.751545][ T5335] ? __pfx_stack_trace_save+0x10/0x10 [ 74.751569][ T5335] ? stack_depot_save_flags+0x40/0x850 [ 74.751587][ T5335] ? kmem_cache_alloc_noprof+0x37d/0x710 [ 74.751601][ T5335] ? getname_flags+0xb8/0x540 [ 74.751612][ T5335] ? __pfx_path_openat+0x10/0x10 [ 74.751627][ T5335] ? __lock_acquire+0x6b6/0x2cf0 [ 74.751642][ T5335] do_filp_open+0x1fa/0x410 [ 74.751657][ T5335] ? __pfx_do_filp_open+0x10/0x10 [ 74.751675][ T5335] ? _raw_spin_unlock+0x28/0x50 [ 74.751689][ T5335] ? alloc_fd+0x64c/0x6c0 [ 74.751701][ T5335] do_sys_openat2+0x121/0x200 [ 74.751713][ T5335] ? __se_sys_futex+0x36f/0x400 [ 74.751725][ T5335] ? __pfx_do_sys_openat2+0x10/0x10 [ 74.751739][ T5335] __x64_sys_open+0x11e/0x150 [ 74.751752][ T5335] do_syscall_64+0xfa/0xf80 [ 74.751762][ T5335] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 74.751772][ T5335] ? clear_bhb_loop+0x60/0xb0 [ 74.751784][ T5335] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 74.751795][ T5335] RIP: 0033:0x7f1b53d8f7c9 [ 74.751807][ T5335] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 74.751816][ T5335] RSP: 002b:00007f1b54c8d038 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 74.751829][ T5335] RAX: ffffffffffffffda RBX: 00007f1b53fe5fa0 RCX: 00007f1b53d8f7c9 [ 74.751837][ T5335] RDX: 0000000000000073 RSI: 0000000000000000 RDI: 0000200000000440 [ 74.751845][ T5335] RBP: 00007f1b53e13f91 R08: 0000000000000000 R09: 0000000000000000 [ 74.751852][ T5335] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 74.751859][ T5335] R13: 00007f1b53fe6038 R14: 00007f1b53fe5fa0 R15: 00007fff99236e48 [ 74.751871][ T5335] [ 75.016059][ T25] audit: type=1800 audit(1765699135.185:2): pid=5335 uid=0 auid=4294967295 ses=4294967295 subj=unconfined op=collect_data cause=failed comm="syz.0.0" name="file1" dev="loop0" ino=20 res=0 errno=0