X-Mailing-List: linux-kernel@vger.kernel.org
Date: Tue, 18 Nov 2025 22:14:03 -0800
In-Reply-To: <69136cdb.a70a0220.22f260.0142.GAE@google.com>
Message-ID: <691d602b.a70a0220.2ea503.000f.GAE@google.com>
Subject: Forwarded: [PATCH] tracing: Fix WARN_ON in tracing_buffers_mmap_close for split VMAs
From: syzbot
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] tracing: Fix WARN_ON in tracing_buffers_mmap_close for split VMAs
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

When a VMA is split (e.g., by partial munmap or MAP_FIXED), the kernel
calls vm_ops->close on each portion. For trace buffer mappings, this
results in ring_buffer_unmap() being called multiple times while
ring_buffer_map() was only called once. This causes ring_buffer_unmap()
to return -ENODEV on subsequent calls because user_mapped is already 0,
triggering a WARN_ON.

Trace buffer mappings cannot support partial mappings because the ring
buffer structure requires the complete buffer including the meta page.
Fix this by adding a may_split callback that returns -EINVAL to prevent
VMA splits entirely.

Closes: https://syzkaller.appspot.com/bug?extid=a72c325b042aae6403c7
Reported-by: syzbot+a72c325b042aae6403c7@syzkaller.appspotmail.com
Signed-off-by: Deepanshu Kartikey
--- kernel/trace/trace.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c index d1e527cf2aae..304e93597126 100644 --- a/kernel/trace/trace.c +++ b/kernel/trace/trace.c 
@@ -8781,8 +8781,18 @@ static void tracing_buffers_mmap_close(struct vm_are= a_struct *vma) put_snapshot_map(iter->tr); } =20 +static int tracing_buffers_may_split(struct vm_area_struct *vma, unsigned = long addr) +{ + /* + * Trace buffer mappings require the complete buffer including + * the meta page. Partial mappings are not supported. + */ + return -EINVAL; +} + static const struct vm_operations_struct tracing_buffers_vmops =3D { .close =3D tracing_buffers_mmap_close, + .may_split =3D tracing_buffers_may_split, }; =20 static int tracing_buffers_mmap(struct file *filp, struct vm_area_struct *= vma) --=20 2.43.0
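
Review bot: The comment in tracing_buffers_may_split() states only that partial mappings are not supported and leaves out the reason the changelog is actually fixing: .close runs once per VMA portion while ring_buffer_map() ran once, so a split leaves the map/unmap accounting unbalanced and trips the WARN_ON in tracing_buffers_mmap_close(). Please put that in the comment, and mention that a partial munmap or a MAP_FIXED mapping over part of this region will now fail with -EINVAL, since that is a userspace-visible change. tracing_buffers_vmops still has no .open, so the changelog should also say why no other path can duplicate this VMA and produce a second .close for a single ring_buffer_map(). The trailer block carries Closes: and Reported-by: but no Fixes: tag naming the commit that introduced the mapping, which a backport would need.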