From: syzbot <syzbot+a72c325b042aae6403c7@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: [PATCH] tracing: Fix WARN_ON in tracing_buffers_mmap_close for split VMAs
Date: Tue, 18 Nov 2025 21:51:27 -0800
Message-ID: <691d5adf.a70a0220.d98e3.0008.GAE@google.com>
In-Reply-To: <69136cdb.a70a0220.22f260.0142.GAE@google.com>
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
***
Subject: [PATCH] tracing: Fix WARN_ON in tracing_buffers_mmap_close for split VMAs
Author: kartikey406@gmail.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
When a VMA is split (e.g., by partial munmap or MAP_FIXED), the kernel
calls vm_ops->close on each portion. For trace buffer mappings, this
results in ring_buffer_unmap() being called multiple times while
ring_buffer_map() was only called once.
This causes ring_buffer_unmap() to return -ENODEV on subsequent calls
because user_mapped is already 0, triggering a WARN_ON.
Fix this by handling -ENODEV gracefully in tracing_buffers_mmap_close().
When ring_buffer_unmap() returns -ENODEV, it means this VMA was a split
portion that doesn't hold a reference, so simply return without calling
put_snapshot_map().
Closes: https://syzkaller.appspot.com/bug?extid=a72c325b042aae6403c7
Reported-by: syzbot+a72c325b042aae6403c7@syzkaller.appspotmail.com
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
kernel/trace/trace.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index d1e527cf2aae..fe593dd2c387 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -8776,8 +8776,17 @@ static void tracing_buffers_mmap_close(struct vm_area_struct *vma)
{
struct ftrace_buffer_info *info = vma->vm_file->private_data;
struct trace_iterator *iter = &info->iter;
+ int ret;
- WARN_ON(ring_buffer_unmap(iter->array_buffer->buffer, iter->cpu_file));
+ ret = ring_buffer_unmap(iter->array_buffer->buffer, iter->cpu_file);
+ if (ret == -ENODEV) {
+ /*
+ * This VMA was split from the original mapping. Since
+ * ring buffer mappings do not support partial mappings,
+ * the split VMA does not hold a reference.
+ */
+ return;
+ }
put_snapshot_map(iter->tr);
}
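Review bot: The new `ret` check after ring_buffer_unmap() in tracing_buffers_mmap_close() handles only -ENODEV, so any other nonzero return now falls through to put_snapshot_map() without the diagnostic the removed WARN_ON gave; keep a `WARN_ON(ret)` after the -ENODEV branch so unexpected errors stay visible. Returning silently on -ENODEV also leaves the imbalance itself in place: per the commit message, the first close of a split portion already brings user_mapped to 0 and runs put_snapshot_map() while the other portion can still be mapped. Since the added comment states that ring buffer mappings do not support partial mappings, consider refusing the split up front (for example through the vm_operations_struct may_split callback) so that close runs once per ring_buffer_map(), rather than tolerating the extra close here.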
--
2.43.0