From: Vincent Donnefort <vdonnefort@google.com>
To: Qing Wang <wangqing7171@gmail.com>
Cc: Steven Rostedt <rostedt@goodmis.org>,
Masami Hiramatsu <mhiramat@kernel.org>,
Mathieu Desnoyers <mathieu.desnoyers@efficios.com>,
linux-kernel@vger.kernel.org, linux-trace-kernel@vger.kernel.org,
syzbot+3b5dd2030fe08afdf65d@syzkaller.appspotmail.com
Subject: Re: [PATCH] tracing: Fix WARN_ON in tracing_buffers_mmap_close
Date: Fri, 27 Feb 2026 10:02:00 +0000 [thread overview]
Message-ID: <aaFrmHzIAkEe7ufy@google.com> (raw)
In-Reply-To: <20260227025842.1085206-1-wangqing7171@gmail.com>
On Fri, Feb 27, 2026 at 10:58:42AM +0800, Qing Wang wrote:
> When a process forks, the child process copies the parent's VMAs but the
> user_mapped reference count is not incremented. As a result, when both the
> parent and child processes exit, tracing_buffers_mmap_close() is called
> twice. On the second call, user_mapped is already 0, causing the function to
> return -ENODEV and triggering a WARN_ON.
>
> Fix it by incrementing the user_mapped reference count without re-mapping
> the pages in the VMA's open callback.
Hum, not sure this is entirely correct. We do set VM_DONTCOPY when creating the
mapping (see __rb_map_vma). So AFAICT ->open() is not called in this situation (see
dup_mmap())
>
> Fixes: cf9f0f7c4c5bb ("tracing: Allow user-space mapping of the ring-buffer")
> Reported-by: syzbot+3b5dd2030fe08afdf65d@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=3b5dd2030fe08afdf65d
> Tested-by: syzbot+3b5dd2030fe08afdf65d@syzkaller.appspotmail.com
> Signed-off-by: Qing Wang <wangqing7171@gmail.com>
> ---
> include/linux/ring_buffer.h | 1 +
> kernel/trace/ring_buffer.c | 21 +++++++++++++++++++++
> kernel/trace/trace.c | 13 +++++++++++++
> 3 files changed, 35 insertions(+)
>
> diff --git a/include/linux/ring_buffer.h b/include/linux/ring_buffer.h
> index 876358cfe1b1..d862fa610270 100644
> --- a/include/linux/ring_buffer.h
> +++ b/include/linux/ring_buffer.h
> @@ -248,6 +248,7 @@ int trace_rb_cpu_prepare(unsigned int cpu, struct hlist_node *node);
>
> int ring_buffer_map(struct trace_buffer *buffer, int cpu,
> struct vm_area_struct *vma);
> +void ring_buffer_map_dup(struct trace_buffer *buffer, int cpu);
> int ring_buffer_unmap(struct trace_buffer *buffer, int cpu);
> int ring_buffer_map_get_reader(struct trace_buffer *buffer, int cpu);
> #endif /* _LINUX_RING_BUFFER_H */
> diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
> index f16f053ef77d..17d0ea0cc3e6 100644
> --- a/kernel/trace/ring_buffer.c
> +++ b/kernel/trace/ring_buffer.c
> @@ -7310,6 +7310,27 @@ int ring_buffer_map(struct trace_buffer *buffer, int cpu,
> return err;
> }
>
> +/*
> + * This is called when a VMA is duplicated (e.g., on fork()) to increment
> + * the user_mapped counter without remapping pages.
> + */
> +void ring_buffer_map_dup(struct trace_buffer *buffer, int cpu)
> +{
> + struct ring_buffer_per_cpu *cpu_buffer;
> +
> + if (WARN_ON(!cpumask_test_cpu(cpu, buffer->cpumask)))
> + return;
> +
> + cpu_buffer = buffer->buffers[cpu];
> +
> + guard(mutex)(&cpu_buffer->mapping_lock);
> +
> + if (cpu_buffer->user_mapped)
> + __rb_inc_dec_mapped(cpu_buffer, true);
> + else
> + WARN(1, "Unexpected buffer stat, it should be mapped");
> +}
> +
> int ring_buffer_unmap(struct trace_buffer *buffer, int cpu)
> {
> struct ring_buffer_per_cpu *cpu_buffer;
> diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
> index 23de3719f495..1e7c032a72d2 100644
> --- a/kernel/trace/trace.c
> +++ b/kernel/trace/trace.c
> @@ -8213,6 +8213,18 @@ static inline int get_snapshot_map(struct trace_array *tr) { return 0; }
> static inline void put_snapshot_map(struct trace_array *tr) { }
> #endif
>
> +/*
> + * This is called when a VMA is duplicated (e.g., on fork()) to increment
> + * the user_mapped counter without remapping pages.
> + */
> +static void tracing_buffers_mmap_open(struct vm_area_struct *vma)
> +{
> + struct ftrace_buffer_info *info = vma->vm_file->private_data;
> + struct trace_iterator *iter = &info->iter;
> +
> + ring_buffer_map_dup(iter->array_buffer->buffer, iter->cpu_file);
> +}
> +
> static void tracing_buffers_mmap_close(struct vm_area_struct *vma)
> {
> struct ftrace_buffer_info *info = vma->vm_file->private_data;
> @@ -8232,6 +8244,7 @@ static int tracing_buffers_may_split(struct vm_area_struct *vma, unsigned long a
> }
>
> static const struct vm_operations_struct tracing_buffers_vmops = {
> + .open = tracing_buffers_mmap_open,
> .close = tracing_buffers_mmap_close,
> .may_split = tracing_buffers_may_split,
> };
> --
> 2.34.1
>
next prev parent reply other threads:[~2026-02-27 10:02 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-27 2:58 [PATCH] tracing: Fix WARN_ON in tracing_buffers_mmap_close Qing Wang
2026-02-27 10:02 ` Vincent Donnefort [this message]
2026-02-27 10:41 ` Vincent Donnefort
2026-02-27 11:22 ` Vincent Donnefort
2026-02-27 15:20 ` Steven Rostedt
2026-02-27 20:56 ` Steven Rostedt
2026-03-02 12:13 ` Lorenzo Stoakes
2026-03-02 16:52 ` Steven Rostedt
2026-03-03 10:19 ` Lorenzo Stoakes
2026-03-03 15:25 ` Steven Rostedt
2026-03-04 17:30 ` Lorenzo Stoakes (Oracle)
2026-02-28 8:59 ` Qing Wang
2026-02-27 15:10 ` Steven Rostedt
2026-02-27 15:16 ` Vincent Donnefort
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aaFrmHzIAkEe7ufy@google.com \
--to=vdonnefort@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-trace-kernel@vger.kernel.org \
--cc=mathieu.desnoyers@efficios.com \
--cc=mhiramat@kernel.org \
--cc=rostedt@goodmis.org \
--cc=syzbot+3b5dd2030fe08afdf65d@syzkaller.appspotmail.com \
--cc=wangqing7171@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox