[BUG] ext4: BUG_ON in ext4_write_inline_data (fs/ext4/inline.c:240)

From: Zw Tang

Date: Tue Apr 21 2026 - 07:34:07 EST


Hi,

I am reporting a kernel BUG in ext4 triggered by a syzkaller reproducer on
Linux 7.0.0-08391-g1d51b370a0f8.

The first fatal issue happens in the ext4 inline data write path:
sendfile64 -> ext4_file_write_iter -> ext4_da_write_end ->
ext4_write_inline_data_end -> ext4_write_inline_data.

The crash is reported as:

kernel BUG at fs/ext4/inline.c:240

and RIP points to:

ext4_write_inline_data+0x3d0/0x490

This looks like an ext4 inline-data boundary/state inconsistency triggered
while writing to an ext4 image crafted by syzkaller. The later
KASAN: slab-use-after-free in rwsem_down_write_slowpath() appears to be a
secondary effect after the primary ext4 BUG, likely during teardown/unlink
after the filesystem failure.

Reproducer:
C reproducer: pastebin.com/raw/3LmK5Kxg
console output: pastebin.com/raw/C0XjNMXp
kernel config: pastebin.com/raw/aq1V3cLk

Kernel:
HEAD commit:
git tree: <e.g. torvalds/linux>
kernel version: 7.0.0-08391-g1d51b370a0f8 #1 PREEMPT(lazy) (QEMU)

Relevant log:

[ 1329.147750] kernel BUG at fs/ext4/inline.c:240!
[ 1329.148692] Oops: invalid opcode: 0000 [#1] SMP KASAN
[ 1329.149543] CPU: 0 UID: 0 PID: 334 Comm: repro1 Tainted: G W
7.0.0-08391-g1d51b370a0f8 #1 PREEMPT(lazy)
[ 1329.153249] RIP: 0010+0x3d0/0x490
[ 1329.167978] ext4_write_inline_data_end+0x293/0xc90
[ 1329.170566] ext4_da_write_end+0x521/0xec0
[ 1329.176842] ext4_buffered_write_iter+0x11a/0x430
[ 1329.177610] ext4_file_write_iter+0x561/0x1840
[ 1329.185052] iter_file_splice_write+0xa33/0x11c0
[ 1329.190820] direct_splice_actor+0x18f/0x7a0
[ 1329.198893] do_splice_direct+0x41/0x50
[ 1329.200276] do_sendfile+0xa86/0xda0
[ 1329.203110] __x64_sys_sendfile64+0x1cf/0x210

There is also an ext4 metadata inconsistency message right after the BUG:

[ 1329.221770] EXT4-fs error (device loop1):
ext4_mb_generate_buddy:1314: group 0, block bitmap and bg descriptor
inconsistent: 25 vs 150994969 free clusters

and later a secondary report:

[ 1329.274881] BUG: KASAN: slab-use-after-free in
rwsem_down_write_slowpath+0x15e9/0x1640

Based on the log, I believe the primary issue to investigate is the BUG in
fs/ext4/inline.c, while the later rwsem report is probably fallout after
the ext4 failure.

Please let me know if more information is needed.

Thanks.
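The report's own triage logic (take the earliest fatal message as the primary issue and treat the later KASAN report as fallout) can be automated for console logs that arrive line-wrapped through a mailing list. The following Python script is an added example and is not part of the report or of the kernel tree; the sample log is built from the lines quoted above, and the assumption that any line without a `[timestamp]` prefix is a wrapped continuation of the previous record is a heuristic chosen here, not something the report states.

```python
import re
from dataclasses import dataclass

# A kernel console line normally starts with "[ seconds.micros ]".
TS_RE = re.compile(r'^\[\s*(\d+\.\d+)\]\s*(.*)$')
BUG_RE = re.compile(r'kernel BUG at (\S+?):(\d+)!?')
KASAN_RE = re.compile(r'BUG: KASAN: ([\w-]+) in (\w+)')
FS_RE = re.compile(r'EXT4-fs error \(device (\w+)\): (\w+):(\d+):')

# Constructed sample: the lines quoted in the report, wrapped as the mail shows them.
SAMPLE_LOG = """
[ 1329.147750] kernel BUG at fs/ext4/inline.c:240!
[ 1329.148692] Oops: invalid opcode: 0000 [#1] SMP KASAN
[ 1329.167978] ext4_write_inline_data_end+0x293/0xc90
[ 1329.203110] __x64_sys_sendfile64+0x1cf/0x210
[ 1329.221770] EXT4-fs error (device loop1):
ext4_mb_generate_buddy:1314: group 0, block bitmap and bg descriptor
inconsistent: 25 vs 150994969 free clusters
[ 1329.274881] BUG: KASAN: slab-use-after-free in
rwsem_down_write_slowpath+0x15e9/0x1640
""".strip().splitlines()


@dataclass
class KernelEvent:
    ts: float       # seconds since boot, -1.0 when the line had no timestamp
    kind: str       # "bug", "kasan", "fs_error" or "other"
    detail: str     # short human-readable key (file:line, report type, device)
    text: str       # the full, re-joined message


def join_continuations(lines):
    """Assumption: a line lacking a timestamp prefix is a wrapped continuation
    of the previous record, so glue it back on with a single space."""
    records = []
    for raw in lines:
        line = raw.rstrip()
        if not line:
            continue
        if TS_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records


def classify(record):
    """Map one re-joined console record to a KernelEvent."""
    m = TS_RE.match(record)
    ts = float(m.group(1)) if m else -1.0
    body = m.group(2) if m else record
    if (b := BUG_RE.search(body)):
        return KernelEvent(ts, "bug", f"{b.group(1)}:{b.group(2)}", body)
    if (k := KASAN_RE.search(body)):
        return KernelEvent(ts, "kasan", f"{k.group(1)} in {k.group(2)}", body)
    if (f := FS_RE.search(body)):
        return KernelEvent(ts, "fs_error", f"{f.group(1)} {f.group(2)}:{f.group(3)}", body)
    return KernelEvent(ts, "other", "", body)


def triage(lines):
    """Return (primary, secondaries, all_events): the earliest fatal report
    (kernel BUG or KASAN) is the primary issue; later fatal reports are
    candidates for fallout and should be verified, not assumed independent."""
    events = [classify(r) for r in join_continuations(lines)]
    fatal = sorted((e for e in events if e.kind in ("bug", "kasan")), key=lambda e: e.ts)
    primary = fatal[0] if fatal else None
    return primary, fatal[1:], events


if __name__ == "__main__":
    primary, secondaries, events = triage(SAMPLE_LOG)
    print("primary  :", primary.kind, primary.detail)
    for e in secondaries:
        print("secondary:", e.kind, e.detail, f"(+{e.ts - primary.ts:.3f}s)")
    for e in events:
        if e.kind == "fs_error":
            print("fs error :", e.detail)
```

The ordering is by timestamp only; it flags the later KASAN report as a candidate for fallout, which is exactly the reporter's hypothesis, but it cannot prove causality. Confirming that the rwsem use-after-free is really secondary still requires reproducing with the primary BUG fixed or avoided.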