Date: Fri, 27 Feb 2026 10:41:17 +0000
From: Vincent Donnefort
To: Qing Wang
Cc: Steven Rostedt, Masami Hiramatsu, Mathieu Desnoyers, linux-kernel@vger.kernel.org, linux-trace-kernel@vger.kernel.org, syzbot+3b5dd2030fe08afdf65d@syzkaller.appspotmail.com
Subject: Re: [PATCH] tracing: Fix WARN_ON in tracing_buffers_mmap_close
References: <20260227025842.1085206-1-wangqing7171@gmail.com>

On Fri, Feb 27, 2026 at 10:02:00AM +0000, Vincent Donnefort wrote:
> On Fri, Feb 27, 2026 at 10:58:42AM +0800, Qing Wang wrote:
> > When a process forks, the child process copies the parent's VMAs but the
> > user_mapped reference count is not incremented. As a result, when both the
> > parent and child processes exit, tracing_buffers_mmap_close() is called
> > twice. On the second call, user_mapped is already 0, causing the function to
> > return -ENODEV and triggering a WARN_ON.
> >
> > Fix it by incrementing the user_mapped reference count without re-mapping
> > the pages in the VMA's open callback.
>
> Hum, not sure this is entirely correct. We do set VM_DONTCOPY when creating the
> mapping (see __rb_map_vma). So AFAICT ->open() is not called in this situation (see
> dup_mmap())

Ah right, Syzkaller is using madvise(MADVISE_DOFORK) which resets VM_DONTCOPY.

>
> >
> > Fixes: cf9f0f7c4c5bb ("tracing: Allow user-space mapping of the ring-buffer")
> > Reported-by: syzbot+3b5dd2030fe08afdf65d@syzkaller.appspotmail.com
> > Closes: https://syzkaller.appspot.com/bug?extid=3b5dd2030fe08afdf65d
> > Tested-by: syzbot+3b5dd2030fe08afdf65d@syzkaller.appspotmail.com
> > Signed-off-by: Qing Wang
> > ---
> >  include/linux/ring_buffer.h |  1 +
> >  kernel/trace/ring_buffer.c  | 21 +++++++++++++++++++++
> >  kernel/trace/trace.c        | 13 +++++++++++++
> >  3 files changed, 35 insertions(+)
> > > > diff --git a/include/linux/ring_buffer.h b/include/linux/ring_buffer.h > > index 876358cfe1b1..d862fa610270 100644 > > --- a/include/linux/ring_buffer.h > > +++ b/include/linux/ring_buffer.h > > @@ -248,6 +248,7 @@ int trace_rb_cpu_prepare(unsigned int cpu, struct hlist_node *node); > > > > int ring_buffer_map(struct trace_buffer *buffer, int cpu, > > struct vm_area_struct *vma); > > +void ring_buffer_map_dup(struct trace_buffer *buffer, int cpu); > > int ring_buffer_unmap(struct trace_buffer *buffer, int cpu); > > int ring_buffer_map_get_reader(struct trace_buffer *buffer, int cpu); > > #endif /* _LINUX_RING_BUFFER_H */ > > diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c > > index f16f053ef77d..17d0ea0cc3e6 100644 > > --- a/kernel/trace/ring_buffer.c > > +++ b/kernel/trace/ring_buffer.c > > @@ -7310,6 +7310,27 @@ int ring_buffer_map(struct trace_buffer *buffer, int cpu, > > return err; > > } > > > > +/* > > + * This is called when a VMA is duplicated (e.g., on fork()) to increment > > + * the user_mapped counter without remapping pages. > > + */ > > +void ring_buffer_map_dup(struct trace_buffer *buffer, int cpu) > > +{ > > + struct ring_buffer_per_cpu *cpu_buffer; > > + > > + if (WARN_ON(!cpumask_test_cpu(cpu, buffer->cpumask))) > > + return; > > + > > + cpu_buffer = buffer->buffers[cpu]; > > + > > + guard(mutex)(&cpu_buffer->mapping_lock); > > + > > + if (cpu_buffer->user_mapped) > > + __rb_inc_dec_mapped(cpu_buffer, true); > > + else > > + WARN(1, "Unexpected buffer stat, it should be mapped"); > > +} > > + > > int ring_buffer_unmap(struct trace_buffer *buffer, int cpu) > > { > > struct ring_buffer_per_cpu *cpu_buffer; > > diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c > > index 23de3719f495..1e7c032a72d2 100644 > > --- a/kernel/trace/trace.c > > +++ b/kernel/trace/trace.c 
> > @@ -8213,6 +8213,18 @@ static inline int get_snapshot_map(struct trace_array *tr) { return 0; } > > static inline void put_snapshot_map(struct trace_array *tr) { } > > #endif > > > > +/* > > + * This is called when a VMA is duplicated (e.g., on fork()) to increment > > + * the user_mapped counter without remapping pages. > > + */ > > +static void tracing_buffers_mmap_open(struct vm_area_struct *vma) > > +{ > > + struct ftrace_buffer_info *info = vma->vm_file->private_data; > > + struct trace_iterator *iter = &info->iter; > > + > > + ring_buffer_map_dup(iter->array_buffer->buffer, iter->cpu_file); > > +} > > + > > static void tracing_buffers_mmap_close(struct vm_area_struct *vma) > > { > > struct ftrace_buffer_info *info = vma->vm_file->private_data; > > @@ -8232,6 +8244,7 @@ static int tracing_buffers_may_split(struct vm_area_struct *vma, unsigned long a > > } > > > > static const struct vm_operations_struct tracing_buffers_vmops = { > > + .open = tracing_buffers_mmap_open, > > .close = tracing_buffers_mmap_close, > > .may_split = tracing_buffers_may_split, > > }; > > -- > > 2.34.1 > >
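
Review bot: in ring_buffer_map_dup() (kernel/trace/ring_buffer.c hunk), the else branch's WARN(1, "Unexpected buffer stat, it should be mapped") misspells "state" and has no trailing newline. Folding the test into if (WARN_ON(!cpu_buffer->user_mapped)) return; would match the cpumask check a few lines above and avoid the free-form message. The comment's "e.g., on fork()" is also incomplete given the discussion above: the mapping is created with VM_DONTCOPY, so the comment should say the callback is reached only after that flag has been cleared on the VMA.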
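
Review bot: tracing_buffers_mmap_open() in the first kernel/trace/trace.c hunk takes only the ring-buffer reference, while the context lines directly above it show the get_snapshot_map()/put_snapshot_map() pair. If tracing_buffers_mmap_close() drops a snapshot-map reference on each call, a duplicated VMA leaves that count unbalanced, so the open callback should either take the matching reference or the commit message should explain why none is needed. The comment here is a verbatim copy of the one on ring_buffer_map_dup(); one of the two could instead describe when ->open() is invoked for this mapping.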