Hillf Danton <hdanton@xxxxxxxx> wrote:
> On Sun, 13 Sep 2020 09:17:26 +0000 linmiaohe wrote:
>>
>> I reviewed the code carefully these days and I found that vma_merge() only does fput() on the vm_file of the linked vma in the remove_next cases.
>> This gpf is very likely because the ->mmap() callback can change
>> vma->vm_file and fput the original file. But my previous commit failed to catch this case and always fput() the original file, hence adding an extra fput().
>> The patch below would make things right:
>>
>
> Take another look at the Cc list and the link below.
>
> https://lore.kernel.org/lkml/20200911120222.GT87483@xxxxxxxx/
>

Many thanks for your teaching. I think I could send the proposed patch to the syzbot directly. Thanks again. :)