[BUG] ext4: kernel BUG in ext4_do_writepages during writeback on crafted ext4 image

From: ZW Tang

Date: Mon Jun 29 2026 - 03:17:02 EST


Hi,

I am reporting a kernel BUG triggered by a syzkaller C reproducer on
Linux 7.1.0-rc5. The crash happens in the ext4 writeback path while a
writeback worker is flushing an ext4 filesystem image mounted by the
reproducer.

The system hits a BUG_ON in ext4_do_writepages():

kernel BUG at fs/ext4/inode.c:2825!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI

The reproducer mounts crafted ext4 images through syz_mount_image$ext4,
creates/truncates a file on the mounted filesystem, and then performs
file operations such as sendfile() and mmap(MAP_SHARED). The crash is
then triggered asynchronously from the writeback worker.

This looks like a possible ext4 writeback state inconsistency involving
delayed allocation / journalled-data handling. In particular,
ext4_do_writepages() appears to enter a path where journalled data should
not be present, but the internal ext4 invariant is violated and the
kernel hits BUG_ON.

Reproducer:
C reproducer: https://pastebin.com/Qmq84vS2
console output: https://pastebin.com/Y8KsMt6r
kernel config: https://pastebin.com/raw/fUwrL2uz

Kernel:
HEAD commit: e7ae89a0c97c
git tree: torvalds/linux
kernel version: 7.1.0-rc5 #2 PREEMPT(lazy) (QEMU Ubuntu 24.10)

Crash log:

kernel BUG at fs/ext4/inode.c:2825!
Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 2419 Comm: kworker/u8:8 Not tainted 7.1.0-rc5 #2 PREEMPT(lazy)
Hardware name: QEMU Ubuntu 24.10 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: writeback wb_workfn (flush-7:1)
RIP: 0010:ext4_do_writepages+0x2682/0x3580 inode.c:-1

Call Trace:

ext4_writepages+0x2d7/0x590 inode.c:-1
do_writepages+0x1f6/0x500
__writeback_single_inode+0xb5/0xa90 fs-writeback.c:-1
writeback_sb_inodes+0x5d1/0xd60 fs-writeback.c:-1
wb_writeback+0x175/0x820 fs-writeback.c:-1
wb_workfn+0x1de/0xa10
process_scheduled_works+0x997/0x11d0 workqueue.c:-1
worker_thread+0x453/0xa50 workqueue.c:-1
kthread+0x37b/0x4a0 kthread.c:-1
ret_from_fork+0x435/0x710
ret_from_fork_asm+0x1a/0x30

Modules linked in:
---[ end trace 0000000000000000 ]---

Thanks
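As an added example (not part of this report or of the reproducer), a small Python triage helper that parses an oops header and call trace of the shape quoted above into a stable crash signature and reports whether the BUG fired in the reproducer's own task or, as here, asynchronously in a writeback worker; the sample input is the log from this report, shortened.

```python
import re

# Constructed sample input: the oops lines quoted in this report (trace shortened).
SAMPLE_OOPS = """\
kernel BUG at fs/ext4/inode.c:2825!
CPU: 0 UID: 0 PID: 2419 Comm: kworker/u8:8 Not tainted 7.1.0-rc5 #2 PREEMPT(lazy)
Workqueue: writeback wb_workfn (flush-7:1)
RIP: 0010:ext4_do_writepages+0x2682/0x3580 inode.c:-1
Call Trace:

ext4_writepages+0x2d7/0x590 inode.c:-1
do_writepages+0x1f6/0x500
__writeback_single_inode+0xb5/0xa90 fs-writeback.c:-1
---[ end trace 0000000000000000 ]---
"""
HEADER_RES = {
    "bug": re.compile(r"^kernel BUG at (?P<file>\S+):(?P<line>\d+)!"),
    "comm": re.compile(r"\bComm: (?P<comm>\S+)"),
    "wq": re.compile(r"^Workqueue: (?P<wq>\S+) (?P<fn>\S+)"),
    "rip": re.compile(r"^RIP: [0-9a-f]{4}:(?P<func>[\w.]+)\+0x"),
}
FRAME_RE = re.compile(r"^(?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?:\s+(?P<src>\S+))?$")

def parse_oops(text):
    """Extract the fields that identify a kernel BUG/oops for triage and dedup."""
    info, in_trace = {"frames": []}, False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Call Trace:"):
            in_trace = True
        elif line.startswith(("Modules linked in", "---[")):
            in_trace = False
        elif in_trace:
            m = FRAME_RE.match(line)
            if m:  # (function, source location or None when not symbolised)
                info["frames"].append((m["func"], m["src"]))
        else:
            for key, rx in HEADER_RES.items():
                m = rx.search(line)
                if m:
                    info[key] = m.groupdict()
    return info

def crash_title(info):
    # Stable signature in the syzbot style: BUG site plus the faulting function.
    return "kernel BUG at %s:%s in %s" % (info["bug"]["file"], info["bug"]["line"], info["rip"]["func"])

def trigger_context(info):
    # Did the crash fire in the reproducer's own task or asynchronously in a worker?
    wq = info.get("wq")
    return ("workqueue %s/%s" % (wq["wq"], wq["fn"]) if wq else "task") + " (%s)" % info["comm"]["comm"]
```

Feeding it the full console log instead of the shortened sample works the same way; a Workqueue line in the header is what marks the crash as asynchronous to the syscalls the reproducer issued.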