*1. Summary*

A regression was identified in the *7.0.0-rc2* kernel where a WARNING fires at include/linux/maple_tree.h:749 during the error rollback in __mmap_region. It is triggered when fault injection (failslab) simulates a slab allocation failure inside an mmap call that requires a VMA split. The warning means the Maple Tree iterator behind the VMA iterator is re-ranged to an address outside the slot it currently points at while still on the error-handling path.

*2. Environment Information*

- *Kernel Version:* 7.0.0-rc2-g5ee8dbf54602
- *Architecture:* x86_64
- *Config:* CONFIG_FAULT_INJECTION=y, CONFIG_DEBUG_VM_MAPLE_TREE=y. Reproducing also needs CONFIG_FAILSLAB=y and, for the debugfs knobs used in section 5, CONFIG_FAULT_INJECTION_DEBUG_FS=y; /proc/thread-self/fail-nth itself only needs CONFIG_FAULT_INJECTION.
- *Hardware:* QEMU Ubuntu 24.04 PC v2

*3. Detailed Description*

The WARNING is raised by __mas_set_range() when the iterator is active and the caller sets a new range whose start lies outside the slot the iterator currently covers. The check is:

    MAS_WARN_ON(mas, mas_is_active(mas) && (mas->index > start || mas->last < start));

In the provided log the register state at the WARNING is:

- *RSI (start):* 00002000001e3000
- *R13 (mas->last):* 00002000001e2fff

start is exactly one byte past mas->last, i.e. the first address after the current slot. Because mas->last < start, the second operand of the condition is true and the assertion fails. In other words, the iterator was still positioned on the range that ends immediately before the MAP_FIXED target address (section 5) when the rollback code asked it to operate on the target address without first repositioning it. This happens during the rollback of a failed mmap call that reached __mmap_region via do_mmap and mmap_region.

*4. Call Trace*

    [ 26.423091] WARNING: ./include/linux/maple_tree.h:749 at __mmap_region+0x1a82/0x2650
    ...
    [ 26.427870] RIP: 0010:__mmap_region+0x1a82/0x2650
    ...
    [ 26.439165] Call Trace:
    [ 26.439499]
    [ 26.443459] ? mm_get_unmapped_area_vmflags+0xd7/0x130
    [ 26.444142] mmap_region+0x19c/0x360
    [ 26.444653] do_mmap+0xcc7/0x11f0
    [ 26.446925] vm_mmap_pgoff+0x20a/0x380
    [ 26.449541] ksys_mmap_pgoff+0xdb/0x5a0
    [ 26.452189] __x64_sys_mmap+0x125/0x190
    [ 26.452704] do_syscall_64+0xf1/0x530

*(Full log provided in attachment)*

Note that the mm_get_unmapped_area_vmflags entry is prefixed with "?", which marks it as an address the unwinder found on the stack but could not confirm as part of the call chain; it is a stale frame and should not be read as the caller. __mmap_region does not appear as a separate frame because the faulting RIP is inside it.

*5. Reproducer*

The issue reproduces consistently by running the attached C program on a fault-injection-enabled kernel. The program targets address 0x2000001e3000 with MAP_FIXED and uses /proc/thread-self/fail-nth to make the n-th slab allocation reached by the calling thread fail.

*Steps to reproduce:*

1. Compile the reproducer: gcc -static repro.c -o repro -lpthread
2. Enable fault injection: echo 1 > /sys/kernel/debug/failslab/cache-filter
3. Run the binary as root: ./repro

Two failslab details matter when reproducing on another kernel. First, cache-filter=1 restricts injection to slab caches explicitly marked via /sys/kernel/slab/<cache>/failslab, so the cache that should fail must be marked, or cache-filter left at its default of N so that fail-nth can hit any slab allocation. Second, failslab ignores allocations that may direct-reclaim by default, which covers the GFP_KERNEL allocations on the mmap path; set ignore-gfp-wait to N (echo N > /sys/kernel/debug/failslab/ignore-gfp-wait) or the fail-nth counter will never land on them. Setting verbose to 2 (echo 2 > /sys/kernel/debug/failslab/verbose) makes the kernel print a stack trace at the injected failure, which identifies exactly which allocation was failed in a given run.

*6. Potential Root Cause*

The VMA management changes that landed for 7.0 appear to have introduced an edge case in the __mmap_region error path. The hypothesis is that when an allocation inside a helper such as anon_vma_clone() fails, the cleanup code re-ranges the VMA iterator without first resetting it (mas_reset()) or walking it to the new position; if the iterator was left at the end of the previous slot, the new start is one byte past mas->last and the __mas_set_range() check fires. This would fit a caller such as vma_iter_config(), which wraps __mas_set_range() directly, whereas vma_iter_set() goes through mas_set() and resets the iterator first. This is a hypothesis from reading the log, not a confirmed root cause: a bisect between the last tag on which the reproducer stays silent and 5ee8dbf54602, combined with the verbose failslab stack trace from section 5, would pin down both the commit and the allocation that fails.
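As an added example, not the attached repro.c and not kernel code, the following C program sketches the reproducer described in section 5 and includes a user-space replica of the __mas_set_range() condition from section 3, so the register values in the log can be checked against it. The three-page layout around the target address, the 4 KiB page size, the mas->index value used in main(), and the fail-nth sweep range are assumptions; the kernel's actual number and order of allocation sites on this path is not known from the report.

```c
/* Added example: sketch of the section 5 reproducer plus a replica of the
 * maple-tree range check. NOT the attached repro.c. Linux only, run as root
 * on a kernel with CONFIG_FAILSLAB and failslab/ignore-gfp-wait set to N. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_FIXED_NOREPLACE
#define MAP_FIXED_NOREPLACE 0x100000   /* Linux value; absent from old libc headers */
#endif
#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

#define TARGET 0x2000001e3000UL  /* RSI (start) value from the report's WARNING */
#define PAGE   4096UL            /* assumption: 4 KiB pages on x86_64 */

/* Replica of the MAS_WARN_ON() condition in __mas_set_range()
 * (include/linux/maple_tree.h). Returns 1 if the kernel would WARN: an
 * active iterator may only be re-ranged to a start inside its current
 * slot [index, last]. */
int mas_set_range_would_warn(int active, unsigned long index,
                             unsigned long last, unsigned long start)
{
    return active && (index > start || last < start);
}

/* Arm /proc/thread-self/fail-nth: the n-th fault-injection site reached by
 * this thread fails. Returns 0 on success, -1 if the interface is absent
 * (kernel built without CONFIG_FAULT_INJECTION). */
int fail_nth_set(int n)
{
    char buf[16];
    int len = snprintf(buf, sizeof buf, "%d", n);
    int fd = open("/proc/thread-self/fail-nth", O_WRONLY);
    if (fd < 0)
        return -1;
    ssize_t w = write(fd, buf, len);
    close(fd);
    return w == len ? 0 : -1;
}

/* Read fail-nth back. The kernel counts it down and it reads 0 once the
 * injected failure has fired, so a non-zero value after the syscall means
 * the n-th site was never reached. Returns -1 if the read itself fails. */
int fail_nth_get(void)
{
    char buf[16] = {0};
    int fd = open("/proc/thread-self/fail-nth", O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t r = read(fd, buf, sizeof buf - 1);
    close(fd);
    return r > 0 ? atoi(buf) : -1;
}

/* One attempt: map three anonymous RW pages [TARGET-PAGE, TARGET+2*PAGE),
 * fault them in so the VMA gets an anon_vma (so the later split goes through
 * anon_vma_clone()), then MAP_FIXED a read-only page over the middle so the
 * kernel must split the old VMA. The second mmap runs with fail-nth armed.
 * Returns 1 if the injected failure fired inside it, 0 if not, -1 on setup error. */
int try_split_under_fault(int nth, int *mmap_errno)
{
    unsigned long base = TARGET - PAGE;
    void *p = mmap((void *)base, 3 * PAGE, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED_NOREPLACE, -1, 0);
    if (p == MAP_FAILED || (unsigned long)p != base)
        return -1;
    memset(p, 0x41, 3 * PAGE);                 /* populate: anon_vma attached */

    if (fail_nth_set(nth) < 0) {
        munmap(p, 3 * PAGE);
        return -1;
    }
    void *q = mmap((void *)TARGET, PAGE, PROT_READ,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    *mmap_errno = (q == MAP_FAILED) ? errno : 0;  /* save before any other syscall */
    int fired = fail_nth_get() == 0;
    fail_nth_set(0);                           /* disarm before cleanup */
    munmap((void *)base, 3 * PAGE);
    return fired;
}

int main(void)
{
    /* Log state: start is one byte past mas->last. mas->index is assumed. */
    printf("log state would warn: %d\n",
           mas_set_range_would_warn(1, 0x2000001e2000UL, 0x2000001e2fffUL, TARGET));

    /* Sweep fail-nth over the first allocation sites of the split (range is an
     * assumption); check dmesg for the WARNING after each run with fired=1. */
    for (int nth = 1; nth <= 32; nth++) {
        int err = 0;
        int r = try_split_under_fault(nth, &err);
        if (r < 0) {
            fprintf(stderr, "setup failed at nth=%d (no fault injection?)\n", nth);
            return 1;
        }
        printf("nth=%d fired=%d mmap errno=%d (%s)\n", nth, r, err,
               err ? strerror(err) : "ok");
    }
    return 0;
}
```

A run that prints fired=1 is one in which an allocation inside the second mmap was failed; with failslab/verbose set to 2 the kernel log shows which one, and the WARNING from section 4 should follow it for the nth value that lands on the allocation inside the split. The replica check is the quick way to confirm the register reading: any start greater than mas->last trips it, and start equal to mas->last does not.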