[BUG] Regression in 7.0-rc2: WARNING in maple_tree during __mmap_region error path
From: song yang
Date: Tue Mar 10 2026 - 20:26:05 EST
1. Summary
A regression was identified in the 7.0.0-rc2 kernel where a WARNING is triggered at include/linux/maple_tree.h:749 during an error rollback in __mmap_region. The issue occurs when fault injection (failslab) is used to simulate an allocation failure during a mmap operation that involves a VMA split. This suggests the Maple Tree iterator enters an inconsistent state during the error handling path.
2. Environment Information
Kernel Version: 7.0.0-rc2-g5ee8dbf54602.
Architecture: x86_64.
Config: CONFIG_FAULT_INJECTION=y, CONFIG_DEBUG_VM_MAPLE_TREE=y.
Hardware: QEMU Ubuntu 24.04 PC v2.
3. Detailed Description
The WARNING occurs in __mas_set_range when the iterator is active and a new range is set where the start address exceeds the current recorded end of the range.
In the provided logs, the register state shows:
RSI (start): 00002000001e3000
R13 (mas->last): 00002000001e2fff
Because start > mas->last, the assertion MAS_WARN_ON(mas, mas_is_active(mas) && (mas->index > start || mas->last < start)) fails. This happens during the rollback of a failed mmap call initiated via do_mmap and mmap_region.
4. Call Trace
[ 26.423091] WARNING: ./include/linux/maple_tree.h:749 at __mmap_region+0x1a82/0x2650
...
[ 26.427870] RIP: 0010:__mmap_region+0x1a82/0x2650
...
[ 26.439165] Call Trace:
[ 26.439499] <TASK>
[ 26.443459] ? mm_get_unmapped_area_vmflags+0xd7/0x130
[ 26.444142] mmap_region+0x19c/0x360
[ 26.444653] do_mmap+0xcc7/0x11f0
[ 26.446925] vm_mmap_pgoff+0x20a/0x380
[ 26.449541] ksys_mmap_pgoff+0xdb/0x5a0
[ 26.452189] __x64_sys_mmap+0x125/0x190
[ 26.452704] do_syscall_64+0xf1/0x530
(Full log provided in attachment)
5. Reproducer
The issue can be reproduced consistently by running the attached C program under a fault-injection-enabled kernel. The program targets address 0x2000001e3000 with MAP_FIXED and utilizes /proc/thread-self/fail-nth to trigger a slab allocation failure.
Steps to reproduce:
1. Compile the reproducer: gcc -static repro.c -o repro -lpthread
2. Enable fault injection: echo 1 > /sys/kernel/debug/failslab/cache-filter
3. Run the binary as root: ./repro
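A harness for the reproducer mechanism described above, added here as an example (it is not the attached repro.c): it arms /proc/thread-self/fail-nth, performs a MAP_FIXED mmap at the reported address that forces a VMA split, and reads fail-nth back to learn whether the injected allocation failure actually fired. The three-page mapping layout, the helper names and the fail-nth count are assumptions of this example; failslab still has to be enabled as root as in step 2 for the failure to reach __mmap_region.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_FIXED_NOREPLACE
#define MAP_FIXED_NOREPLACE 0x100000   /* Linux >= 4.17 value, for older libc headers */
#endif
#define BASE_ADDR 0x2000001e3000UL     /* the address named in the report */
#define PAGE_SZ   4096UL

enum fi_result { FI_UNAVAILABLE = -1, FI_NOT_TRIGGERED = 0, FI_TRIGGERED = 1 };

/* Userspace model of MAS_WARN_ON(mas, mas_is_active(mas) && (mas->index > start ||
 * mas->last < start)): 1 when a new range at 'start' lies outside [index, last]. */
int mas_range_violation(uint64_t index, uint64_t last, uint64_t start)
{
    return index > start || last < start;
}

/* One MAP_FIXED mmap that splits an existing VMA while the nth slab allocation of
 * this thread is armed to fail via fail-nth. Layout is this example's assumption. */
int mmap_split_with_fail_nth(unsigned nth)
{
    char buf[16];
    int fd = open("/proc/thread-self/fail-nth", O_RDWR);
    if (fd < 0)
        return FI_UNAVAILABLE;  /* no CONFIG_FAULT_INJECTION, or access denied */
    /* Three pages starting one page below BASE_ADDR; NOREPLACE never clobbers anything. */
    void *m = mmap((void *)(BASE_ADDR - PAGE_SZ), 3 * PAGE_SZ, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED_NOREPLACE, -1, 0);
    if (m == MAP_FAILED) { close(fd); return FI_UNAVAILABLE; }
    int len = snprintf(buf, sizeof buf, "%u", nth);
    if (write(fd, buf, len) != len) { munmap(m, 3 * PAGE_SZ); close(fd); return FI_UNAVAILABLE; }
    /* MAP_FIXED over the middle page: __mmap_region must split the VMA, so the
     * left part ends at BASE_ADDR - 1, the R13 (mas->last) value in the report. */
    (void)mmap((void *)BASE_ADDR, PAGE_SZ, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    /* The kernel resets fail-nth to 0 once the armed failure has fired. */
    memset(buf, 0, sizeof buf);
    int triggered = read(fd, buf, sizeof buf - 1) > 0 && buf[0] == '0';
    if (write(fd, "0", 1) != 1) perror("disarm fail-nth");  /* disarm if it never fired */
    close(fd);
    munmap(m, 3 * PAGE_SZ);
    return triggered ? FI_TRIGGERED : FI_NOT_TRIGGERED;
}
```

Run it as root after step 2; FI_NOT_TRIGGERED means no allocation in the mmap path reached the armed counter, which is also what you see when failslab is built but not configured to fail the caches involved.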
6. Potential Root Cause
The transition to the new VMA management logic in 7.0 seems to have introduced an edge case in __mmap_region. When a helper like anon_vma_clone fails, the error path attempts to reconfigure the VMA iterator for cleanup without resetting its state (e.g., via mas_reset), leading to a range violation if the iterator was positioned at the boundary of the previous slot.
Attachments: repro.c, kernel_crash.log