Date: Fri, 27 Feb 2026 10:02:00 +0000
From: Vincent Donnefort
To: Qing Wang
Cc: Steven Rostedt, Masami Hiramatsu, Mathieu Desnoyers, linux-kernel@vger.kernel.org, linux-trace-kernel@vger.kernel.org, syzbot+3b5dd2030fe08afdf65d@syzkaller.appspotmail.com
Subject: Re: [PATCH] tracing: Fix WARN_ON in tracing_buffers_mmap_close
In-Reply-To: <20260227025842.1085206-1-wangqing7171@gmail.com>

On Fri, Feb 27, 2026 at 10:58:42AM +0800, Qing Wang wrote:
> When a process forks, the child process copies the parent's VMAs but the
> user_mapped reference count is not incremented. As a result, when both the
> parent and child processes exit, tracing_buffers_mmap_close() is called
> twice. On the second call, user_mapped is already 0, causing the function to
> return -ENODEV and triggering a WARN_ON.
>
> Fix it by incrementing the user_mapped reference count without re-mapping
> the pages in the VMA's open callback.

Hum, not sure this is entirely correct. We do set VM_DONTCOPY when creating the
mapping (see __rb_map_vma). So AFAICT ->open() is not called in this situation
(see dup_mmap())

>
> Fixes: cf9f0f7c4c5bb ("tracing: Allow user-space mapping of the ring-buffer")
> Reported-by: syzbot+3b5dd2030fe08afdf65d@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=3b5dd2030fe08afdf65d
> Tested-by: syzbot+3b5dd2030fe08afdf65d@syzkaller.appspotmail.com
> Signed-off-by: Qing Wang
> --- > include/linux/ring_buffer.h | 1 + > kernel/trace/ring_buffer.c | 21 +++++++++++++++++++++ > kernel/trace/trace.c | 13 +++++++++++++ > 3 files changed, 35 insertions(+) > > diff --git a/include/linux/ring_buffer.h b/include/linux/ring_buffer.h > index 876358cfe1b1..d862fa610270 100644 > --- a/include/linux/ring_buffer.h 
> +++ b/include/linux/ring_buffer.h > @@ -248,6 +248,7 @@ int trace_rb_cpu_prepare(unsigned int cpu, struct hlist_node *node); > > int ring_buffer_map(struct trace_buffer *buffer, int cpu, > struct vm_area_struct *vma); > +void ring_buffer_map_dup(struct trace_buffer *buffer, int cpu); > int ring_buffer_unmap(struct trace_buffer *buffer, int cpu); > int ring_buffer_map_get_reader(struct trace_buffer *buffer, int cpu); > #endif /* _LINUX_RING_BUFFER_H */ > diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c > index f16f053ef77d..17d0ea0cc3e6 100644 > --- a/kernel/trace/ring_buffer.c > +++ b/kernel/trace/ring_buffer.c > @@ -7310,6 +7310,27 @@ int ring_buffer_map(struct trace_buffer *buffer, int cpu, > return err; > } > > +/* > + * This is called when a VMA is duplicated (e.g., on fork()) to increment > + * the user_mapped counter without remapping pages. > + */ > +void ring_buffer_map_dup(struct trace_buffer *buffer, int cpu) > +{ > + struct ring_buffer_per_cpu *cpu_buffer; > + > + if (WARN_ON(!cpumask_test_cpu(cpu, buffer->cpumask))) > + return; > + > + cpu_buffer = buffer->buffers[cpu]; > + > + guard(mutex)(&cpu_buffer->mapping_lock); > + > + if (cpu_buffer->user_mapped) > + __rb_inc_dec_mapped(cpu_buffer, true); > + else > + WARN(1, "Unexpected buffer stat, it should be mapped"); > +} > + > int ring_buffer_unmap(struct trace_buffer *buffer, int cpu) > { > struct ring_buffer_per_cpu *cpu_buffer; > diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c > index 23de3719f495..1e7c032a72d2 100644 > --- a/kernel/trace/trace.c > +++ b/kernel/trace/trace.c 
> @@ -8213,6 +8213,18 @@ static inline int get_snapshot_map(struct trace_array *tr) { return 0; } > static inline void put_snapshot_map(struct trace_array *tr) { } > #endif > > +/* > + * This is called when a VMA is duplicated (e.g., on fork()) to increment > + * the user_mapped counter without remapping pages. > + */ > +static void tracing_buffers_mmap_open(struct vm_area_struct *vma) > +{ > + struct ftrace_buffer_info *info = vma->vm_file->private_data; > + struct trace_iterator *iter = &info->iter; > + > + ring_buffer_map_dup(iter->array_buffer->buffer, iter->cpu_file); > +} > + > static void tracing_buffers_mmap_close(struct vm_area_struct *vma) > { > struct ftrace_buffer_info *info = vma->vm_file->private_data; > @@ -8232,6 +8244,7 @@ static int tracing_buffers_may_split(struct vm_area_struct *vma, unsigned long a > } > > static const struct vm_operations_struct tracing_buffers_vmops = { > + .open = tracing_buffers_mmap_open, > .close = tracing_buffers_mmap_close, > .may_split = tracing_buffers_may_split, > }; > -- > 2.34.1 >
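
Review bot: In ring_buffer_map_dup() (kernel/trace/ring_buffer.c hunk), both failure paths, the cpumask WARN_ON and the else branch where user_mapped is 0, return without taking a reference, while the duplicated VMA still has .close = tracing_buffers_mmap_close, so the later close would hit the same -ENODEV WARN_ON the commit message describes. The callback returns void and cannot refuse the duplication, so the comment should say this is accepted. The else branch could also be folded into "if (WARN_ON(!cpu_buffer->user_mapped)) return;", which drops the free-text message and its typo ("stat" for "state").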
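
Review bot: The comment above tracing_buffers_mmap_open() (kernel/trace/trace.c, first hunk) names fork() as the case being handled, but the reply points out that the mapping is created with VM_DONTCOPY (see __rb_map_vma), so dup_mmap() would not call ->open() for it. The comment and the commit message should name the path that actually reaches ->open() in the syzbot reproducer. The same comment is repeated verbatim above ring_buffer_map_dup(); one copy, on the ring-buffer helper, would be enough.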
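
A user-space model of the reference-count argument in this thread, added here as an example; it is not kernel code and not part of the patch or of the reply. The names model_open, model_close, model_dup and run_scenario and the flag value are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Simplified model, not kernel code; flag value and names are made up. */
#define VM_DONTCOPY 0x1u
struct vma { unsigned int flags; const struct vm_ops *ops; int *user_mapped; };
struct vm_ops { void (*open)(struct vma *); int (*close)(struct vma *); };

static void model_open(struct vma *v) { (*v->user_mapped)++; }

/* As the commit message describes: -ENODEV once user_mapped is already 0. */
static int model_close(struct vma *v)
{
    if (*v->user_mapped == 0)
        return -ENODEV;
    (*v->user_mapped)--;
    return 0;
}

/* Fork-time copy: VM_DONTCOPY VMAs are skipped, others get ->open() if set. */
static bool model_dup(const struct vma *parent, struct vma *child)
{
    if (parent->flags & VM_DONTCOPY)
        return false;
    *child = *parent;
    if (child->ops->open)
        child->ops->open(child);
    return true;
}

/* Map once, fork once, exit both; returns 0 or the failing close() result. */
int run_scenario(unsigned int flags, bool with_open)
{
    int user_mapped = 1; /* reference taken by the initial mmap() */
    struct vm_ops ops = { with_open ? model_open : NULL, model_close };
    struct vma parent = { flags, &ops, &user_mapped }, child = { 0 };
    int child_ret = model_dup(&parent, &child) ? child.ops->close(&child) : 0;
    int parent_ret = parent.ops->close(&parent);
    return child_ret ? child_ret : parent_ret;
}

int main(void)
{
    printf("no ->open(): %d, with ->open(): %d, VM_DONTCOPY: %d\n",
           run_scenario(0, false), run_scenario(0, true),
           run_scenario(VM_DONTCOPY, false));
    return 0;
}
```

In the model the unbalanced close only appears when the VMA is copied without an ->open() callback; with VM_DONTCOPY set the copy never happens, which is the objection raised in the reply.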