Commit b042fdf1 authored Nov 19, 2025 by Deepanshu Kartikey Committed by Steven Rostedt (Google) Nov 25, 2025

tracing: Fix WARN_ON in tracing_buffers_mmap_close for split VMAs

When a VMA is split (e.g., by partial munmap or MAP_FIXED), the kernel
calls vm_ops->close on each portion. For trace buffer mappings, this
results in ring_buffer_unmap() being called multiple times while
ring_buffer_map() was only called once.

This causes ring_buffer_unmap() to return -ENODEV on subsequent calls
because user_mapped is already 0, triggering a WARN_ON.

Trace buffer mappings cannot support partial mappings because the ring
buffer structure requires the complete buffer including the meta page.

Fix this by adding a may_split callback that returns -EINVAL to prevent
VMA splits entirely.

Cc: stable@vger.kernel.org
Fixes: cf9f0f7c ("tracing: Allow user-space mapping of the ring-buffer")
Link: https://patch.msgid.link/20251119064019.25904-1-kartikey406@gmail.com
Closes: https://syzkaller.appspot.com/bug?extid=a72c325b042aae6403c7


Tested-by:  <syzbot+a72c325b042aae6403c7@syzkaller.appspotmail.com>
Reported-by:  <syzbot+a72c325b042aae6403c7@syzkaller.appspotmail.com>
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>

parent dcb6fa37

kernel/trace/trace.c

+10 −0

Original line number	Diff line number	Diff line
		@@ -8781,8 +8781,18 @@ static void tracing_buffers_mmap_close(struct vm_area_struct *vma)
		put_snapshot_map(iter->tr);
		}

		static int tracing_buffers_may_split(struct vm_area_struct *vma, unsigned long addr)
		{
		/*
		* Trace buffer mappings require the complete buffer including
		* the meta page. Partial mappings are not supported.
		*/
		return -EINVAL;
		}

		static const struct vm_operations_struct tracing_buffers_vmops = {
		.close = tracing_buffers_mmap_close,
		.may_split = tracing_buffers_may_split,
		};

		static int tracing_buffers_mmap(struct file filp, struct vm_area_struct vma)