From nobody Mon Dec 1 23:06:46 2025 Received: from relay.hostedemail.com (smtprelay0012.hostedemail.com [216.40.44.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 38BF42877DE for ; Wed, 26 Nov 2025 20:31:02 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=216.40.44.12 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1764189065; cv=none; b=CYDGpQykceUjbgXkctJaX7MyBM0irzAxZPf7UndX0BEmIJic5r6UUj5fam71V9joyqbrVP4YqcHVvdUAT2iD/C0tVkyMlnPPY0yaDZdTAsr3wb2MZwyLNowN7/ge6z/eTEMCI+Fy7FDgC5ak8tfKH2Ye47/rxa+eTqWYRibyEEI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1764189065; c=relaxed/simple; bh=6FV2LkJ2kPoqMLPiUoqrwbN7dsOjKUbnQeRxT33UpRM=; h=Date:From:To:Cc:Subject:Message-ID:MIME-Version:Content-Type; b=r/Yq7s32fG0vZdkjYTi9zbxhUk5QPUQp/MifFpWvbgDe0fY7egIRTnYcukTHBFDh2tnmK3b6ZpuLuJR3bHKv4N4DjDTjoeCU/54P1q4g0ipW6h0zkuzge1q+qPvZ3CMIXSJmMh+ByDyK5MS+QqxcYh2K39qy7gz0cajxZw1W95A= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=goodmis.org; spf=pass smtp.mailfrom=goodmis.org; arc=none smtp.client-ip=216.40.44.12 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=goodmis.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=goodmis.org Received: from omf07.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay03.hostedemail.com (Postfix) with ESMTP id 49704BB20E; Wed, 26 Nov 2025 20:30:56 +0000 (UTC) Received: from [HIDDEN] (Authenticated sender: rostedt@goodmis.org) by omf07.hostedemail.com (Postfix) with ESMTPA id 9B0942002D; Wed, 26 Nov 2025 20:30:54 +0000 (UTC) Date: Wed, 26 Nov 2025 15:31:41 -0500 From: Steven Rostedt To: Linus Torvalds Cc: LKML , Masami Hiramatsu , Mathieu Desnoyers , Deepanshu Kartikey Subject: [GIT PULL] ring-buffer: A fix for v6.18 Message-ID: <20251126153141.174661b5@gandalf.local.home> X-Mailer: Claws Mail 3.20.0git84 (GTK+ 2.24.33; x86_64-pc-linux-gnu) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Rspamd-Server: rspamout06 X-Rspamd-Queue-Id: 9B0942002D X-Stat-Signature: 1tuyuyk3hyb6czp9gtybeo6qrbeocoqn X-Session-Marker: 726F737465647440676F6F646D69732E6F7267 X-Session-ID: U2FsdGVkX19gOQ9FQb6lSkkoyNWJKhmODL3evhh0TfM= X-HE-Tag: 1764189054-277641 X-HE-Meta: U2FsdGVkX1+E2b0T2cj+/zPZev/65zwlQfPysP9vQtXwYNCArLomvGB6o+5g2/8Wgn4OSrnJDBM3IdXS0FfSj2fAsu78LIJwnniMYW5qaXmB2OjUrKAen5i3eKQOanA0UQRnkkqLk1wYH3fodWUXaEvoL8K08dor4bOisWnX7npTR0hysSE/vh3gEq8KyeeypetiUzTOqPsMRhmoKy31235eFMVWvHGXJNNoK3xiprjaj4FecWc7n2OIMrZTNj/yVsbhVi133KplIjz64jF1o2htkSeJ3dvpLVQCsePq3OmlWG4JH7+hClME5VQ+SCthZbN4h4aIaRIihfeLpTLDExfkJUkUBzrm1HYeICOgENoYpUEixmm7X/OwZRs0M5w/iv2iaAjHaIJg5eQxaM/Lg4xUxGHzzFRRDQH5JqI5mmlY+Lhr74OXlz8NmnLevXz+ZGDuF5AZe4qaGvmet6yti46NfVqSSIcp2KcShOl5AGl9VtRMCkt6BYhUFtg9R3tHW0sbhoBnFf1R+BeR+jODJ/kq1epXFS8OiX/Ac/3paPf5P9HOIHAuk+jShGF/OA41yTLATUmU1tnRVnKBnmXP2dEtX761Kq00UK+gNFqgAFY7iZ1CNiK7UhECUBq6BHId Content-Type: text/plain; charset="utf-8" Linus, ring-buffer fixes for v6.18: - Do not allow mmapped ring buffer to be split When the ring buffer VMA is split by a partial munmap or a MAP_FIXED, the kernel calls vm_ops->close() on each portion. This causes the ring_buffer_unmap() to be called multiple times. This causes subsequent calls to return -ENODEV and triggers a warning. There's no reason to allow user space to split up memory mapping of the ring buffer. Have it return -EINVAL when that happens. Please pull the latest trace-ringbuffer-v6.18-rc7 tree, which can be found = at: git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace.git trace-ringbuffer-v6.18-rc7 Tag SHA1: 0f396c7eb7f1d3ec728312e75cd42213d69916ff Head SHA1: b042fdf18e89a347177a49e795d8e5184778b5b6 Deepanshu Kartikey (1): tracing: Fix WARN_ON in tracing_buffers_mmap_close for split VMAs ---- kernel/trace/trace.c | 10 ++++++++++ 1 file changed, 10 insertions(+) --------------------------- commit b042fdf18e89a347177a49e795d8e5184778b5b6 Author: Deepanshu Kartikey Date: Wed Nov 19 12:10:19 2025 +0530 tracing: Fix WARN_ON in tracing_buffers_mmap_close for split VMAs =20 When a VMA is split (e.g., by partial munmap or MAP_FIXED), the kernel calls vm_ops->close on each portion. For trace buffer mappings, this results in ring_buffer_unmap() being called multiple times while ring_buffer_map() was only called once. =20 This causes ring_buffer_unmap() to return -ENODEV on subsequent calls because user_mapped is already 0, triggering a WARN_ON. =20 Trace buffer mappings cannot support partial mappings because the ring buffer structure requires the complete buffer including the meta page. =20 Fix this by adding a may_split callback that returns -EINVAL to prevent VMA splits entirely. =20 Cc: stable@vger.kernel.org Fixes: cf9f0f7c4c5bb ("tracing: Allow user-space mapping of the ring-bu= ffer") Link: https://patch.msgid.link/20251119064019.25904-1-kartikey406@gmail= .com Closes: https://syzkaller.appspot.com/bug?extid=3Da72c325b042aae6403c7 Tested-by: syzbot+a72c325b042aae6403c7@syzkaller.appspotmail.com Reported-by: syzbot+a72c325b042aae6403c7@syzkaller.appspotmail.com Signed-off-by: Deepanshu Kartikey Signed-off-by: Steven Rostedt (Google) diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c index d1e527cf2aae..304e93597126 100644 --- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c @@ -8781,8 +8781,18 @@ static void tracing_buffers_mmap_close(struct vm_are= a_struct *vma) put_snapshot_map(iter->tr); } =20 +static int tracing_buffers_may_split(struct vm_area_struct *vma, unsigned = long addr) +{ + /* + * Trace buffer mappings require the complete buffer including + * the meta page. Partial mappings are not supported. + */ + return -EINVAL; +} + static const struct vm_operations_struct tracing_buffers_vmops =3D { .close =3D tracing_buffers_mmap_close, + .may_split =3D tracing_buffers_may_split, }; =20 static int tracing_buffers_mmap(struct file *filp, struct vm_area_struct *= vma)