Hi Kefeng, On 08/13, Kefeng Wang wrote: > > Syzkaller reproducer: > # {Threaded:true Collide:true Repeat:false RepeatTimes:0 Procs:1 Sandbox:none Fault:false FaultCall:-1 FaultNth:0 EnableTun:true EnableNetDev:true EnableNetReset:false EnableCgroups:false EnableBinfmtMisc:true EnableCloseFds:true UseTmpDir:true HandleSegv:true Repro:false Trace:false} > r0 = userfaultfd(0x80800) > ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f0000000200)) > ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000000080)={{&(0x7f0000ff2000/0xe000)=nil, 0xe000}, 0x1}) > ioctl$UFFDIO_COPY(r0, 0xc028aa03, 0x0) > ioctl$UFFDIO_COPY(r0, 0xc028aa03, &(0x7f0000000000)={&(0x7f0000ffc000/0x3000)=nil, &(0x7f0000ffd000/0x2000)=nil, 0x3000}) > syz_execute_func(&(0x7f00000000c0)="4134de984013e80f059532058300000071f3c4e18dd1ce5a65460f18320ce0b9977d8f64360f6e54e3a50fe53ff30fb837c42195dc42eddb8f087ca2a4d2c4017b708fa878c3e600f3266440d9a200000000c4016c5bdd7d0867dfe07f00f20f2b5f0009404cc442c102282cf2f20f51e22ef2e1291010f2262ef045814cb39700000000f32e3ef0fe05922f79a4000030470f3b58c1312fe7460f50ce0502338d00858526660f346253f6010f0f801d000000470f0f2c0a90c7c7df84feefff3636260fe02c98c8b8fcfc81fc51720a40400e700064660f71e70d2e0f57dfe819d0253f3ecaf06ad647608c41ffc42249bccb430f9bc8b7a042420f8d0042171e0f95ca9f7f921000d9fac4a27d5a1fc4a37961309de9000000003171460fc4d303c466410fd6389dc4426c456300c4233d4c922d92abf90ac6c34df30f5ee50909430f3a15e7776f6e866b0fdfdfc482797841cf6ffc842d9b9a516dc2e52ef2ac2636f20f114832d46231bffd4834eaeac4237d09d0003766420f160182c4a37d047882007f108f2808a6e68fc401505d6a82635d1467440fc7ba0c000000d4c482359652745300") > poll(&(0x7f00000000c0)=[{}], 0x1, 0x0) > > ./syz-execprog -executor=./syz-executor -repeat=0 -procs=16 -cover=0 repofile I tried to reproduce using the C code provided by Tetsuo but it doesn't work for me. Could you run this test-case with the patch below? (on top of the fix you have already tested). Oleg. --- a/fs/userfaultfd.c +++ b/fs/userfaultfd.c 
@@ -882,6 +882,8 @@ static int userfaultfd_release(struct inode *inode, struct file *file)
 	unsigned long new_flags;
 	bool still_valid;
 
+	file->private_data = (void*)0x6666;
+
 	WRITE_ONCE(ctx->released, true);
 
 	if (!mmget_not_zero(mm))
@@ -1859,6 +1861,8 @@ static long userfaultfd_ioctl(struct file *file, unsigned cmd,
 	int ret = -EINVAL;
 	struct userfaultfd_ctx *ctx = file->private_data;
 
+	BUG_ON(ctx == (void*)0x6666);
+
 	if (cmd != UFFDIO_API && ctx->state == UFFD_STATE_WAIT_API)
 		return -EINVAL;
 
@@ -1882,6 +1886,8 @@ static long userfaultfd_ioctl(struct file *file, unsigned cmd,
 		ret = userfaultfd_zeropage(ctx, arg);
 		break;
 	}
+
+	BUG_ON(ctx != file->private_data);
 	return ret;
 }
 
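Review bot: The poison check in the second hunk and the exit check in the third hunk instrument only userfaultfd_ioctl, so a release that races with the `poll()` the reproducer ends on, or with a read, would trip neither BUG_ON; if the aim is to confirm the ordering for any file operation on a released context, the same `BUG_ON(ctx == (void*)0x6666);` belongs at the top of userfaultfd_poll and userfaultfd_read as well. In the first hunk the poison is stored with a plain assignment while the ioctl path loads `file->private_data` with a plain read, so a matching `WRITE_ONCE(file->private_data, (void*)0x6666);` and `READ_ONCE(file->private_data)` pair would mark the intentionally racy accesses for KCSAN and, in principle, keep the compiler from refetching the pointer between the check and the `ctx->state` dereference. Since this is a diagnostic-only change, a comment above the store such as `/* debug only: poison so a concurrent ioctl on a released ctx trips the BUG_ON in userfaultfd_ioctl */` would stop it being mistaken for a fix. userfaultfd_release continues past the first hunk, and the ioctl switch body lies between the second and third hunks.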