The return value from `__rb_map_vma()`, which rejects writable or
executable mappings (VM_WRITE, VM_EXEC, or !VM_MAYSHARE), was being
ignored. As a result the caller of `__rb_map_vma` always returned 0
even when the mapping had actually failed, allowing it to proceed
with an invalid VMA.
Reported-by: syzbot+ddc001b92c083dbf2b97@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?id=194151be8eaebd826005329b2e123aecae714bdb
Signed-off-by: Ankit Khushwaha <ankitkhushwaha.linux@gmail.com>
---
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 4ff71af020ae
---
kernel/trace/ring_buffer.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
index 43460949ad3f..4efb90364f48 100644
--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -7271,6 +7271,8 @@ int ring_buffer_map(struct trace_buffer *buffer, int cpu,
cpu_buffer->subbuf_ids = NULL;
rb_free_meta_page(cpu_buffer);
atomic_dec(&cpu_buffer->resize_disabled);
+ /* VM failed to be mapped */
+ return err;
}
return 0;
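Review bot: the added `return err;` inside the error-cleanup block leaves the trailing `return 0;` reachable only on success, so the function now has two exits for one outcome; the simpler shape is to drop the early return and change the final `return 0;` to `return err;`, which is correct only if `err` is zero after a successful `__rb_map_vma()` (the hunk does not show where `err` is assigned, so confirm that before relying on it). The `/* VM failed to be mapped */` comment restates what the surrounding `rb_free_meta_page()` / `atomic_dec(&cpu_buffer->resize_disabled)` cleanup already makes obvious and can be dropped. The substance is right: without the propagated error the cleanup runs and the function still reports success, so the caller carries on with a mapping that was rejected.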
--
2.51.0
On Tue, 7 Oct 2025 22:42:56 +0530 Ankit Khushwaha <ankitkhushwaha.linux@gmail.com> wrote:

Note, tracing subsystem expects the subject to start with a capital letter:

  ring buffer: Propagate __rb_map_vma return value to caller

> The return value from `__rb_map_vma()`, which rejects writable or
> executable mappings (VM_WRITE, VM_EXEC, or !VM_MAYSHARE), was being
> ignored. As a result the caller of `__rb_map_vma` always returned 0
> even when the mapping had actually failed, allowing it to proceed
> with an invalid VMA.
>
> Reported-by: syzbot+ddc001b92c083dbf2b97@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?id=194151be8eaebd826005329b2e123aecae714bdb
> Signed-off-by: Ankit Khushwaha <ankitkhushwaha.linux@gmail.com>
> ---
>
> #syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 4ff71af020ae
>
> ---
> kernel/trace/ring_buffer.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
> index 43460949ad3f..4efb90364f48 100644
> --- a/kernel/trace/ring_buffer.c
> +++ b/kernel/trace/ring_buffer.c
> @@ -7271,6 +7271,8 @@ int ring_buffer_map(struct trace_buffer *buffer, int cpu,
> cpu_buffer->subbuf_ids = NULL;
> rb_free_meta_page(cpu_buffer);
> atomic_dec(&cpu_buffer->resize_disabled);
> + /* VM failed to be mapped */

No need to add the comment. It's obvious what happened.

> + return err;

Don't return here.

> }
>
> return 0;

Change this to:

	return err;

as after that if statement, err will be 0 on success or the value you want to return.

-- Steve
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+ddc001b92c083dbf2b97@syzkaller.appspotmail.com
Tested-by: syzbot+ddc001b92c083dbf2b97@syzkaller.appspotmail.com

Tested on:

commit:         4ff71af0 Merge tag 'net-6.17-rc8' of git://git.kernel...
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=17676892580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=595e5938a1dd5b4e
dashboard link: https://syzkaller.appspot.com/bug?extid=ddc001b92c083dbf2b97
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1249d1e2580000

Note: testing is done by a robot and is best-effort only.