program: mkdirat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000)='./cgroup.net/syz0\x00', 0x1ff) r0 = syz_mount_image$hfs(&(0x7f00000001c0), &(0x7f0000000180)='./file1\x00', 0x30000c8, &(0x7f0000000100)=ANY=[], 0x11, 0x2d1, &(0x7f0000000280)="$eJzs3b9u01AUx/HfddI2pVVxaRESY6ESLAjKgliCUCaegAkBTZAqoiKgiD9TQUwIwc7GwCvwECwgXgAmJh6gTEb32o6T2I7dqI0b+H6kRnbia58bX9vnRKquAPy3rrd+fLr8y/4Zqaaa9Oaq5ElqSHVJJ3Wq8WR7Z2un22mP2lHNtbB/RmFLk9pmc7uT1dS2cy0ivl2ra7H/vdDCeJ1EriAIrv2sOghUzl39GTxpTrPJemOCMZXxcsx2uwccx7Qxe9rTMy1VHQcAoFrR898LM3ktRvm750nr0WPf5QdH7fk/rr2qAzh0wchP+57/rsoKjD2/x91HSb3nSjj7uRdXiWWOPDO07tJHbyjBNEVVpYvFm7+31e1c2HzQbXt6pWakb7NV99oOh26sINq1jNp0hBJ9N9kZpatXvRnbh40w/qeSBuJfGfOIKWWvTPPFfDO3jK8Pavfyv3pg7GlyZ8ofOlNh/Bfz9+h66dutFN02ms2mN7DJsjvIafWXEkW9bGRXJIpH1LIGfyDwi+J0rU4MtQp7d6mg1Upmq414LafV6kAr25veaM4/3mEz78xNs6bf+qxWX/7v2fjWNfLKTK4asx4OOPeNh/2ZzT5c3e3TT43P9OXS+xbn8kL/M3xPu/ExGH2bQ563uqsrWnr8/MX9WrfbeWQX7mQsPFzsvTPzWsrcpuIF7SbvzClwUhvHD6VJBnb+QHdo7x+FG9ur7EiclH96ofX1sAbSfDRMq+9phfcmTExy0quOBBWxeZcJ67+kXqmHyZ598TPz9JLlRrTHwObYvQouaRuEGbmkY/uq4BbyK7h0zZWqGV3NdeacdLb8Ef0ozmlm+hL4lr7rNr//AwAAAAAAAAAAAAAAAAAATJtJ/DtB1X0EAAAAAAAAAAAAAAAAAAAAAGDa9eb/VTz/r8rN/zs878pBzv/7flvZ8//GcuaaAbAvfwMAAP//QTZ8Yw==") prlimit64(0x0, 0xe, &(0x7f0000000140)={0x8, 0x8b}, 0x0) sched_setscheduler(0x0, 0x1, &(0x7f0000000080)=0x7) r1 = open(&(0x7f0000000240)='./file1\x00', 0x145142, 0x0) ftruncate(r1, 0x2007ffc) r2 = openat(r0, &(0x7f0000000580)='./bus\x00', 0xc4842, 0x1ef) r3 = openat$nullb(0xffffffffffffff9c, &(0x7f0000000540), 0x44800, 0x0) sendfile(r2, r3, 0x0, 0xfffe82) r4 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000), 0x200002, 0x0) openat$cgroup_procs(r4, &(0x7f00000001c0)='tasks\x00', 0x2, 0x0) mkdirat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000040)='./cgroup.net/syz0\x00', 0x1ff) r5 = openat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000040), 0x200002, 0x0) r6 = io_uring_setup(0xf08, &(0x7f0000000000)={0x0, 0xe9ce, 0x400, 0x20004, 0x3}) io_uring_register$IORING_REGISTER_PERSONALITY(r6, 0x9, 0x0, 0x0) io_uring_register$IORING_REGISTER_PERSONALITY(r6, 0x9, 0x0, 0x0) r7 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f0000000040)={0x1, &(0x7f0000000000)=[{0x6, 0x0, 0x0, 0x7fff7ffc}]}) close_range(r7, 0xffffffffffffffff, 0x200000000000000) ioctl$BTRFS_IOC_BALANCE_CTL(r4, 0x40049421, 0x0) r8 = openat$cgroup_devices(r5, &(0x7f00000001c0)='devices.deny\x00', 0x2, 0x0) write$cgroup_devices(r8, &(0x7f00000000c0)=ANY=[@ANYBLOB='b *:4\tw'], 0xa) r9 = syz_mount_image$hfsplus(&(0x7f0000000080), &(0x7f0000000140)='./file1\x00', 0x3000c00, &(0x7f0000000200)=ANY=[], 0x1, 0x654, &(0x7f0000000a40)="$eJzs3c9vHGf9B/D3rje2N99+UzdN2hRVitVIgLBI/EMumAsBIeRDhapy4GwlTmNlkxbbRW6FqMvPaw/5A8rBN05I3COVCxe49epjJQSXXjCnRTM7a29tr38Ux2uX1yuafZ6ZZ+Z5Ps9nZ3Z214o2wP+s+Yk0nqSW+YnX1or1zY2Z1ubGzMNuPclIknrS6BSp/avdbn+c3E5nyUvFxqq7Wr9xHi/NvfHJZ5ufdtYa1VLuXz/ouKNZr5aMJxmqypPq785h/Y0e1l1te4ZFwm50EweDdiFJu/SPx50tP/3LM9stPZr7HX3omQ+cA7XOfXOPseRidaEX7wM6d8XOPftcWx90AAAAAHAKnt3KVtZyadBxAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwHlS/f5/rVrq3fp4at3f/x+utqWqny3Xj7f7k6cVBwAAAAAAAACcoutb2cpaLnXX27Xyb/6vlCtXysf/yztZyWKWczNrWchqVrOcqSRjPR0Nry2sri5PHeHI6X2PnD4k0JGqbJ7MvAEAAAAAAADgS+aXmd/5+z8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJwFtWSoU5TLlW59LPVGktEkw8V+68nfuvXz7MmgAwAAAIBT8OxWtrKWS931dq38zP9C+bl/NO/kUVazlNW0spi75XcBnU/99c2NmdbmxszDYtnb7/f+eawwyh7T+e5h/5GvlXs0cy9L5ZabuZO30srd1MsjC9e68ewf1wdFTLXvVo4Y2d2qLGb+YVXu8f6xJtvPMb9MGSszcmE7I5NVbEU2njs4E8d8dnaPNJX6drBXdo20axJfKOcXq7KYz2/75Xwgdmdiuufse+HgnCdf+9MffnK/9ejB/XsrE2dnSgdbr8qhqmyXj829mZjpycSLX8ZM9DVZZuLq9vp8fpgfZyLjeT3LWcrPspDVLGY8PyhrC9X5XOu55Ptk6vbn1l4/LJLh6gztPFnHi+mV8thLWcqP8lbuZjGvlv+mM5VvZTazmet5hq8e4ZW23ueqb///vsHf+HpVaSb5XVWeDUVen+vJa+9r7ljZ1rtlJ0uXT/5+1PhKVSnG+FVVng27MzHVk4nnD87E78uXlZXWowfL9xfePtpwlz+sKsV19JszdZcozpfLxZNVrn3+7Cjant+3bapsu7LdVt/TdnW7rXOlrve9Uoer93B7e5ou217ct22mbLvW07bf+y0AzryL37g43Px786/Nj5q/bt5vvjb6/ZFvj7w8nAt/vvCdxuTQV+sv1/6Yj/KLnc//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAF7fy7nsPFlqtxeVdlXa7/X6fpvNc6f6c2SkO+tIzyaCmPJzkbGT+3+12u9pSOwvxHFxpF0bSfupjNZLs13S9d8sHAzl/BvzCBDx1t1Yfvn1r5d33vrn0cOHNxTcXH83Nzs5Nzs2+OnPr3lJrcbLzOOgogadh56Y/6EgAAAAAAAAAAACAozqZ/zPQTNJ/n/6jj57mVAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIBzan4ijSepZWry5mSxvrkx0yqWbn1nz0aSepLaz5Pax8ntdJaM9XRX6zfO46W5Nz75bPPTnb4a3f3rBx13NOvVkvEkQ1V5Uv3d+a/7q23PsEjYjW7iYND+EwAA//9nMgTf") r10 = bpf$BPF_PROG_GET_FD_BY_ID(0xd, &(0x7f0000000100)={0xffffffffffffffff}, 0x4) bpf$BPF_PROG_QUERY(0x10, &(0x7f0000000300)={@fallback=r9, 0x4, 0x1, 0x4, &(0x7f0000000200)=[0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0], 0x8, 0x0, &(0x7f0000000240)=[0x0], &(0x7f0000000280), &(0x7f00000002c0)=[0x0], 0x0}, 0x40) ioctl$sock_ipv6_tunnel_SIOCDELTUNNEL(0xffffffffffffffff, 0x89f2, &(0x7f0000000400)={'syztnl2\x00', &(0x7f0000000380)={'ip6_vti0\x00', 0x0, 0x29, 0x8, 0x80, 0x8, 0x0, @private0, @mcast1, 0x81, 0x8, 0x1ff, 0x7}}) bpf$BPF_PROG_DETACH(0x9, &(0x7f0000000340)=ANY=[@ANYRES32=r12, @ANYRES32=r10, @ANYBLOB="0300000024203ab7a9e62ab1", @ANYRES32, @ANYBLOB, @ANYRES64=r11], 0x20) openat(0xffffffffffffff9c, &(0x7f0000000040)='./file1\x00', 0x101042, 0x0) open(&(0x7f0000000080)='./bus\x00', 0x400141042, 0x0) openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000080)='cgroup.controllers\x00', 0x275a, 0x0) openat$cgroup_ro(0xffffffffffffff9c, &(0x7f00000000c0)='memory.events\x00', 0x275a, 0x0) [ 91.591851][ T4654] Bluetooth: hci0: command tx timeout [ 91.696615][ T5323] loop0: detected capacity change from 0 to 64 [ 91.735609][ T5323] ======================================================= [ 91.735609][ T5323] WARNING: The mand mount option has been deprecated and [ 91.735609][ T5323] and is ignored by this kernel. Remove the mand [ 91.735609][ T5323] option from the mount to silence this warning. [ 91.735609][ T5323] ======================================================= [ 91.826379][ T1372] cfg80211: failed to load regulatory.db [ 91.870241][ T25] audit: type=1800 audit(1779447842.412:2): pid=5323 uid=0 auid=4294967295 ses=4294967295 subj=unconfined op=collect_data cause=failed(directio) comm="syz.0.0" name="file1" dev="loop0" ino=22 res=0 errno=0 [ 92.518587][ T5323] hfs: request for non-existent node 8 in B*Tree [ 92.522403][ T5323] hfs: request for non-existent node 8 in B*Tree [ 92.575557][ T179] kworker/u4:6: attempt to access beyond end of device [ 92.575557][ T179] loop0: rw=1, sector=4169, nr_sectors = 1 limit=64 [ 92.696126][ T5323] [ 92.697289][ T5323] ====================================================== [ 92.700193][ T5323] WARNING: possible circular locking dependency detected [ 92.703112][ T5323] syzkaller #0 Not tainted [ 92.705033][ T5323] ------------------------------------------------------ [ 92.707811][ T5323] syz.0.0/5323 is trying to acquire lock: [ 92.710246][ T5323] ffff8880433a20a8 (&tree->tree_lock/1){+.+.}-{4:4}, at: hfs_find_init+0x18e/0x300 [ 92.714219][ T5323] [ 92.714219][ T5323] but task is already holding lock: [ 92.717164][ T5323] ffff8880432a40f0 (&HFS_I(tree->inode)->extents_lock){+.+.}-{4:4}, at: hfs_extend_file+0xf2/0x15e0 [ 92.721446][ T5323] [ 92.721446][ T5323] which lock already depends on the new lock. [ 92.721446][ T5323] [ 92.725740][ T5323] [ 92.725740][ T5323] the existing dependency chain (in reverse order) is: [ 92.729409][ T5323] [ 92.729409][ T5323] -> #1 (&HFS_I(tree->inode)->extents_lock){+.+.}-{4:4}: [ 92.733142][ T5323] __mutex_lock+0x1a3/0x1550 [ 92.736078][ T5323] hfs_extend_file+0xf2/0x15e0 [ 92.738197][ T5323] hfs_bmap_reserve+0x107/0x430 [ 92.740378][ T5323] __hfs_ext_write_extent+0x1fa/0x470 [ 92.742671][ T5323] __hfs_ext_cache_extent+0x6b/0x9b0 [ 92.745129][ T5323] hfs_extend_file+0x39b/0x15e0 [ 92.747976][ T5323] hfs_get_block+0x412/0xc50 [ 92.750470][ T5323] __block_write_begin_int+0x6c6/0x1910 [ 92.753116][ T5323] cont_write_begin+0x737/0xae0 [ 92.755422][ T5323] hfs_write_begin+0x66/0xb0 [ 92.757608][ T5323] cont_write_begin+0x2e7/0xae0 [ 92.759973][ T5323] hfs_write_begin+0x66/0xb0 [ 92.762067][ T5323] hfs_file_truncate+0x1cf/0xb70 [ 92.764357][ T5323] hfs_inode_setattr+0x4a9/0x670 [ 92.766670][ T5323] notify_change+0xc1a/0xf40 [ 92.769136][ T5323] do_truncate+0x1c2/0x250 [ 92.771239][ T5323] do_ftruncate+0x490/0x540 [ 92.773347][ T5323] __x64_sys_ftruncate+0x8f/0xe0 [ 92.775762][ T5323] do_syscall_64+0x15f/0xf80 [ 92.777908][ T5323] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 92.780360][ T5323] [ 92.780360][ T5323] -> #0 (&tree->tree_lock/1){+.+.}-{4:4}: [ 92.783711][ T5323] __lock_acquire+0x15a5/0x2cf0 [ 92.786036][ T5323] lock_acquire+0x106/0x350 [ 92.788797][ T5323] __mutex_lock+0x1a3/0x1550 [ 92.791823][ T5323] hfs_find_init+0x18e/0x300 [ 92.793972][ T5323] hfs_extend_file+0x35c/0x15e0 [ 92.796334][ T5323] hfs_bmap_reserve+0x107/0x430 [ 92.798657][ T5323] hfs_cat_create+0x20f/0x800 [ 92.800797][ T5323] hfs_create+0x75/0xe0 [ 92.802842][ T5323] path_openat+0x1395/0x3860 [ 92.805110][ T5323] do_file_open+0x23e/0x4a0 [ 92.807264][ T5323] do_sys_openat2+0x113/0x200 [ 92.809657][ T5323] __x64_sys_openat+0x138/0x170 [ 92.812046][ T5323] do_syscall_64+0x15f/0xf80 [ 92.814282][ T5323] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 92.816977][ T5323] [ 92.816977][ T5323] other info that might help us debug this: [ 92.816977][ T5323] [ 92.821244][ T5323] Possible unsafe locking scenario: [ 92.821244][ T5323] [ 92.824358][ T5323] CPU0 CPU1 [ 92.826705][ T5323] ---- ---- [ 92.829040][ T5323] lock(&HFS_I(tree->inode)->extents_lock); [ 92.831594][ T5323] lock(&tree->tree_lock/1); [ 92.834640][ T5323] lock(&HFS_I(tree->inode)->extents_lock); [ 92.838258][ T5323] lock(&tree->tree_lock/1); [ 92.840870][ T5323] [ 92.840870][ T5323] *** DEADLOCK *** [ 92.840870][ T5323] [ 92.844926][ T5323] 4 locks held by syz.0.0/5323: [ 92.847010][ T5323] #0: ffff888033b0c410 (sb_writers#12){.+.+}-{0:0}, at: mnt_want_write+0x41/0x90 [ 92.851166][ T5323] #1: ffff8880435c7ad0 (&type->i_mutex_dir_key#8){++++}-{4:4}, at: path_openat+0xb4c/0x3860 [ 92.855387][ T5323] #2: ffff8880433a00a8 (&tree->tree_lock){+.+.}-{4:4}, at: hfs_find_init+0x18e/0x300 [ 92.859357][ T5323] #3: ffff8880432a40f0 (&HFS_I(tree->inode)->extents_lock){+.+.}-{4:4}, at: hfs_extend_file+0xf2/0x15e0 [ 92.863897][ T5323] [ 92.863897][ T5323] stack backtrace: [ 92.866383][ T5323] CPU: 0 UID: 0 PID: 5323 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 92.866400][ T5323] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 92.866407][ T5323] Call Trace: [ 92.866414][ T5323] [ 92.866421][ T5323] dump_stack_lvl+0xe8/0x150 [ 92.866438][ T5323] print_circular_bug+0x2e1/0x300 [ 92.866456][ T5323] check_noncircular+0x12e/0x150 [ 92.866471][ T5323] __lock_acquire+0x15a5/0x2cf0 [ 92.866483][ T5323] ? _raw_spin_unlock_irqrestore+0x30/0x80 [ 92.866498][ T5323] ? _raw_spin_unlock_irqrestore+0x4c/0x80 [ 92.866514][ T5323] ? stack_depot_save_flags+0x3f3/0x810 [ 92.866576][ T5323] ? kasan_save_track+0x4f/0x80 [ 92.866586][ T5323] ? kasan_save_track+0x3e/0x80 [ 92.866594][ T5323] ? hfs_find_init+0x18e/0x300 [ 92.866605][ T5323] lock_acquire+0x106/0x350 [ 92.866615][ T5323] ? hfs_find_init+0x18e/0x300 [ 92.866630][ T5323] __mutex_lock+0x1a3/0x1550 [ 92.866647][ T5323] ? hfs_find_init+0x18e/0x300 [ 92.866663][ T5323] ? hfs_find_init+0x18e/0x300 [ 92.866677][ T5323] ? __pfx___mutex_lock+0x10/0x10 [ 92.866693][ T5323] ? rcu_is_watching+0x15/0xb0 [ 92.866707][ T5323] ? __kmalloc_noprof+0x37d/0x760 [ 92.866719][ T5323] ? kasan_save_track+0x4f/0x80 [ 92.866731][ T5323] ? hfs_find_init+0xaa/0x300 [ 92.866751][ T5323] ? __kmalloc_noprof+0x1b8/0x760 [ 92.866764][ T5323] hfs_find_init+0x18e/0x300 [ 92.866780][ T5323] hfs_extend_file+0x35c/0x15e0 [ 92.866794][ T5323] ? __pfx_hfs_extend_file+0x10/0x10 [ 92.866804][ T5323] ? __mutex_lock+0x319/0x1550 [ 92.866821][ T5323] ? hfs_find_init+0x18e/0x300 [ 92.866834][ T5323] ? __pfx___mutex_lock+0x10/0x10 [ 92.866850][ T5323] ? rcu_is_watching+0x15/0xb0 [ 92.866863][ T5323] hfs_bmap_reserve+0x107/0x430 [ 92.866883][ T5323] hfs_cat_create+0x20f/0x800 [ 92.866892][ T5323] ? do_raw_spin_lock+0x12b/0x2f0 [ 92.866902][ T5323] ? __pfx_hfs_cat_create+0x10/0x10 [ 92.866911][ T5323] ? _raw_spin_unlock+0x28/0x50 [ 92.866919][ T5323] ? hfs_new_inode+0x92d/0xc70 [ 92.866928][ T5323] hfs_create+0x75/0xe0 [ 92.866934][ T5323] ? __pfx_hfs_create+0x10/0x10 [ 92.866940][ T5323] path_openat+0x1395/0x3860 [ 92.866953][ T5323] ? __pfx_path_openat+0x10/0x10 [ 92.866961][ T5323] ? __x64_sys_openat+0x138/0x170 [ 92.866971][ T5323] do_file_open+0x23e/0x4a0 [ 92.866979][ T5323] ? __pfx_do_file_open+0x10/0x10 [ 92.866990][ T5323] ? _raw_spin_unlock+0x28/0x50 [ 92.866998][ T5323] ? alloc_fd+0x64b/0x6c0 [ 92.867006][ T5323] do_sys_openat2+0x113/0x200 [ 92.867013][ T5323] ? __se_sys_futex+0x3a8/0x450 [ 92.867022][ T5323] ? __pfx_do_sys_openat2+0x10/0x10 [ 92.867030][ T5323] __x64_sys_openat+0x138/0x170 [ 92.867037][ T5323] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 92.867045][ T5323] do_syscall_64+0x15f/0xf80 [ 92.867056][ T5323] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 92.867062][ T5323] ? clear_bhb_loop+0x40/0x90 [ 92.867070][ T5323] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 92.867105][ T5323] RIP: 0033:0x7f73fb99ce59 [ 92.867114][ T5323] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 92.867121][ T5323] RSP: 002b:00007f73fc8bafe8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 92.867131][ T5323] RAX: ffffffffffffffda RBX: 00007f73fbc15fa0 RCX: 00007f73fb99ce59 [ 92.867136][ T5323] RDX: 000000000000275a RSI: 00002000000000c0 RDI: ffffffffffffff9c [ 92.867142][ T5323] RBP: 00007f73fba32d6f R08: 0000000000000000 R09: 0000000000000000 [ 92.867147][ T5323] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 92.867151][ T5323] R13: 00007f73fbc16038 R14: 00007f73fbc15fa0 R15: 00007fff3cb30908 [ 92.867159][ T5323] [ 93.025235][ T179] Buffer I/O error on dev loop0, logical block 4169, lost async page write [ 93.042788][ T179] kworker/u4:6: attempt to access beyond end of device [ 93.042788][ T179] loop0: rw=1, sector=4170, nr_sectors = 1 limit=64 [ 93.058202][ T179] Buffer I/O error on dev loop0, logical block 4170, lost async page write