[ext4?] kernel BUG in ext4_write_inline_data_end (2)


syzbot

Jan 25, 2023, 10:39:42 AM
to syzkaller-a...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: 95647568244a UPSTREAM: usb: gadget: f_hid: fix f_hidg life..
git tree: android12-5.4
console output: https://syzkaller.appspot.com/x/log.txt?x=15a5f001480000
kernel config: https://syzkaller.appspot.com/x/.config?x=8dc6bbfc90d8f09a
dashboard link: https://syzkaller.appspot.com/bug?extid=ba461b83903ea68a8198
compiler: Debian clang version 13.0.1-6~deb11u1, GNU ld (GNU Binutils for Debian) 2.35.2

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/650dbcfbfe7e/disk-95647568.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/98a166337984/vmlinux-95647568.xz
kernel image: https://storage.googleapis.com/syzbot-assets/9f968475c528/bzImage-95647568.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ba461b...@syzkaller.appspotmail.com

EXT4-fs (loop5): mounted filesystem without journal. Opts: ,errors=continue
------------[ cut here ]------------
kernel BUG at fs/ext4/inline.c:763!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 5677 Comm: syz-executor.5 Not tainted 5.4.225-syzkaller-00025-g95647568244a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
RIP: 0010:ext4_write_inline_data_end+0x4ce/0x4e0 fs/ext4/ext4.h:3237
Code: ff ff 44 89 e1 80 e1 07 80 c1 03 38 c1 0f 8c d4 fd ff ff 4c 89 e7 e8 01 d4 d1 ff e9 c7 fd ff ff e8 a7 37 7a ff e8 42 62 a3 ff <0f> 0b e8 3b 62 a3 ff 0f 0b 66 0f 1f 84 00 00 00 00 00 55 41 57 41
RSP: 0018:ffff8881de0a7760 EFLAGS: 00010293
RAX: ffffffff81c21cce RBX: 0000000000000000 RCX: ffff8881f32c4ec0
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff8881de0a7870 R08: ffffffff81c219c4 R09: ffffed103543970c
R10: ffffed103543970c R11: 1ffff1103543970b R12: 0000000c00080000
R13: ffff8881aa1cb808 R14: ffffea00069aaf00 R15: ffff8881aa1cb908
FS: 00007fd0983ea700(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000100 CR3: 00000001e306c000 CR4: 00000000003406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
ext4_write_end+0x1cd/0xe40 fs/ext4/inode.c:1453
generic_perform_write+0x400/0x5a0 mm/filemap.c:3322
__generic_file_write_iter+0x239/0x490 mm/filemap.c:3440
ext4_file_write_iter+0x495/0x10e0 fs/ext4/file.c:270
call_write_iter include/linux/fs.h:1981 [inline]
new_sync_write fs/read_write.c:483 [inline]
__vfs_write+0x5e3/0x780 fs/read_write.c:496
vfs_write+0x210/0x4f0 fs/read_write.c:558
ksys_write+0x198/0x2c0 fs/read_write.c:611
do_syscall_64+0xcb/0x1c0 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x5c/0xc1
Modules linked in:
---[ end trace c17c384b44a696a0 ]---
RIP: 0010:ext4_write_inline_data_end+0x4ce/0x4e0 fs/ext4/ext4.h:3237
Code: ff ff 44 89 e1 80 e1 07 80 c1 03 38 c1 0f 8c d4 fd ff ff 4c 89 e7 e8 01 d4 d1 ff e9 c7 fd ff ff e8 a7 37 7a ff e8 42 62 a3 ff <0f> 0b e8 3b 62 a3 ff 0f 0b 66 0f 1f 84 00 00 00 00 00 55 41 57 41
RSP: 0018:ffff8881de0a7760 EFLAGS: 00010293
RAX: ffffffff81c21cce RBX: 0000000000000000 RCX: ffff8881f32c4ec0
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff8881de0a7870 R08: ffffffff81c219c4 R09: ffffed103543970c
R10: ffffed103543970c R11: 1ffff1103543970b R12: 0000000c00080000
R13: ffff8881aa1cb808 R14: ffffea00069aaf00 R15: ffff8881aa1cb908
FS: 00007fd0983ea700(0000) GS:ffff8881f6e00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000100 CR3: 00000001e306c000 CR4: 00000000003406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

syzbot

Jan 25, 2023, 11:20:43 AM
to syzkaller-a...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: 95647568244a UPSTREAM: usb: gadget: f_hid: fix f_hidg life..
git tree: android12-5.4
console output: https://syzkaller.appspot.com/x/log.txt?x=171b12c1480000
kernel config: https://syzkaller.appspot.com/x/.config?x=8dc6bbfc90d8f09a
dashboard link: https://syzkaller.appspot.com/bug?extid=ba461b83903ea68a8198
compiler: Debian clang version 13.0.1-6~deb11u1, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14e52acd480000
mounted in repro: https://storage.googleapis.com/syzbot-assets/e21bb3489c2c/mount_0.gz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ba461b...@syzkaller.appspotmail.com

------------[ cut here ]------------
kernel BUG at fs/ext4/inline.c:763!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 641 Comm: syz-executor.2 Not tainted 5.4.225-syzkaller-00025-g95647568244a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
RIP: 0010:ext4_write_inline_data_end+0x4ce/0x4e0 fs/ext4/ext4.h:3237
Code: ff ff 44 89 e1 80 e1 07 80 c1 03 38 c1 0f 8c d4 fd ff ff 4c 89 e7 e8 01 d4 d1 ff e9 c7 fd ff ff e8 a7 37 7a ff e8 42 62 a3 ff <0f> 0b e8 3b 62 a3 ff 0f 0b 66 0f 1f 84 00 00 00 00 00 55 41 57 41
RSP: 0018:ffff8881e5d17760 EFLAGS: 00010293
RAX: ffffffff81c21cce RBX: 0000000000000000 RCX: ffff8881e6112f40
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff8881e5d17870 R08: ffffffff81c219c4 R09: ffffed103b2d7151
R10: ffffed103b2d7151 R11: 1ffff1103b2d7150 R12: 0000008c00080000
R13: ffff8881d96b8a30 R14: ffffea000760d680 R15: ffff8881d96b8b30
FS: 00007efecabf7700(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000001e89e1000 CR4: 00000000003406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
ext4_write_end+0x1cd/0xe40 fs/ext4/inode.c:1453
generic_perform_write+0x400/0x5a0 mm/filemap.c:3322
__generic_file_write_iter+0x239/0x490 mm/filemap.c:3440
ext4_file_write_iter+0x495/0x10e0 fs/ext4/file.c:270
call_write_iter include/linux/fs.h:1981 [inline]
new_sync_write fs/read_write.c:483 [inline]
__vfs_write+0x5e3/0x780 fs/read_write.c:496
vfs_write+0x210/0x4f0 fs/read_write.c:558
ksys_write+0x198/0x2c0 fs/read_write.c:611
do_syscall_64+0xcb/0x1c0 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x5c/0xc1
Modules linked in:
---[ end trace e4ebf3e9c5f3d09c ]---
RIP: 0010:ext4_write_inline_data_end+0x4ce/0x4e0 fs/ext4/ext4.h:3237
Code: ff ff 44 89 e1 80 e1 07 80 c1 03 38 c1 0f 8c d4 fd ff ff 4c 89 e7 e8 01 d4 d1 ff e9 c7 fd ff ff e8 a7 37 7a ff e8 42 62 a3 ff <0f> 0b e8 3b 62 a3 ff 0f 0b 66 0f 1f 84 00 00 00 00 00 55 41 57 41
RSP: 0018:ffff8881e5d17760 EFLAGS: 00010293
RAX: ffffffff81c21cce RBX: 0000000000000000 RCX: ffff8881e6112f40
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff8881e5d17870 R08: ffffffff81c219c4 R09: ffffed103b2d7151
R10: ffffed103b2d7151 R11: 1ffff1103b2d7150 R12: 0000008c00080000
R13: ffff8881d96b8a30 R14: ffffea000760d680 R15: ffff8881d96b8b30
FS: 00007efecabf7700(0000) GS:ffff8881f6f00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fff155f7f48 CR3: 00000001e89e1000 CR4: 00000000003406e0