From: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
Date: Wed, 17 Jul 2019 17:17:16 -0700

> From the oops, I assume that the problem is that get_user_pages_fast()
> returned an invalid page, causing the bad access later in
> get_futex_key().

That's correct. It's the first deref of page that oops's.

> But that's odd too, considering that get_user_pages_fast() had
> already accessed the page (both for looking up the head, and for
> then doing things like SetPageReferenced(page)).

Even the huge page cases all do that dereference as well, so it is
indeed a mystery how the pointer works inside of get_user_pages_fast()
but becomes garbage in the caller.

This page pointer sits on the stack, so maybe something stores garbage
there meanwhile. Maybe the issue is even compiler dependent.

I'll keep looking over the changes made here for clues.