A regression was identified in the 7.0.0-rc2 kernel where a WARNING is triggered at include/linux/maple_tree.h:749 during an error rollback in __mmap_region. The issue occurs when fault injection (failslab) is used to simulate an allocation failure during a mmap operation that involves a VMA split. This suggests the Maple Tree iterator enters an inconsistent state during the error handling path.
Kernel Version: 7.0.0-rc2-g5ee8dbf54602.
Architecture: x86_64.
Config: CONFIG_FAULT_INJECTION=y, CONFIG_DEBUG_VM_MAPLE_TREE=y.
Hardware: QEMU Ubuntu 24.04 PC v2.
The WARNING occurs in __mas_set_range when the iterator is active and a new range is set where the start address exceeds the current recorded end of the range.
In the provided logs, the register state shows:
RSI (start): 00002000001e3000
R13 (mas->last): 00002000001e2fff
Because start > mas->last, the condition in MAS_WARN_ON(mas, mas_is_active(mas) && (mas->index > start || mas->last < start)) holds and the warning fires. This happens during the rollback of a failed mmap call initiated via do_mmap and mmap_region.
[ 26.423091] WARNING: ./include/linux/maple_tree.h:749 at __mmap_region+0x1a82/0x2650
...
[ 26.427870] RIP: 0010:__mmap_region+0x1a82/0x2650
...
[ 26.439165] Call Trace:
[ 26.439499] <TASK>
[ 26.443459] ? mm_get_unmapped_area_vmflags+0xd7/0x130
[ 26.444142] mmap_region+0x19c/0x360
[ 26.444653] do_mmap+0xcc7/0x11f0
[ 26.446925] vm_mmap_pgoff+0x20a/0x380
[ 26.449541] ksys_mmap_pgoff+0xdb/0x5a0
[ 26.452189] __x64_sys_mmap+0x125/0x190
[ 26.452704] do_syscall_64+0xf1/0x530
(Full log provided in attachment)
The issue can be reproduced consistently by running the attached C program under a fault-injection-enabled kernel. The program targets address 0x2000001e3000 with MAP_FIXED and uses /proc/thread-self/fail-nth to trigger a slab allocation failure.
Steps to reproduce:
Compile the reproducer: gcc -static repro.c -o repro -lpthread.
Enable fault injection: echo 1 > /sys/kernel/debug/failslab/cache-filter.
Run the binary as root: ./repro.
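The reproduction steps above, as an added example harness (this is not the attached repro.c and not kernel code): it drives the same /proc/thread-self/fail-nth mechanism against a MAP_FIXED mapping that forces a VMA split, failing one slab allocation site per run so every error path of the syscall is exercised. It maps its own three anonymous pages rather than the report's fixed address 0x2000001e3000, assumes a 4 KiB page size, and follows the fail-nth semantics from the kernel's fault-injection documentation (a read-back of 0 means the injected failure fired; a positive value means the syscall had fewer sites than requested). It needs a CONFIG_FAULT_INJECTION kernel and root to do anything beyond a plain mmap; without them it reports that fail-nth is unavailable.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define PAGE 4096UL   /* assumed page size (x86_64) */

/* Open the per-thread fault-injection counter once and keep the fd, as the
 * kernel fault-injection docs do, so the bookkeeping below does not itself
 * walk through extra fault sites. Returns -1 when the file is absent
 * (no CONFIG_FAULT_INJECTION) or not writable (not root). */
static int fail_nth_open(void)
{
	return open("/proc/thread-self/fail-nth", O_RDWR);
}

/* Arm the counter: the n-th fault site this thread hits will fail. */
static int fail_nth_arm(int fd, int n)
{
	char buf[16];
	int len = snprintf(buf, sizeof buf, "%d", n);
	return write(fd, buf, len) == len ? 0 : -1;
}

/* Read the counter back from offset 0. The kernel decrements it at every
 * fault site, so 0 means the n-th site was reached and the failure was
 * injected; a positive value means the syscall had fewer than n sites.
 * Returns -1 if the counter cannot be read. */
static int fail_nth_read(int fd)
{
	char buf[16] = { 0 };
	ssize_t n = pread(fd, buf, sizeof buf - 1, 0);
	return n > 0 ? atoi(buf) : -1;
}

/* Map three anonymous pages, populate them, then MAP_FIXED the middle page
 * with different protection. The new VMA cannot merge with the existing one,
 * so mmap_region() has to split it, which is the kind of operation the report
 * describes. Returns 0 on success or a negative errno value. */
static int split_middle_page(void)
{
	int rc = 0;
	unsigned char *base = mmap(NULL, 3 * PAGE, PROT_READ | PROT_WRITE,
				   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (base == MAP_FAILED)
		return -errno;
	base[0] = 1;
	base[PAGE] = 2;
	base[2 * PAGE] = 3;

	void *mid = mmap(base + PAGE, PAGE, PROT_READ,
			 MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
	if (mid == MAP_FAILED)
		rc = -errno;
	/* Neighbours keep their data; the middle is now a fresh zero page. */
	else if (base[0] != 1 || base[2 * PAGE] != 3 || base[PAGE] != 0)
		rc = -EFAULT;
	munmap(base, 3 * PAGE);
	return rc;
}

int main(void)
{
	int fd = fail_nth_open();
	if (fd < 0) {
		puts("fail-nth unavailable: needs CONFIG_FAULT_INJECTION and root");
		return 1;
	}
	/* One run per fault site: run n makes the n-th slab allocation of the
	 * split mmap fail, so each error path in the syscall gets exercised. */
	for (int n = 1; n < 64; n++) {
		if (fail_nth_arm(fd, n) < 0)
			return 1;
		int rc = split_middle_page();
		int left = fail_nth_read(fd);
		printf("site %2d: mmap %s, fault injected: %s\n", n,
		       rc ? strerror(-rc) : "ok", left == 0 ? "yes" : "no");
		if (left > 0)
			break;	/* fewer than n sites: all of them are covered */
	}
	close(fd);
	return 0;
}
```

Build it the same way as the attached reproducer (gcc -static harness.c -o harness) and run it as root after the cache-filter step; with CONFIG_DEBUG_VM_MAPLE_TREE=y a run that trips the rollback path shows up as the maple_tree.h:749 warning in dmesg next to the "fault injected: yes" line for that site.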
The transition to the new VMA management logic in 7.0 seems to have introduced an edge case in __mmap_region. When a helper like anon_vma_clone fails, the error path attempts to reconfigure the VMA iterator for cleanup without resetting its state (e.g., via mas_reset), leading to a range violation if the iterator was positioned at the boundary of the previous slot.