Sometimes we wish to assert that a VMA is stable, that is - the VMA cannot
be changed underneath us. This will be the case if EITHER the VMA lock or
the mmap lock is held.

We already open-code this in two places - anon_vma_name() in mm/madvise.c
and vma_flag_set_atomic() in include/linux/mm.h.

This series adds a number of pre-requisite predicates and adds
vma_assert_stabilised() which can be used in these callsites instead.

However the asserts implemented there are subtly wrong - if CONFIG_PER_VMA_LOCK
is not implemented and the mmap lock is not held, then we don't actually
assert anything.

Since this is an assert that only fires when CONFIG_DEBUG_VM is set and the
test bots will largely be running with CONFIG_PER_VMA_LOCK set, this is
likely in practice not a real-world issue.

In any case, this series additionally fixes this issue.

As part of this change we also reduce duplication of code in VMA lock
asserts.

This change also lays the foundation for future series to add this assert
in further appropriate places to account for us now living in a world where
a VMA may be stabilised by either lock.

Lorenzo Stoakes (2):
  mm/vma: add vma_is_*_locked() helpers
  mm: add + use vma_is_stabilised(), vma_assert_stabilised() helpers

 include/linux/mm.h        |  4 +--
 include/linux/mmap_lock.h | 55 +++++++++++++++++++++++++++++++++------
 mm/madvise.c              |  4 +--
 3 files changed, 49 insertions(+), 14 deletions(-)

--
2.52.0
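The stability rule and the configuration gap described in the cover letter, as an added userspace model rather than code from the series or the kernel: a VMA counts as stabilised when either the mmap lock or the VMA lock is held, and an open-coded assert that falls back to the VMA-lock check only when per-VMA locks exist checks nothing at all when CONFIG_PER_VMA_LOCK is off and the mmap lock is not held. The function names follow the patch titles; the struct layout and the runtime per_vma_lock_enabled flag standing in for the build option are assumptions made so that both configurations run in one program.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed userspace model of the locking rule in the cover letter; this is
 * not the kernel's code. The names vma_is_mmap_locked(), vma_is_vma_locked()
 * and vma_is_stabilised() follow the series titles; the struct layout and the
 * per_vma_lock_enabled flag (a runtime stand-in for CONFIG_PER_VMA_LOCK) are
 * assumptions made so that both kernel configurations can be exercised here.
 */
struct mm {
	bool mmap_lock_held;	/* mmap_lock held (read or write) */
};

struct vma {
	struct mm *mm;
	bool vma_lock_held;	/* per-VMA lock held; meaningful only with per-VMA locks */
};

/* Stand-in for CONFIG_PER_VMA_LOCK (assumption: a runtime flag, not a #ifdef). */
static bool per_vma_lock_enabled = true;

static bool vma_is_mmap_locked(const struct vma *vma)
{
	return vma->mm->mmap_lock_held;
}

static bool vma_is_vma_locked(const struct vma *vma)
{
	/* Without per-VMA locks there is no VMA lock that could be held. */
	return per_vma_lock_enabled && vma->vma_lock_held;
}

/* The rule from the cover letter: stable iff EITHER lock is held. */
static bool vma_is_stabilised(const struct vma *vma)
{
	return vma_is_vma_locked(vma) || vma_is_mmap_locked(vma);
}

/*
 * Model of the open-coded pattern the cover letter calls subtly wrong: test the
 * mmap lock first and fall back to the VMA-lock assert only when per-VMA locks
 * exist. With per-VMA locks compiled out and the mmap lock not held, nothing is
 * checked. Returns true if the assert would have fired.
 */
static bool buggy_assert_fires(const struct vma *vma)
{
	if (vma_is_mmap_locked(vma))
		return false;
	if (per_vma_lock_enabled)
		return !vma->vma_lock_held;
	return false;	/* !CONFIG_PER_VMA_LOCK: silently asserts nothing */
}

/* Corrected form: one predicate that holds under both configurations. */
static bool fixed_assert_fires(const struct vma *vma)
{
	return !vma_is_stabilised(vma);
}

/* Walks all four lock states under both configurations and marks the gap. */
int main(void)
{
	static const bool cfg[] = { true, false };

	for (int c = 0; c < 2; c++) {
		per_vma_lock_enabled = cfg[c];
		printf("CONFIG_PER_VMA_LOCK=%c\n", per_vma_lock_enabled ? 'y' : 'n');
		for (int mmap_held = 0; mmap_held < 2; mmap_held++) {
			for (int vma_held = 0; vma_held < 2; vma_held++) {
				struct mm mm = { .mmap_lock_held = mmap_held };
				struct vma vma = { .mm = &mm, .vma_lock_held = vma_held };
				bool buggy = buggy_assert_fires(&vma);
				bool fixed = fixed_assert_fires(&vma);

				printf("  mmap=%d vma=%d stable=%d buggy_fires=%d fixed_fires=%d%s\n",
				       mmap_held, vma_held, vma_is_stabilised(&vma),
				       buggy, fixed,
				       buggy != fixed ? "  <-- missed by the open-coded assert" : "");
			}
		}
	}
	return 0;
}
```

Running it prints the eight cases; the only rows where the two asserts disagree are the CONFIG_PER_VMA_LOCK=n rows with the mmap lock not held, which is exactly the case the cover letter says the series also fixes.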
OK sorry to do the extremely annoying pattern of 'immediate resend' but... :)

I realised there's another silly issue here, I will have some caffeine, fix
up, and do a resend.

All - please disregard this series :>))

Cheers, Lorenzo

On Fri, Jan 16, 2026 at 10:27:46AM +0000, Lorenzo Stoakes wrote:
> Sometimes we wish to assert that a VMA is stable, that is - the VMA cannot
> be changed underneath us. This will be the case if EITHER the VMA lock or
> the mmap lock is held.
>
> We already open-code this in two places - anon_vma_name() in mm/madvise.c
> and vma_flag_set_atomic() in include/linux/mm.h.
>
> This series adds a number of pre-requisite predicates and adds
> vma_assert_stabilised() which can be used in these callsites instead.
>
> However the asserts implemented there subtly wrong - if CONFIG_PER_VMA_LOCK
> is not implemented and the mmap lock is not held, then we don't actually
> assert anything.
>
> Since this is an assert that only fires when CONFIG_DEBUG_VM is set and the
> test bots will largely be running with CONFIG_PER_VMA_LOCK set, this is
> likely in practice not a real-world issue.
>
> In any case, this series additionally fixes this issue.
>
> As part of this change we also reduce duplication of code in VMA lock
> asserts.
>
> This change also lays the foundation for future series to add this assert
> in further appropriate places to account for us now living in a world where
> a VMA may be stabilised by either lock.
>
> Lorenzo Stoakes (2):
>   mm/vma: add vma_is_*_locked() helpers
>   mm: add + use vma_is_stabilised(), vma_assert_stabilised() helpers
>
>  include/linux/mm.h        |  4 +--
>  include/linux/mmap_lock.h | 55 +++++++++++++++++++++++++++++++++------
>  mm/madvise.c              |  4 +--
>  3 files changed, 49 insertions(+), 14 deletions(-)
>
> --
> 2.52.0
syzbot ci has tested the following series

[v1] add and use vma_assert_stabilised() helper
https://lore.kernel.org/all/cover.1768558900.git.lorenzo.stoakes@oracle.com
* [PATCH 1/2] mm/vma: add vma_is_*_locked() helpers
* [PATCH 2/2] mm: add + use vma_is_stabilised(), vma_assert_stabilised() helpers

and found the following issue:
kernel BUG in anon_vma_name

Full report is available here:
https://ci.syzbot.org/series/a3867085-bae4-4416-9704-3b23ef9c6006

***

kernel BUG in anon_vma_name

tree:     mm-new
URL:      https://kernel.googlesource.com/pub/scm/linux/kernel/git/akpm/mm.git
base:     eeb33083cc4749bdb61582eaeb5c200702607703
arch:     amd64
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
config:   https://ci.syzbot.org/builds/2e5b4d7e-a1a9-48c8-ae3b-654d3ac32e5c/config

Loaded X.509 cert 'Build time autogenerated kernel key: 65176d093d4baf94ab1e788ee9f46804766f83ba'
ima: Allocated hash algorithm: sha256
ima: No architecture policies found
evm: Initialising EVM extended attributes:
evm: security.selinux (disabled)
evm: security.SMACK64 (disabled)
evm: security.SMACK64EXEC (disabled)
evm: security.SMACK64TRANSMUTE (disabled)
evm: security.SMACK64MMAP (disabled)
evm: security.apparmor
evm: security.ima
evm: security.capability
evm: HMAC attrs: 0x1
PM: Magic number: 10:472:582
tty ptyc0: hash matches
netconsole: network logging started
gtp: GTP module loaded (pdp ctx size 128 bytes)
rdma_rxe: loaded
cfg80211: Loading compiled-in X.509 certificates for regulatory database
Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
Loaded X.509 cert 'wens: 61c038651aabdcf94bd0ac7ff06c7248db18c600'
clk: Disabling unused clocks
ALSA device list:
  #0: Dummy 1
  #1: Loopback 1
  #2: Virtual MIDI Card 1
check access for rdinit=/init failed: -2, ignoring
md: Waiting for all devices to be available before autodetect
md: If you don't use raid, use raid=noautodetect
md: Autodetecting RAID arrays.
md: autorun ...
md: ... autorun DONE.
EXT4-fs (sda1): mounted filesystem b4773fba-1738-4da0-8a90-0fe043d0a496 ro with ordered data mode. Quota mode: none.
VFS: Mounted root (ext4 filesystem) readonly on device 8:1.
devtmpfs: mounted
Freeing unused kernel image (initmem) memory: 26044K
Write protecting the kernel read-only data: 212992k
Freeing unused kernel image (text/rodata gap) memory: 388K
Freeing unused kernel image (rodata/data gap) memory: 1776K
x86/mm: Checked W+X mappings: passed, no W+X pages found.
x86/mm: Checking user space page tables
x86/mm: Checked W+X mappings: passed, no W+X pages found.
Failed to set sysctl parameter 'max_rcu_stall_to_panic=1': parameter not found
Run /sbin/init as init process
vma ffff888175272d80 start 00007fffffffe000 end 00007ffffffff000 mm ffff888100079880
prot 8000000000000025 anon_vma ffff888110bf8000 vm_ops 0000000000000000
pgoff 7fffffffe file 0000000000000000 private_data 0000000000000000
refcnt 1
flags: 0x8118173(read|write|mayread|maywrite|mayexec|growsdown|seqread|randread|account|softdirty)
------------[ cut here ]------------
kernel BUG at ./include/linux/mmap_lock.h:476!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 0 UID: 0 PID: 1 Comm: init Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:anon_vma_name+0x253/0x260
Code: ff 4c 89 ff e8 8e 7d 0a 00 e9 e9 fe ff ff e8 34 db a2 ff eb 0c e8 2d db a2 ff eb 05 e8 26 db a2 ff 48 89 df e8 6e 77 08 ff 90 <0f> 0b 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90
RSP: 0000:ffffc90000067550 EFLAGS: 00010286
RAX: 000000000000014c RBX: ffff888175272d80 RCX: 37717524f4bb9000
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: 0000000000000003 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffffbfff1c3ae40 R12: dffffc0000000000
R13: dffffc0000000000 R14: 0000000000000001 R15: 0000000000000001
FS:  0000000000000000(0000) GS:ffff88818e405000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88823ffff000 CR3: 0000000110c5a000 CR4: 00000000000006f0
Call Trace:
 <TASK>
 vma_modify_flags+0x203/0x330
 mprotect_fixup+0x46a/0xa50
 setup_arg_pages+0x565/0xae0
 load_elf_binary+0xc5e/0x2980
 bprm_execve+0x93d/0x1410
 kernel_execve+0x8ef/0x9e0
 try_to_run_init_process+0x13/0x60
 kernel_init+0xad/0x1d0
 ret_from_fork+0x51b/0xa40
 ret_from_fork_asm+0x1a/0x30
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:anon_vma_name+0x253/0x260
Code: ff 4c 89 ff e8 8e 7d 0a 00 e9 e9 fe ff ff e8 34 db a2 ff eb 0c e8 2d db a2 ff eb 05 e8 26 db a2 ff 48 89 df e8 6e 77 08 ff 90 <0f> 0b 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90
RSP: 0000:ffffc90000067550 EFLAGS: 00010286
RAX: 000000000000014c RBX: ffff888175272d80 RCX: 37717524f4bb9000
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: 0000000000000003 R08: 0000000000000003 R09: 0000000000000004
R10: dffffc0000000000 R11: fffffbfff1c3ae40 R12: dffffc0000000000
R13: dffffc0000000000 R14: 0000000000000001 R15: 0000000000000001
FS:  0000000000000000(0000) GS:ffff88818e405000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88823ffff000 CR3: 0000000110c5a000 CR4: 00000000000006f0

***

If these findings have caused you to resend the series or submit a
separate fix, please add the following tag to your commit message:
Tested-by: syzbot@syzkaller.appspotmail.com

---
This report is generated by a bot. It may contain errors.
syzbot ci engineers can be reached at syzkaller@googlegroups.com.
Please ignore, this whole series has been resent at [0].

Cheers, Lorenzo

[0]: https://lore.kernel.org/linux-mm/cover.1768569863.git.lorenzo.stoakes@oracle.com/

On Fri, Jan 16, 2026 at 05:51:01AM -0800, syzbot ci wrote:
> syzbot ci has tested the following series
>
> [v1] add and use vma_assert_stabilised() helper
> https://lore.kernel.org/all/cover.1768558900.git.lorenzo.stoakes@oracle.com
> * [PATCH 1/2] mm/vma: add vma_is_*_locked() helpers
> * [PATCH 2/2] mm: add + use vma_is_stabilised(), vma_assert_stabilised() helpers
>
> and found the following issue:
> kernel BUG in anon_vma_name
>
> Full report is available here:
> https://ci.syzbot.org/series/a3867085-bae4-4416-9704-3b23ef9c6006
>
> ***
>
> kernel BUG in anon_vma_name
>
> tree:     mm-new
> URL:      https://kernel.googlesource.com/pub/scm/linux/kernel/git/akpm/mm.git
> base:     eeb33083cc4749bdb61582eaeb5c200702607703
> arch:     amd64
> compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
> config:   https://ci.syzbot.org/builds/2e5b4d7e-a1a9-48c8-ae3b-654d3ac32e5c/config
>
> Loaded X.509 cert 'Build time autogenerated kernel key: 65176d093d4baf94ab1e788ee9f46804766f83ba'
> ima: Allocated hash algorithm: sha256
> ima: No architecture policies found
> evm: Initialising EVM extended attributes:
> evm: security.selinux (disabled)
> evm: security.SMACK64 (disabled)
> evm: security.SMACK64EXEC (disabled)
> evm: security.SMACK64TRANSMUTE (disabled)
> evm: security.SMACK64MMAP (disabled)
> evm: security.apparmor
> evm: security.ima
> evm: security.capability
> evm: HMAC attrs: 0x1
> PM: Magic number: 10:472:582
> tty ptyc0: hash matches
> netconsole: network logging started
> gtp: GTP module loaded (pdp ctx size 128 bytes)
> rdma_rxe: loaded
> cfg80211: Loading compiled-in X.509 certificates for regulatory database
> Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'
> Loaded X.509 cert 'wens: 61c038651aabdcf94bd0ac7ff06c7248db18c600'
> clk: Disabling unused clocks
> ALSA device list:
>   #0: Dummy 1
>   #1: Loopback 1
>   #2: Virtual MIDI Card 1
> check access for rdinit=/init failed: -2, ignoring
> md: Waiting for all devices to be available before autodetect
> md: If you don't use raid, use raid=noautodetect
> md: Autodetecting RAID arrays.
> md: autorun ...
> md: ... autorun DONE.
> EXT4-fs (sda1): mounted filesystem b4773fba-1738-4da0-8a90-0fe043d0a496 ro with ordered data mode. Quota mode: none.
> VFS: Mounted root (ext4 filesystem) readonly on device 8:1.
> devtmpfs: mounted
> Freeing unused kernel image (initmem) memory: 26044K
> Write protecting the kernel read-only data: 212992k
> Freeing unused kernel image (text/rodata gap) memory: 388K
> Freeing unused kernel image (rodata/data gap) memory: 1776K
> x86/mm: Checked W+X mappings: passed, no W+X pages found.
> x86/mm: Checking user space page tables
> x86/mm: Checked W+X mappings: passed, no W+X pages found.
> Failed to set sysctl parameter 'max_rcu_stall_to_panic=1': parameter not found
> Run /sbin/init as init process
> vma ffff888175272d80 start 00007fffffffe000 end 00007ffffffff000 mm ffff888100079880
> prot 8000000000000025 anon_vma ffff888110bf8000 vm_ops 0000000000000000
> pgoff 7fffffffe file 0000000000000000 private_data 0000000000000000
> refcnt 1
> flags: 0x8118173(read|write|mayread|maywrite|mayexec|growsdown|seqread|randread|account|softdirty)
> ------------[ cut here ]------------
> kernel BUG at ./include/linux/mmap_lock.h:476!
> Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
> CPU: 0 UID: 0 PID: 1 Comm: init Not tainted syzkaller #0 PREEMPT(full)
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
> RIP: 0010:anon_vma_name+0x253/0x260
> Code: ff 4c 89 ff e8 8e 7d 0a 00 e9 e9 fe ff ff e8 34 db a2 ff eb 0c e8 2d db a2 ff eb 05 e8 26 db a2 ff 48 89 df e8 6e 77 08 ff 90 <0f> 0b 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90
> RSP: 0000:ffffc90000067550 EFLAGS: 00010286
> RAX: 000000000000014c RBX: ffff888175272d80 RCX: 37717524f4bb9000
> RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
> RBP: 0000000000000003 R08: 0000000000000003 R09: 0000000000000004
> R10: dffffc0000000000 R11: fffffbfff1c3ae40 R12: dffffc0000000000
> R13: dffffc0000000000 R14: 0000000000000001 R15: 0000000000000001
> FS:  0000000000000000(0000) GS:ffff88818e405000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: ffff88823ffff000 CR3: 0000000110c5a000 CR4: 00000000000006f0
> Call Trace:
>  <TASK>
>  vma_modify_flags+0x203/0x330
>  mprotect_fixup+0x46a/0xa50
>  setup_arg_pages+0x565/0xae0
>  load_elf_binary+0xc5e/0x2980
>  bprm_execve+0x93d/0x1410
>  kernel_execve+0x8ef/0x9e0
>  try_to_run_init_process+0x13/0x60
>  kernel_init+0xad/0x1d0
>  ret_from_fork+0x51b/0xa40
>  ret_from_fork_asm+0x1a/0x30
>  </TASK>
> Modules linked in:
> ---[ end trace 0000000000000000 ]---
> RIP: 0010:anon_vma_name+0x253/0x260
> Code: ff 4c 89 ff e8 8e 7d 0a 00 e9 e9 fe ff ff e8 34 db a2 ff eb 0c e8 2d db a2 ff eb 05 e8 26 db a2 ff 48 89 df e8 6e 77 08 ff 90 <0f> 0b 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90
> RSP: 0000:ffffc90000067550 EFLAGS: 00010286
> RAX: 000000000000014c RBX: ffff888175272d80 RCX: 37717524f4bb9000
> RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
> RBP: 0000000000000003 R08: 0000000000000003 R09: 0000000000000004
> R10: dffffc0000000000 R11: fffffbfff1c3ae40 R12: dffffc0000000000
> R13: dffffc0000000000 R14: 0000000000000001 R15: 0000000000000001
> FS:  0000000000000000(0000) GS:ffff88818e405000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: ffff88823ffff000 CR3: 0000000110c5a000 CR4: 00000000000006f0
>
>
> ***
>
> If these findings have caused you to resend the series or submit a
> separate fix, please add the following tag to your commit message:
> Tested-by: syzbot@syzkaller.appspotmail.com
>
> ---
> This report is generated by a bot. It may contain errors.
> syzbot ci engineers can be reached at syzkaller@googlegroups.com.