On 08/20, Tetsuo Handa wrote:
>
> On 2019/08/20 1:05, Andrea Arcangeli wrote:
> > It's a bit strange that the file that
> > was opened by the ioctl() syscall gets released and its
> > file->private_data destroyed before the ioctl syscall has a chance to
> > return to userland.
>
> My guess is that the fd was opened by userfaultfd() syscall, and the fd was
> closed by close() syscall. Nothing wrong. But when a page fault happened,

The problem is that this page fault is triggered by ioctl() and this file
was already closed and the final fput() was already called, note that
userfaultfd_release() is f_op->release.

> Then, not resetting the pointer to the data structure before
> releasing the memory (due to "goto skip_mm;") is the bug.

Yes, this is wrong in any case and this is what the patch tries to fix.

Oleg.
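As an added illustration of the pattern the thread is arguing about (not kernel code and not part of the original e-mail), the following userspace C model has a per-fd context that the release path must unlink from every vma before the context goes away. The names uffd_ctx, vma, mm, release_buggy, release_fixed and the mm_users_zero condition that drives the "goto skip_mm" are assumptions for illustration; a released flag stands in for freed memory so the dangling dereference can be detected instead of being undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, not the kernel's code: every name here is assumed for
 * illustration. The ctx is what the fd's file->private_data points at; each
 * vma keeps a back-pointer to it (cf. vma->vm_userfaultfd_ctx). */

#define NR_VMAS 4

struct uffd_ctx {
    int released;         /* stands in for "the memory has been freed" */
    int faults_handled;
};

struct vma {
    struct uffd_ctx *uffd_ctx;
};

struct mm {
    struct vma vmas[NR_VMAS];
};

enum fault_result {
    FAULT_PLAIN = 0,           /* no ctx registered: ordinary page fault */
    FAULT_HANDLED = 1,         /* delivered to a live ctx */
    FAULT_USE_AFTER_FREE = 2   /* ctx already released: the bug */
};

static void register_ctx(struct mm *mm, struct uffd_ctx *ctx)
{
    for (int i = 0; i < NR_VMAS; i++)
        mm->vmas[i].uffd_ctx = ctx;
}

static void clear_vmas(struct mm *mm, struct uffd_ctx *ctx)
{
    for (int i = 0; i < NR_VMAS; i++)
        if (mm->vmas[i].uffd_ctx == ctx)
            mm->vmas[i].uffd_ctx = NULL;
}

/* Buggy release: when the mm is judged no longer usable (assumed condition
 * mm_users_zero) the vma walk is skipped, so every vma keeps a dangling
 * pointer to a ctx that is released right after the label. */
static void release_buggy(struct mm *mm, struct uffd_ctx *ctx, int mm_users_zero)
{
    if (mm_users_zero)
        goto skip_mm;
    clear_vmas(mm, ctx);
skip_mm:
    ctx->released = 1;
}

/* Fixed release: unlink the vmas unconditionally, then let the ctx go. */
static void release_fixed(struct mm *mm, struct uffd_ctx *ctx, int mm_users_zero)
{
    (void)mm_users_zero;
    clear_vmas(mm, ctx);
    ctx->released = 1;
}

/* A later fault on the vma: the back-pointer alone decides whether ctx is
 * touched, which is why it must be cleared before the memory is released. */
static enum fault_result handle_fault(struct vma *vma)
{
    struct uffd_ctx *ctx = vma->uffd_ctx;
    if (!ctx)
        return FAULT_PLAIN;
    if (ctx->released)
        return FAULT_USE_AFTER_FREE;
    ctx->faults_handled++;
    return FAULT_HANDLED;
}

/* Register, release via close() with the given mm state, then fault. */
static enum fault_result scenario(int use_fixed_release, int mm_users_zero)
{
    struct mm mm;
    struct uffd_ctx ctx;
    memset(&mm, 0, sizeof mm);
    memset(&ctx, 0, sizeof ctx);
    register_ctx(&mm, &ctx);
    if (use_fixed_release)
        release_fixed(&mm, &ctx, mm_users_zero);
    else
        release_buggy(&mm, &ctx, mm_users_zero);
    return handle_fault(&mm.vmas[0]);
}

/* Sanity check: a fault before any release reaches a live ctx. */
static enum fault_result live_ctx_fault(void)
{
    struct mm mm;
    struct uffd_ctx ctx;
    memset(&mm, 0, sizeof mm);
    memset(&ctx, 0, sizeof ctx);
    register_ctx(&mm, &ctx);
    return handle_fault(&mm.vmas[1]);
}

int main(void)
{
    printf("buggy, mm_users_zero=1: %d (2 = use after free)\n", scenario(0, 1));
    printf("buggy, mm_users_zero=0: %d (0 = plain fault)\n", scenario(0, 0));
    printf("fixed, mm_users_zero=1: %d (0 = plain fault)\n", scenario(1, 1));
    return 0;
}
```

The buggy variant only misbehaves on the skipped path, which is the kind of race that is easy to miss in testing: the ordinary close() path clears the pointers, and the stale pointer is only observed when a fault arrives after the ctx has been released.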