Userfaultfd unregister includes a step to remove wr-protect bits from all the relevant pgtable entries, but that only covered an explicit UFFDIO_UNREGISTER ioctl, not a close() on the userfaultfd itself. Cover that too. Link: https://lore.kernel.org/all/000000000000ca4df20616a0fe16@xxxxxxxxxx/ Analyzed-by: David Hildenbrand <david@xxxxxxxxxx> Reported-by: syzbot+d8426b591c36b21c750e@xxxxxxxxxxxxxxxxxxxxxxxxx Signed-off-by: Peter Xu <peterx@xxxxxxxxxx> --- fs/userfaultfd.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/fs/userfaultfd.c b/fs/userfaultfd.c index 3e6ddda6f159..d2c3879745e5 100644 --- a/fs/userfaultfd.c +++ b/fs/userfaultfd.c @@ -898,6 +898,10 @@ static int userfaultfd_release(struct inode *inode, struct file *file) prev = vma; continue; } + /* Reset ptes for the whole vma range if wr-protected */ + if (userfaultfd_wp(vma)) + uffd_wp_range(vma, vma->vm_start, + vma->vm_end - vma->vm_start, false); new_flags = vma->vm_flags & ~__VM_UFFD_FLAGS; vma = vma_modify_flags_uffd(&vmi, prev, vma, vma->vm_start, vma->vm_end, new_flags, -- 2.44.0