Dear Linux Kernel Developers,

I've encountered a kernel BUG in the Ext4 filesystem on Linux 6.14.0-rc4 during an inline data write, which may indicate a regression from prior fixes. Here are the details:

Kernel commit: v6.14-rc4 (Commits on Feb 24, 2025)
Kernel Config: https://github.com/Strforexc/LinuxKernelbug/blob/main/.config
Kernel Log: https://github.com/Strforexc/LinuxKernelbug/blob/main/bug_ext4_write_inline_data/log0
Reproduce.c: https://github.com/Strforexc/LinuxKernelbug/blob/main/bug_ext4_write_inline_data/repro.cprog

A kernel BUG is triggered at fs/ext4/inline.c:235 in ext4_write_inline_data, causing an invalid opcode exception. This occurs during a sendfile64 operation writing inline data, likely due to an assertion failure (BUG_ON).

Location: The BUG occurs at a BUG_ON in ext4_write_inline_data, likely BUG_ON(pos + len > EXT4_I(inode)->i_inline_size) (line 231), with pos=96 and len=97 (total 193 bytes).
Cause: The write exceeds the inode's inline size, triggering the assertion. Higher-level calls fail to validate the size, allowing an oversized request.
Context: Syzkaller's sendfile64 crafted a write to an inline Ext4 inode, exposing this issue.
Regression: Ext4 inline data handling has had prior fixes. This BUG suggests a regression where size validation was weakened, allowing invalid writes to reach the assertion.
Impact: The BUG causes a kernel panic (DoS). While not directly exploitable beyond that, it indicates a validation gap.
Request: Could Ext4 maintainers investigate? This appears to be a regression from prior inline data fixes.
Suggestion: Add size validation in ext4_da_write_end or ext4_file_write_iter before calling ext4_write_inline_data.

Our knowledge of the kernel is somewhat limited, and we'd appreciate it if you could determine if there is such an issue. If this issue doesn't have an impact, please ignore it ☺.
If you fix this issue, please add the following tag to the commit:
Reported-by: Zhizhuo Tang <strforexctzzchange@xxxxxxxxxxx>, Jianzhou Zhao <xnxc22xnxc22@xxxxxx>, Haoran Liu <cherest_san@xxxxxxx>

===========================================================================
------------[ cut here ]------------
kernel BUG at fs/ext4/inline.c:235!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 1 UID: 0 PID: 12157 Comm: syz.0.58 Not tainted 6.14.0-rc4 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:ext4_write_inline_data+0x346/0x3e0 fs/ext4/inline.c:235
Code: d0 f6 4b ff e8 cb f6 4b ff 42 8d 6c 25 c4 41 bd 3c 00 00 00 45 29 e5 e9 e8 fe ff ff e8 b3 f6 4b ff 90 0f 0b e8 ab f6 4b ff 90 <0f> 0b e8 63 95 ac ff e9 fb fd ff ff 4c 89 f7 e8 56 95 ac ff e9 96
RSP: 0018:ffffc900043e7628 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff888012c251f0 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000060
R13: 0000000000000061 R14: ffff888012c2579a R15: ffffc900043e76c0
FS:  00007f2c042b2640(0000) GS:ffff88807ee00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc99327fc00 CR3: 000000006a448000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 ext4_write_inline_data_end+0x25f/0xc20 fs/ext4/inline.c:774
 ext4_da_write_end+0x201/0x2d0 fs/ext4/inode.c:3080
 generic_perform_write+0x51c/0x910 mm/filemap.c:4204
 ext4_buffered_write_iter+0x11a/0x440 fs/ext4/file.c:299
 ext4_file_write_iter+0x350/0x420 fs/ext4/file.c:717
 iter_file_splice_write+0xa0a/0x1080 fs/splice.c:743
 do_splice_from fs/splice.c:941 [inline]
 direct_splice_actor+0x194/0x6f0 fs/splice.c:1164
 splice_direct_to_actor+0x343/0x9c0 fs/splice.c:1108
 do_splice_direct_actor fs/splice.c:1207 [inline]
 do_splice_direct+0x176/0x250 fs/splice.c:1233
 do_sendfile+0xa79/0xd90 fs/read_write.c:1363
 __do_sys_sendfile64 fs/read_write.c:1424 [inline]
 __se_sys_sendfile64 fs/read_write.c:1410 [inline]
 __x64_sys_sendfile64+0x1de/0x220 fs/read_write.c:1410
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcb/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2c033b85ad
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f2c042b1f98 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 00007f2c03646080 RCX: 00007f2c033b85ad
RDX: 0000000000000000 RSI: 0000000000000007 RDI: 0000000000000006
RBP: 00007f2c0346a8d6 R08: 0000000000000000 R09: 0000000000000000
R10: 000080001d00c0d0 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f2c03646080 R15: 00007f2c04292000
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:ext4_write_inline_data+0x346/0x3e0 fs/ext4/inline.c:235
Code: d0 f6 4b ff e8 cb f6 4b ff 42 8d 6c 25 c4 41 bd 3c 00 00 00 45 29 e5 e9 e8 fe ff ff e8 b3 f6 4b ff 90 0f 0b e8 ab f6 4b ff 90 <0f> 0b e8 63 95 ac ff e9 fb fd ff ff 4c 89 f7 e8 56 95 ac ff e9 96
RSP: 0018:ffffc900043e7628 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff888012c251f0 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000060
R13: 0000000000000061 R14: ffff888012c2579a R15: ffffc900043e76c0
FS:  00007f2c042b2640(0000) GS:ffff88802b600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2680f65e70 CR3: 000000006a448000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
==================================================================

Regards,
Strforexc
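The size invariant behind the reported BUG_ON, replayed in a userspace model. This is an added example, not code from the report, its repro, or fs/ext4 itself: `toy_inode`, `toy_write`, `toy_write_inline_data` and the 128-byte inline capacity are all constructed for illustration (the crashed inode's real i_inline_size is not known from the oops). It feeds the operands visible in the register dump (R12 = 0x60, pos 96; R13 = 0x61, len 97) first straight into the inline writer, which is the path that hit the assertion, and then through a caller that checks the size before the inline writer is reached and converts away from inline storage when the write does not fit, which is the shape of the validation the report asks for. The check is written as `len <= cap - pos` so a large pos + len cannot wrap.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, not ext4's inode; 128 is an assumed inline capacity. */
struct toy_inode {
	size_t i_inline_size;          /* bytes available inline */
	unsigned char inline_buf[128];
	unsigned char *ext_buf;        /* set once "converted" to extents */
	size_t ext_size, i_size;
	int has_inline;
};

/* The invariant behind BUG_ON(pos + len > i_inline_size), written as
 * len <= cap - pos so an oversized pos + len cannot wrap around. */
int inline_write_fits(size_t pos, size_t len, size_t inline_size)
{
	return pos <= inline_size && len <= inline_size - pos;
}

/* Model of the low-level inline writer: callers must have checked the
 * size already.  A bad call returns -EFBIG here instead of panicking. */
int toy_write_inline_data(struct toy_inode *ino, size_t pos, const void *buf, size_t len)
{
	if (!ino->has_inline)
		return -EINVAL;
	if (!inline_write_fits(pos, len, ino->i_inline_size))
		return -EFBIG;   /* where the kernel's BUG_ON fires */
	memcpy(ino->inline_buf + pos, buf, len);
	if (pos + len > ino->i_size)
		ino->i_size = pos + len;
	return 0;
}

/* Model of inline-to-extents conversion: move the bytes to a larger buffer. */
static int toy_convert_inline_to_extents(struct toy_inode *ino, size_t need)
{
	size_t cap = need < 4096 ? 4096 : need;
	unsigned char *p = calloc(1, cap);
	if (!p)
		return -ENOMEM;
	memcpy(p, ino->inline_buf, ino->i_size);
	ino->ext_buf = p;
	ino->ext_size = cap;
	ino->has_inline = 0;
	return 0;
}

/* The higher-level path the report asks to harden: check the size BEFORE
 * the inline writer is reached, converting when the write does not fit. */
int toy_write(struct toy_inode *ino, size_t pos, const void *buf, size_t len)
{
	if (len > SIZE_MAX - pos)
		return -EFBIG;
	if (ino->has_inline) {
		if (inline_write_fits(pos, len, ino->i_inline_size))
			return toy_write_inline_data(ino, pos, buf, len);
		int err = toy_convert_inline_to_extents(ino, pos + len);
		if (err)
			return err;
	}
	if (pos > ino->ext_size || len > ino->ext_size - pos)
		return -EFBIG;
	memcpy(ino->ext_buf + pos, buf, len);
	if (pos + len > ino->i_size)
		ino->i_size = pos + len;
	return 0;
}

/* Replay the reported operands (R12 = 0x60: pos 96, R13 = 0x61: len 97)
 * straight into the inline writer, as the crashing path did. */
int replay_reported_write_unchecked(void)
{
	struct toy_inode ino = { .i_inline_size = 128, .has_inline = 1 };
	unsigned char data[97];
	memset(data, 'A', sizeof data);   /* constructed payload */
	return toy_write_inline_data(&ino, 96, data, sizeof data);
}

/* Same operands through the validating path; returns the final i_size
 * after conversion, or a negative errno. */
long replay_reported_write_validated(void)
{
	struct toy_inode ino = { .i_inline_size = 128, .has_inline = 1 };
	unsigned char data[97];
	memset(data, 'A', sizeof data);
	int err = toy_write(&ino, 96, data, sizeof data);
	long ret = err ? err : (ino.has_inline ? -EINVAL : (long)ino.i_size);
	free(ino.ext_buf);
	return ret;
}

int main(void)
{
	printf("unchecked inline write: %d (-EFBIG is %d)\n", replay_reported_write_unchecked(), -EFBIG);
	printf("validated write: i_size = %ld\n", replay_reported_write_validated());
	return 0;
}
```

With the assumed 128-byte capacity the unchecked call fails the same `pos + len > i_inline_size` test the kernel asserts (193 > 128), while the validating path converts the inode and lands the bytes at offset 96 without ever reaching the inline writer; which of the two callers in the trace (ext4_da_write_end or ext4_file_write_iter) should own that check in ext4 is the maintainers' call, as the report says.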