program: syz_mount_image$hfsplus(&(0x7f0000000040), &(0x7f0000000080)='./file1\x00', 0x400, &(0x7f0000000140)=ANY=[], 0x1, 0x694, &(0x7f0000001100)="$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") r0 = creat(&(0x7f0000000000)='./bus\x00', 0x0) io_setup(0x202, &(0x7f0000000200)=<r1=>0x0) syz_usb_connect(0x0, 0x2d, &(0x7f0000000100)=ANY=[@ANYBLOB="12010000d5e9bd40eb030200c0ba050000010902115c01000000000904000001b504b100090581"], 0x0) r2 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000100), 0x0, 0x0) r3 = ioctl$KVM_CREATE_VM(r2, 0xae01, 0x0) ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000000540)={0x0, 0x1, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil}) ioctl$KVM_SET_USER_MEMORY_REGION(r3, 0x4020ae46, &(0x7f0000000180)={0x0, 0x1, 0x100000000000000, 0x2000, &(0x7f0000000000/0x2000)=nil}) r4 = syz_open_dev$evdev(&(0x7f0000000000), 0x4, 0x0) io_getevents(r1, 0xa55, 0x7, &(0x7f0000000240)=[{}, {}, {}, {}, {}, {}, {}], &(0x7f0000000140)={0x77359400}) prctl$PR_SET_MM_MAP(0x23, 0xe, &(0x7f0000000080)={&(0x7f0000036000/0x2000)=nil, &(0x7f0000594000/0x4000)=nil, &(0x7f0000f36000/0x2000)=nil, &(0x7f0000918000/0x4000)=nil, &(0x7f0000ff8000/0x4000)=nil, &(0x7f0000ff8000/0x3000)=nil, &(0x7f0000ffb000/0x3000)=nil, &(0x7f0000ffb000/0x3000)=nil, &(0x7f0000c12000/0x2000)=nil, &(0x7f000003f000/0x1000)=nil, &(0x7f0000ffa000/0x2000)=nil, 0x0, 0x30}, 0x68) sendmsg$NFT_BATCH(0xffffffffffffffff, &(0x7f0000000080)={0x0, 0x0, 0x0}, 0x0) r5 = io_uring_setup(0x5, &(0x7f0000000040)={0x0, 0x2cd0, 0xc000, 0x5, 0xc1}) bpf$MAP_CREATE(0x0, &(0x7f0000000000)=ANY=[@ANYBLOB="22bf000000", @ANYRES32, @ANYBLOB="0200"/19, @ANYRES32=0x0, @ANYRES32, @ANYBLOB="0200200001"], 0x50) r6 = socket$nl_generic(0x10, 0x3, 0x10) r7 = syz_genetlink_get_family_id$ethtool(&(0x7f0000000240), 0xffffffffffffffff) sendmsg$ETHTOOL_MSG_LINKMODES_SET(r6, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000140)={0x44, r7, 0x1, 0x0, 0x0, {}, [@ETHTOOL_A_LINKMODES_HEADER={0x18, 0x1, 0x0, 0x1, 
[@ETHTOOL_A_HEADER_DEV_NAME={0x14, 0x2, 'syz_tun\x00'}]}, @ETHTOOL_A_LINKMODES_SPEED={0x8}, @ETHTOOL_A_LINKMODES_LANES={0x8, 0x9, 0x1}, @ETHTOOL_A_LINKMODES_AUTONEG={0x5, 0x2, 0xd0}]}, 0x44}}, 0x0) ioctl$sock_ipv6_tunnel_SIOCGET6RD(r0, 0x89f8, &(0x7f00000003c0)={'gre0\x00', &(0x7f0000000340)={'syztnl1\x00', <r8=>0x0, 0x7, 0x8000, 0x22e, 0x5, {{0x13, 0x4, 0x3, 0x28, 0x4c, 0x65, 0x0, 0x7, 0x4, 0x0, @private=0xa010102, @local, {[@end, @cipso={0x86, 0x27, 0x3, [{0x7, 0x4, 'Iw'}, {0x91c5afe8af5e3057, 0xb, "3ba2d8b3bff30d5e19"}, {0x2, 0xc, "a407ba138f5ac954a401"}, {0x0, 0x6, "f4520788"}]}, @ra={0x94, 0x4}, @ssrr={0x89, 0xb, 0x11, [@empty, @local]}]}}}}}) sendmsg$ETHTOOL_MSG_PRIVFLAGS_GET(r0, &(0x7f0000000500)={&(0x7f00000001c0)={0x10, 0x0, 0x0, 0x20}, 0xc, &(0x7f00000004c0)={&(0x7f0000000580)=ANY=[@ANYBLOB="a8000000", @ANYRES16=r7, @ANYBLOB="000229bd7000fcdbdf250d0000001c00018008000100", @ANYRES32=0x0, @ANYBLOB="0800030000000800030001000000040001803800018008000300020000000800030002000000080001000000dd9d355ed78bae1fb6c59bff4206bdd0855a217ad420db80ffe13005f46d1b77629e50d880e2d543519690a6b20c542057df234ea22425c0bd080aad56a11b00133336403965d781", @ANYRES32=0x0, @ANYBLOB="08000108", @ANYRES32=r8, @ANYBLOB="1400020064766d7270310000000000000000000020000180080003000200000014000200776731000000000000000000000000001c000180080003000100000008000300030000000800030002000000"], 0xa8}, 0x1, 0x0, 0x0, 0x40810}, 0x40800) setsockopt$sock_int(0xffffffffffffffff, 0x1, 0x6, &(0x7f0000000000)=0x32, 0x4) io_uring_enter(r5, 0x2219, 0x7721, 0x16, 0x0, 0x0) ioctl$EVIOCSKEYCODE_V2(r4, 0x40284504, &(0x7f0000000080)={0x5, 0x0, 0x6, 0x9, "d80004000000000000957f78e83d4a100a000000000020000661e6e66b8b37ff"}) io_submit(r1, 0x3b, &(0x7f0000000540)=[&(0x7f00000000c0)={0x25, 0xe7030000, 0x0, 0x1, 0x0, r0, &(0x7f0000000000), 0x70000}]) open$dir(&(0x7f0000000400)='./file1\x00', 0x108281, 0x10) [ 75.433440][ T4685] Bluetooth: hci0: command tx timeout [ 75.507039][ T5338] loop0: detected capacity change from 0 to 1024 
[ 75.820166][ T5336] usb 5-1: new high-speed USB device number 2 using dummy_hcd [ 75.972813][ T5336] usb 5-1: config index 0 descriptor too short (expected 23569, got 27) [ 75.976619][ T5336] usb 5-1: config 0 interface 0 altsetting 0 endpoint 0x81 has invalid wMaxPacketSize 0 [ 75.983203][ T5336] usb 5-1: New USB device found, idVendor=03eb, idProduct=0002, bcdDevice=ba.c0 [ 75.987623][ T5336] usb 5-1: New USB device strings: Mfr=5, Product=0, SerialNumber=0 [ 75.991621][ T5336] usb 5-1: Manufacturer: syz [ 76.001042][ T5336] usb 5-1: config 0 descriptor?? [ 76.070705][ T5336] rc_core: IR keymap rc-hauppauge not found [ 76.073439][ T5336] Registered IR keymap rc-empty [ 76.081961][ T5336] rc rc0: IgorPlug-USB IR Receiver as /devices/platform/dummy_hcd.0/usb5/5-1/5-1:0.0/rc/rc0 [ 76.087880][ T5336] input: IgorPlug-USB IR Receiver as /devices/platform/dummy_hcd.0/usb5/5-1/5-1:0.0/rc/rc0/input5 [ 76.256201][ T5338] [ 76.257289][ T5338] ====================================================== [ 76.260435][ T5338] WARNING: possible circular locking dependency detected [ 76.263531][ T5338] syzkaller #0 Not tainted [ 76.265353][ T5338] ------------------------------------------------------ [ 76.268490][ T5338] syz.0.0/5338 is trying to acquire lock: [ 76.270988][ T5338] ffff88801f5dc0b0 (&tree->tree_lock/1){+.+.}-{4:4}, at: hfsplus_find_init+0x168/0x2d0 [ 76.275380][ T5338] [ 76.275380][ T5338] but task is already holding lock: [ 76.278451][ T5338] ffff8880408f3048 (&HFSPLUS_I(inode)->extents_lock){+.+.}-{4:4}, at: hfsplus_file_truncate+0x2a0/0xc10 [ 76.283195][ T5338] [ 76.283195][ T5338] which lock already depends on the new lock. 
[ 76.283195][ T5338] [ 76.287217][ T5338] [ 76.287217][ T5338] the existing dependency chain (in reverse order) is: [ 76.290667][ T5338] [ 76.290667][ T5338] -> #1 (&HFSPLUS_I(inode)->extents_lock){+.+.}-{4:4}: [ 76.294263][ T5338] __mutex_lock+0x187/0x1350 [ 76.296359][ T5338] hfsplus_file_extend+0x1f8/0x1c30 [ 76.298955][ T5338] hfsplus_bmap_reserve+0x125/0x510 [ 76.301352][ T5338] __hfsplus_ext_write_extent+0x28d/0x5b0 [ 76.303911][ T5338] __hfsplus_ext_cache_extent+0x89/0xe30 [ 76.306628][ T5338] hfsplus_file_extend+0x437/0x1c30 [ 76.309142][ T5338] hfsplus_get_block+0x40a/0x1600 [ 76.311555][ T5338] __block_write_begin_int+0x6b5/0x1900 [ 76.314186][ T5338] cont_write_begin+0x78c/0xb50 [ 76.316484][ T5338] hfsplus_write_begin+0x66/0xb0 [ 76.318801][ T5338] generic_perform_write+0x2c5/0x900 [ 76.321183][ T5338] generic_file_write_iter+0x117/0x550 [ 76.323859][ T5338] aio_write+0x535/0x7a0 [ 76.325956][ T5338] io_submit_one+0x775/0x1430 [ 76.328289][ T5338] __se_sys_io_submit+0x185/0x320 [ 76.330744][ T5338] do_syscall_64+0xec/0xf80 [ 76.332984][ T5338] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.335713][ T5338] [ 76.335713][ T5338] -> #0 (&tree->tree_lock/1){+.+.}-{4:4}: [ 76.339040][ T5338] __lock_acquire+0x15a6/0x2cf0 [ 76.341436][ T5338] lock_acquire+0x107/0x340 [ 76.343590][ T5338] __mutex_lock+0x187/0x1350 [ 76.345479][ T5338] hfsplus_find_init+0x168/0x2d0 [ 76.347612][ T5338] hfsplus_file_truncate+0x387/0xc10 [ 76.350258][ T5338] hfsplus_setattr+0x1c4/0x270 [ 76.352598][ T5338] notify_change+0xc1a/0xf40 [ 76.354883][ T5338] do_truncate+0x1a4/0x220 [ 76.357059][ T5338] path_openat+0x359d/0x3dd0 [ 76.359251][ T5338] do_filp_open+0x1fa/0x410 [ 76.361382][ T5338] do_sys_openat2+0x121/0x200 [ 76.363675][ T5338] __x64_sys_open+0x11e/0x150 [ 76.366081][ T5338] do_syscall_64+0xec/0xf80 [ 76.368271][ T5338] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.371084][ T5338] [ 76.371084][ T5338] other info that might help us debug this: [ 76.371084][ T5338] [ 
76.375513][ T5338] Possible unsafe locking scenario: [ 76.375513][ T5338] [ 76.378643][ T5338] CPU0 CPU1 [ 76.380783][ T5338] ---- ---- [ 76.383043][ T5338] lock(&HFSPLUS_I(inode)->extents_lock); [ 76.385489][ T5338] lock(&tree->tree_lock/1); [ 76.388456][ T5338] lock(&HFSPLUS_I(inode)->extents_lock); [ 76.392188][ T5338] lock(&tree->tree_lock/1); [ 76.394122][ T5338] [ 76.394122][ T5338] *** DEADLOCK *** [ 76.394122][ T5338] [ 76.397565][ T5338] 3 locks held by syz.0.0/5338: [ 76.399699][ T5338] #0: ffff888043bbe420 (sb_writers#12){.+.+}-{0:0}, at: mnt_want_write+0x41/0x90 [ 76.403418][ T5338] #1: ffff8880408f3238 (&sb->s_type->i_mutex_key#24){+.+.}-{4:4}, at: do_truncate+0x171/0x220 [ 76.407577][ T5338] #2: ffff8880408f3048 (&HFSPLUS_I(inode)->extents_lock){+.+.}-{4:4}, at: hfsplus_file_truncate+0x2a0/0xc10 [ 76.412270][ T5338] [ 76.412270][ T5338] stack backtrace: [ 76.414848][ T5338] CPU: 0 UID: 0 PID: 5338 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 76.414865][ T5338] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 76.414872][ T5338] Call Trace: [ 76.414879][ T5338] <TASK> [ 76.414886][ T5338] dump_stack_lvl+0xe8/0x150 [ 76.414904][ T5338] print_circular_bug+0x2e2/0x300 [ 76.414919][ T5338] check_noncircular+0x12e/0x150 [ 76.414933][ T5338] __lock_acquire+0x15a6/0x2cf0 [ 76.414944][ T5338] ? _raw_spin_unlock_irqrestore+0x30/0x80 [ 76.414958][ T5338] ? lockdep_hardirqs_on+0x7b/0x110 [ 76.414968][ T5338] ? _raw_spin_unlock_irqrestore+0x4c/0x80 [ 76.414983][ T5338] ? stack_depot_save_flags+0x3f3/0x810 [ 76.414998][ T5338] ? hfsplus_find_init+0x168/0x2d0 [ 76.415012][ T5338] lock_acquire+0x107/0x340 [ 76.415022][ T5338] ? hfsplus_find_init+0x168/0x2d0 [ 76.415038][ T5338] __mutex_lock+0x187/0x1350 [ 76.415048][ T5338] ? hfsplus_find_init+0x168/0x2d0 [ 76.415063][ T5338] ? hfsplus_find_init+0x168/0x2d0 [ 76.415077][ T5338] ? __pfx___mutex_lock+0x10/0x10 [ 76.415111][ T5338] ? 
rcu_is_watching+0x15/0xb0 [ 76.415126][ T5338] ? trace_kmalloc+0x1f/0xb0 [ 76.415139][ T5338] ? __kmalloc_noprof+0x43e/0x800 [ 76.415154][ T5338] ? hfsplus_find_init+0x8c/0x2d0 [ 76.415168][ T5338] hfsplus_find_init+0x168/0x2d0 [ 76.415182][ T5338] hfsplus_file_truncate+0x387/0xc10 [ 76.415197][ T5338] ? __pfx_hfsplus_file_truncate+0x10/0x10 [ 76.415209][ T5338] ? unmap_mapping_range+0xde/0x170 [ 76.415221][ T5338] ? __pfx_unmap_mapping_range+0x10/0x10 [ 76.415232][ T5338] ? truncate_setsize+0xcf/0xf0 [ 76.415245][ T5338] hfsplus_setattr+0x1c4/0x270 [ 76.415255][ T5338] ? __pfx_hfsplus_setattr+0x10/0x10 [ 76.415265][ T5338] notify_change+0xc1a/0xf40 [ 76.415282][ T5338] do_truncate+0x1a4/0x220 [ 76.415296][ T5338] ? __pfx_do_truncate+0x10/0x10 [ 76.415308][ T5338] ? apparmor_file_truncate+0x23e/0x2d0 [ 76.415325][ T5338] path_openat+0x359d/0x3dd0 [ 76.415345][ T5338] ? __pfx_path_openat+0x10/0x10 [ 76.415362][ T5338] do_filp_open+0x1fa/0x410 [ 76.415375][ T5338] ? __pfx_do_filp_open+0x10/0x10 [ 76.415391][ T5338] ? _raw_spin_unlock+0x28/0x50 [ 76.415400][ T5338] ? alloc_fd+0x64c/0x6c0 [ 76.415408][ T5338] do_sys_openat2+0x121/0x200 [ 76.415415][ T5338] ? __se_sys_futex+0x36f/0x400 [ 76.415421][ T5338] ? __pfx_do_sys_openat2+0x10/0x10 [ 76.415429][ T5338] ? rcu_is_watching+0x15/0xb0 [ 76.415437][ T5338] __x64_sys_open+0x11e/0x150 [ 76.415444][ T5338] do_syscall_64+0xec/0xf80 [ 76.415450][ T5338] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.415457][ T5338] ? 
clear_bhb_loop+0x60/0xb0 [ 76.415463][ T5338] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.415472][ T5338] RIP: 0033:0x7f36ba98f7c9 [ 76.415483][ T5338] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 76.415492][ T5338] RSP: 002b:00007f36bb7bc038 EFLAGS: 00000246 ORIG_RAX: 0000000000000002 [ 76.415504][ T5338] RAX: ffffffffffffffda RBX: 00007f36babe5fa0 RCX: 00007f36ba98f7c9 [ 76.415512][ T5338] RDX: 0000000000000010 RSI: 0000000000108281 RDI: 0000200000000400 [ 76.415519][ T5338] RBP: 00007f36baa13f91 R08: 0000000000000000 R09: 0000000000000000 [ 76.415525][ T5338] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 76.415531][ T5338] R13: 00007f36babe6038 R14: 00007f36babe5fa0 R15: 00007ffde6d28dd8 [ 76.415541][ T5338] </TASK> [ 76.623208][ T9] usb 5-1: USB disconnect, device number 2