6.16-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ankit Khushwaha <ankitkhushwaha.linux@gmail.com>
commit de4cbd704731778a2dc833ce5a24b38e5d672c05 upstream.
The return value from `__rb_map_vma()`, which rejects writable or executable mappings (VM_WRITE, VM_EXEC, or !VM_MAYSHARE), was being ignored. As a result the caller of `__rb_map_vma` always returned 0 even when the mapping had actually failed, allowing it to proceed with an invalid VMA.
Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Link: https://lore.kernel.org/20251008172516.20697-1-ankitkhushwaha.linux@gmail.co...
Fixes: 117c39200d9d7 ("ring-buffer: Introducing ring-buffer mapping functions")
Reported-by: syzbot+ddc001b92c083dbf2b97@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?id=194151be8eaebd826005329b2e123aecae714bd...
Signed-off-by: Ankit Khushwaha <ankitkhushwaha.linux@gmail.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/trace/ring_buffer.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/kernel/trace/ring_buffer.c +++ b/kernel/trace/ring_buffer.c @@ -7180,7 +7180,7 @@ int ring_buffer_map(struct trace_buffer atomic_dec(&cpu_buffer->resize_disabled); }
- return 0; + return err; }
int ring_buffer_unmap(struct trace_buffer *buffer, int cpu)
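Review bot: at the changed `return err;` that ends `ring_buffer_map()`, success and failure now share a single exit, so it is worth confirming that `err` is 0 on every path that reaches it without a failure; the hunk shows only the tail of the function and not where `err` is assigned. The context line `atomic_dec(&cpu_buffer->resize_disabled);` sits in a block just above the return, which suggests the failure cleanup has already run by this point, so callers that now see a non-zero result should be checked to make sure they do not go on to call `ring_buffer_unmap()` for the same CPU. A short comment or kerneldoc line stating that the function propagates the `__rb_map_vma()` error would help keep the return value from being dropped again.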