From nobody Mon Dec 1 23:33:43 2025 Received: from relay.hostedemail.com (smtprelay0016.hostedemail.com [216.40.44.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BA00127462 for ; Wed, 26 Nov 2025 00:41:14 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=216.40.44.16 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1764117677; cv=none; b=P9U4dXQsIteZag8pwCBBRygXI0E5kqh9VoXwdEdPg3CMHY9qKUl+YtubfM88CFq2yT3XO6iFk0rVGsnwH+uCYg60Baa37AEltwyaLUtPh2Fr13gMDN6ktq1YbPbcWrJ6TthNzznXMADwgGQXVB7vN2stRSR4hPLx/F2PXC1KlRo= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1764117677; c=relaxed/simple; bh=klZWz+1gojYFCMV3+cRSmxXIMGCQale/cgsuMwYeG9Y=; h=Date:From:To:Cc:Subject:Message-ID:MIME-Version:Content-Type; b=orRAowskm6NpWbkLXT2a3qRt31p5qhviTzTjvkD0cfru7DRrIfKrZl8uCY2ngjy2qQHW5UMQs9VxZ76ce1z69BaCdFKKRuRKpTGsX4syXNRxyutCHjazVJmk/9aqfYWISHL2AI/uxnT08Z1E/kdlu/BDB1v+8IyvPhldeZKhaCQ= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=goodmis.org; spf=pass smtp.mailfrom=goodmis.org; arc=none smtp.client-ip=216.40.44.16 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=goodmis.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=goodmis.org Received: from omf05.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay01.hostedemail.com (Postfix) with ESMTP id 5147312D1F; Wed, 26 Nov 2025 00:41:13 +0000 (UTC) Received: from [HIDDEN] (Authenticated sender: rostedt@goodmis.org) by omf05.hostedemail.com (Postfix) with ESMTPA id CC8492000E; Wed, 26 Nov 2025 00:41:11 +0000 (UTC) Date: Tue, 25 Nov 2025 19:41:51 -0500 From: Steven Rostedt To: LKML Cc: Masami Hiramatsu , Mathieu Desnoyers , Deepanshu Kartikey Subject: [for-linus][PATCH] tracing: Fix WARN_ON in tracing_buffers_mmap_close for split VMAs Message-ID: <20251125194151.3ca9b873@gandalf.local.home> X-Mailer: Claws Mail 3.20.0git84 (GTK+ 2.24.33; x86_64-pc-linux-gnu) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Rspamd-Server: rspamout07 X-Rspamd-Queue-Id: CC8492000E X-Stat-Signature: 59j5j8ig6inpxy99qap6ed7c8kkhxpip X-Session-Marker: 726F737465647440676F6F646D69732E6F7267 X-Session-ID: U2FsdGVkX1/qdFrqVvAJaniNgmQF7VHNa3t+iVEqssM= X-HE-Tag: 1764117671-866585 X-HE-Meta: U2FsdGVkX1/DDF58LNGTtL9YtVMIxY9qhXHsvX5cThXLpNNngkii9G15DD0c+uRXY25I2TuInt55lRsiQVwjNCYMQ2IEiB8jhsh5lJXytH64fEB4qILunrpNeYih33FwnauwIxxd3lkn1GHPXmVYCE6JPpTSIl9cbcDxea1h/YbBkKIuYhYXiFxLPhfFZu3vGOt3nRBCjUzvIkcjLXwx8fswcA9qqCpYvssx5B3VB07IKPxfrzKVY9SoG1/zFRR2Ya1VZdAnR48i9Pzju1HxJ3v1kVzRQnUDHH3BHY687yoWgq3aErkVIckKUid4217ziQbZB8qOTPX5pVrUyj5nhkT3DFksyluASUKa5YqsP2BY1wBnNFb41nxf5PKaAt8vwzVy1FH+f0f8twouHefrkYK2ZrkZ8ezhF4WjO32Qv63PzaCR4Bp3Phwnt6/M0jShFhEj80hVYSe9SAaa+gdG48OpdR1iA5NXJpiEM7gdc/jSkqjllFH7Z1PwJRIA7ESLNobBfcg6RgFRwVfRjvDw+U6ixRylKCj9qnJRnZ6ACxUVJefbyNWv7nr0X2inu99L0mue6vGAxm31GuYXdQYm8dslIlSjKz0kvWOovXFw00j+hwlJdhV+74uedhm7G8zT Content-Type: text/plain; charset="utf-8" ring-buffer fixes for v6.18: - Do not allow mmapped ring buffer to be split When the ring buffer VMA is split by a partial munmap or a MAP_FIXED, the kernel calls vm_ops->close() on each portion. This causes the ring_buffer_unmap() to be called multiple times. This causes subsequent calls to return -ENODEV and triggers a warning. There's no reason to allow user space to split up memory mapping of the ring buffer. Have it return -EINVAL when that happens. git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace.git ring-buffer/fixes Head SHA1: b042fdf18e89a347177a49e795d8e5184778b5b6 Deepanshu Kartikey (1): tracing: Fix WARN_ON in tracing_buffers_mmap_close for split VMAs ---- kernel/trace/trace.c | 10 ++++++++++ 1 file changed, 10 insertions(+) --------------------------- commit b042fdf18e89a347177a49e795d8e5184778b5b6 Author: Deepanshu Kartikey Date: Wed Nov 19 12:10:19 2025 +0530 tracing: Fix WARN_ON in tracing_buffers_mmap_close for split VMAs =20 When a VMA is split (e.g., by partial munmap or MAP_FIXED), the kernel calls vm_ops->close on each portion. For trace buffer mappings, this results in ring_buffer_unmap() being called multiple times while ring_buffer_map() was only called once. =20 This causes ring_buffer_unmap() to return -ENODEV on subsequent calls because user_mapped is already 0, triggering a WARN_ON. =20 Trace buffer mappings cannot support partial mappings because the ring buffer structure requires the complete buffer including the meta page. =20 Fix this by adding a may_split callback that returns -EINVAL to prevent VMA splits entirely. =20 Cc: stable@vger.kernel.org Fixes: cf9f0f7c4c5bb ("tracing: Allow user-space mapping of the ring-bu= ffer") Link: https://patch.msgid.link/20251119064019.25904-1-kartikey406@gmail= .com Closes: https://syzkaller.appspot.com/bug?extid=3Da72c325b042aae6403c7 Tested-by: syzbot+a72c325b042aae6403c7@syzkaller.appspotmail.com Reported-by: syzbot+a72c325b042aae6403c7@syzkaller.appspotmail.com Signed-off-by: Deepanshu Kartikey Signed-off-by: Steven Rostedt (Google) diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c index d1e527cf2aae..304e93597126 100644 --- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c @@ -8781,8 +8781,18 @@ static void tracing_buffers_mmap_close(struct vm_are= a_struct *vma) put_snapshot_map(iter->tr); } =20 +static int tracing_buffers_may_split(struct vm_area_struct *vma, unsigned = long addr) +{ + /* + * Trace buffer mappings require the complete buffer including + * the meta page. Partial mappings are not supported. + */ + return -EINVAL; +} + static const struct vm_operations_struct tracing_buffers_vmops =3D { .close =3D tracing_buffers_mmap_close, + .may_split =3D tracing_buffers_may_split, }; =20 static int tracing_buffers_mmap(struct file *filp, struct vm_area_struct *= vma)