Hello, since I found there is no reproduce from then to now. I try to reproduce this bug to generate repro.c.
Maybe this bug is the same bug as [syzbot] [mm?] general protection fault in hugetlb_vma_lock_write I guess...
But no matter what, with the reproduce.c, we can quickly fix this bug or check the correctness of our fix.

#define _GNU_SOURCE

#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#ifndef __NR_memfd_create
#define __NR_memfd_create 319
#endif

static void sleep_ms(uint64_t ms)
{
    usleep(ms * 1000);
}

static uint64_t current_time_ms(void)
{
    struct timespec ts;
    if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
    return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

static bool write_file(const char* file, const char* what, ...)
{
    char buf[1024];
    va_list args;
    va_start(args, what);
    vsnprintf(buf, sizeof(buf), what, args);
    va_end(args);
    buf[sizeof(buf) - 1] = 0;
    int len = strlen(buf);
    int fd = open(file, O_WRONLY | O_CLOEXEC);
    if (fd == -1)
        return false;
    if (write(fd, buf, len) != len) {
        int err = errno;
        close(fd);
        errno = err;
        return false;
    }
    close(fd);
    return true;
}

static void kill_and_wait(int pid, int* status)
{
    kill(-pid, SIGKILL);
    kill(pid, SIGKILL);
    for (int i = 0; i < 100; i++) {
        if (waitpid(-1, status, WNOHANG | __WALL) == pid)
            return;
        usleep(1000);
    }
    DIR* dir = opendir("/sys/fs/fuse/connections");
    if (dir) {
        for (;;) {
            struct dirent* ent = readdir(dir);
            if (!ent)
                break;
            if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
                continue;
            char abort[300];
            snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort", ent->d_name);
            int fd = open(abort, O_WRONLY);
            if (fd == -1) {
                continue;
            }
            if (write(fd, abort, 1) < 0) {
            }
            close(fd);
        }
        closedir(dir);
    } else {
    }
    while (waitpid(-1, status, __WALL) != pid) {
    }
}

static void setup_test()
{
    prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
    setpgrp();
    write_file("/proc/self/oom_score_adj", "1000");
}

#define USLEEP_FORKED_CHILD (3 * 50 *1000)

static long handle_clone_ret(long ret)
{
    if (ret != 0) {
        return ret;
    }
    usleep(USLEEP_FORKED_CHILD);
    syscall(__NR_exit, 0);
    while (1) {
    }
}

static long syz_clone(volatile long flags, volatile long stack, volatile long stack_len,
              volatile long ptid, volatile long ctid, volatile long tls)
{
    long sp = (stack + stack_len) & ~15;
    long ret = (long)syscall(__NR_clone, flags & ~CLONE_VM, sp, ptid, ctid, tls);
    return handle_clone_ret(ret);
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

static void loop(void)
{
    int iter = 0;
    for (;; iter++) {
        int pid = fork();
        if (pid < 0)
    exit(1);
        if (pid == 0) {
            setup_test();
            execute_one();
            exit(0);
        }
        int status = 0;
        uint64_t start = current_time_ms();
        for (;;) {
            if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
                break;
            sleep_ms(1);
            if (current_time_ms() - start < 5000)
                continue;
            kill_and_wait(pid, &status);
            break;
        }
    }
}

uint64_t r[2] = {0xffffffffffffffff, 0x0};

void execute_one(void)
{
        intptr_t res = 0;
memcpy((void*)0x20000800, "\001\375\256.+\246\214\266?2\0319\224S,|x?Ue[\275\341!\0033\274\'#\377\027\233%\363[d  \227\365G\227A\302\330\360Uq\346+\245l\224\v\266\a\027\\\373\004!\344\304\261\262\034\377C;\224Q\r\266}\234\354C\v\317\353\344\232R\345,\202\003\000\031\215\350\306\271\344\264\231\212\031P\270\214x\b\231\004R\005\257\242\3525\f\314\032\233\000Uf\245\367\200Tgi\264\300\346\264\357\250i\330\242\322(\230\233A\217\023\353\364b/\357!\217\366]-\351k\2662\211gEv\023\364\307\262\365\\\027\220\265\246\250\270o\017\342 \347\234$\327\362@\367cdv[\t\000\215\363\3141\r$\036\377\360P\262\227\270\274\353\221\207\213u\277\324\'\377\037\f\0016\235Q\356T\350\bY\000\262\006\246\276l\233.o\276\200\235x\325O\326h\\I\311\215\a\035\311\017\202\333s\307\203L\236\242\321\263\254\215\330\264\264\352\220Q\330\307\353%\213Op\032b\226\317\273\025\317\374N\355\000\000\000\000\000\000\000\000\000\000\000\000\000s\257\242\024]p+\226\036i|n\332\356\\\256\226*\202*\270j\332\252\024\037\035\370\370\256\374H\304\263j\350\317O\357\016\257e\265*\211\030\262w\226\b\033y\352T\335\263g6\274\205\262Y\314v\006\000\000\000\305e\220\3051\237\v_# \b\245\274P,|\351\326s\037\037\276\323\200\261\250 \316|df\2203\v\002\352.\003X\265\344,8\267\255EI\334A\247\314\327\371n\033\225\370\021Z\346:\003\316\376\002\214tdy~_oC\236\357\360\242K\351;\216:\001\003C\222\353\026\000\000\000\000\314Uxhg\377\344\a\203\246z\377\001\235 o_{!O\252jU\204 \351\2659r\234w\030Z\323\315\016\272\\\333\360\341\206\340\037\373\322\247\2040\216\n\275^\005\300\316uC}\250\307\255\206\327\025&\271]1\005J\226\360\204\301\f\246p\226\270\002\023pA\031\tf\022\210\310\234\311Cn\324\2447V\'+\314\277\r\251\020\035\317\353Klb\345:\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000G\337\273\300_\231F\364n]\024\274\315\323\237\237e\305\346\350Mb\306\202\202\314\312Xe\341\242\252\002\206\270\030\342C\353\251\027&\001&\'w\241t0\200\360\223\200\237\233\340\237\352\271\236D]#V\332\222\312\306\372.\326\3431\376\350\002\353X\220@\352\224\237a/\242-E\337\030yoSYua\031\357\363I\001\361\266\222gl7\361\035\027\027\361\313\217]\351Z\263q\365N\207\326q\300\320\213\273+\205\v\335n2lV\260]\254T\2636J\352\324\236\357L^ \301\364\374\000\000\000\000\000\000\000\000\000\000\000", 746);
    res = syscall(__NR_memfd_create, /*name=*/0x20000800ul, /*flags=*/5ul);
    if (res != -1)
        r[0] = res;
    syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x4000ul, /*prot=*/0xeul, /*flags=*/0x12ul, /*fd=*/r[0], /*offset=*/0ul);
    syscall(__NR_socketpair, /*domain=*/2ul, /*type=*/2ul, /*proto=*/0, /*fds=*/0x200008c0ul);
    res = -1;
res = syz_clone(/*flags=*/0, /*stack=*/0, /*stack_len=*/0, /*parentid=*/0, /*childtid=*/0, /*tls=*/0);
    if (res != -1)
        r[1] = res;
*(uint64_t*)0x20000f80 = 0;
*(uint64_t*)0x20000f88 = 0;
    syscall(__NR_process_vm_writev, /*pid=*/r[1], /*loc_vec=*/0ul, /*loc_vlen=*/0ul, /*rem_vec=*/0x20000f80ul, /*rem_vlen=*/1ul, /*flags=*/0ul);

}
int main(void)
{
        syscall(__NR_mmap, /*addr=*/0x1ffff000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
    syscall(__NR_mmap, /*addr=*/0x20000000ul, /*len=*/0x1000000ul, /*prot=*/7ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
    syscall(__NR_mmap, /*addr=*/0x21000000ul, /*len=*/0x1000ul, /*prot=*/0ul, /*flags=*/0x32ul, /*fd=*/-1, /*offset=*/0ul);
            loop();
    return 0;

}