[BUG] [REGRESSION] Regression in 7.0-rc2: WARNING in maple_tree during __mmap_region error path
From: song yang
Date: Tue Mar 10 2026 - 20:30:48 EST
Hi Liam and MM maintainers,
I have identified a regression in the Linux 7.0-rc2 kernel involving
the Maple Tree iterator during a VMA split error path.
The issue triggers a MAS_WARN_ON in the Maple Tree headers when
fault injection is used to simulate memory allocation failures.
1. Kernel Information:
- Version: 7.0.0-rc2-g5ee8dbf54602
- Architecture: x86_64
- Relevant Configs: CONFIG_FAULT_INJECTION, CONFIG_DEBUG_VM_MAPLE_TREE
2. Problem Description:
A WARNING is triggered at include/linux/maple_tree.h:749 within
__mmap_region+0x1a82/0x2650. This occurs during
a MAP_FIXED mmap call that requires splitting an existing VMA.
When vm_area_dup or similar allocations fail due to fault injection
(via /proc/thread-self/fail-nth), the error rollback path attempts
to reconfigure the VMA iterator.
However, the iterator (mas) appears to be in an inconsistent state
where the new start address exceeds the recorded last address.
Log evidence (register state):
- RSI (start address): 00002000001e3000
- R13 (mas->last): 00002000001e2fff
Violation: start > mas->last.
3. Call Trace Snippet:
[ 26.423091] WARNING: ./include/linux/maple_tree.h:749 at
__mmap_region+0x1a82/0x2650
...
[ 26.444142] mmap_region+0x19c/0x360
[ 26.444653] do_mmap+0xcc7/0x11f0
[ 26.446925] vm_mmap_pgoff+0x20a/0x380
[ 26.452704] do_syscall_64+0xf1/0x530
4. Security Impact:
While currently manifesting as a warning, this inconsistency suggests
a foundational failure in the Maple Tree state machine during error
recovery. This could potentially lead to
Use-After-Free (UAF) scenarios or overlapping VMAs, which are
exploitable for local privilege escalation.
5. Reproducer:
The issue was discovered using syzkaller-based fuzzing.
A simplified C reproducer is attached below that utilizes
fault-injection to trigger the failure path.
Reproduction steps:
# echo 13 > /proc/thread-self/fail-nth
# ./repro
Best regards,
Song Yang
Attachment:
repro.c
Description: Binary data
Attachment:
kernel_crash.log
Description: Binary data
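Added illustration, not the reporter's attached repro.c: a user-space C program that performs the benign part of the scenario described above (a MAP_FIXED mapping placed over the middle of an existing anonymous mapping, which forces the kernel to split the original VMA) and then reads /proc/self/maps to confirm the range is covered by three VMAs and that no two VMAs overlap, the invariant the report is concerned about. It does no fault injection; split_vma_demo and count_vmas_in_range are names chosen here.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Count the VMAs in /proc/self/maps that intersect [lo, hi) and flag any entry
 * whose start lies below the previous entry's end (an overlapping VMA). */
static int count_vmas_in_range(unsigned long lo, unsigned long hi, int *overlap)
{
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    char line[512];
    unsigned long s, e, prev_end = 0;
    int n = 0;
    *overlap = 0;
    while (fgets(line, sizeof line, f)) {
        if (sscanf(line, "%lx-%lx", &s, &e) != 2) continue;
        if (s < prev_end) *overlap = 1;   /* entries are sorted by address */
        prev_end = e;
        if (s < hi && e > lo) n++;
    }
    fclose(f);
    return n;
}

/* Map three anonymous RW pages, then MAP_FIXED a read-only page over the middle
 * one. The kernel must split the original VMA and insert a new one between the
 * halves, so the range is afterwards covered by exactly three VMAs.
 * Returns that count, -1 on mmap or /proc failure, -2 if any VMAs overlap. */
int split_vma_demo(void)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE), len = 3 * pg;
    char *base = mmap(NULL, len, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return -1;
    void *mid = mmap(base + pg, pg, PROT_READ,
                     MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    int overlap = 0, n = -1;
    if (mid != MAP_FAILED)
        n = count_vmas_in_range((unsigned long)base, (unsigned long)base + len,
                                &overlap);
    munmap(base, len);
    return overlap ? -2 : n;
}

int main(void)
{
    printf("VMAs covering the range after the split: %d\n", split_vma_demo());
    return 0;
}
```

On a Linux host the program prints 3; a result of -2 would mean /proc/self/maps showed overlapping VMAs, which is the corrupted state the report warns could follow from the broken error path.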