Commit bcf9d3da authored by Andrew Morton, committed by Linus Torvalds

[PATCH] Fix for vma merging refcounting bug

From: "Stephen C. Tweedie" <sct@redhat.com>

When a new vma can be merged simultaneously with its two immediate
neighbours in both directions, vma_merge() extends the predecessor vma and
deletes the successor.  However, if the vma maps a file, it fails to fput()
when doing the delete, leaving the file's refcount inconsistent.
parent a3db5a33
...@@ -471,6 +471,8 @@ static int vma_merge(struct mm_struct *mm, struct vm_area_struct *prev, ...@@ -471,6 +471,8 @@ static int vma_merge(struct mm_struct *mm, struct vm_area_struct *prev,
spin_unlock(lock); spin_unlock(lock);
if (need_up) if (need_up)
up(&inode->i_mapping->i_shared_sem); up(&inode->i_mapping->i_shared_sem);
if (file)
fput(file);
mm->map_count--; mm->map_count--;
kmem_cache_free(vm_area_cachep, next); kmem_cache_free(vm_area_cachep, next);
......
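Review bot: The added "if (file) fput(file);" sits just before kmem_cache_free(vm_area_cachep, next) with no comment tying the two together. A one-line comment saying that the reference being dropped is the one held by next, the vma about to be freed, would keep the pair from being separated by a later edit. Placing it after spin_unlock(lock) and the up() on i_shared_sem looks right, since the final fput() can release the file and should not run under those locks. The hunk does not show where file is assigned, so it is worth confirming that it is still valid here and is the file that next maps.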