Friendly ping.
> The syzbot reported the below general protection fault:
>
> general protection fault, probably for non-canonical address
> 0xe00eeaee0000003b: 0000 [#1] PREEMPT SMP KASAN
> KASAN: maybe wild-memory-access in range
> [0x00777770000001d8-0x00777770000001df]
> CPU: 1 PID: 10488 Comm: syz-executor721 Not tainted 5.9.0-rc3-syzkaller #0
>
> It's because the ->mmap() callback can change vma->vm_file and fput the
> original file. But the commit d70cec898324 ("mm: mmap: merge vma after
> call_mmap() if possible") failed to catch this case and always fput() the
> original file, hence add an extra fput().
>
> [ Thanks Hillf for pointing this extra fput() out. ]
>
> @@ -1815,7 +1815,11 @@ unsigned long mmap_region(struct file *file, unsigned
> long addr,
> merge = vma_merge(mm, prev, vma->vm_start, vma->vm_end,
> vma->vm_flags,
> NULL, vma->vm_file, vma->vm_pgoff, NULL,
> NULL_VM_UFFD_CTX);
> if (merge) {
> - fput(file);
> + /* ->mmap() can change vma->vm_file and fput
> the original file. So
> + * fput the vma->vm_file here or we would add
> an extra fput for file
> + * and cause general protection fault
> ultimately.
> + */
> + fput(vma->vm_file);
> vm_area_free(vma);
> vma = merge;
> /* Update vm_flags and possible addr to pick up
> the change. We don't
> --
> 2.19.1
>
