drop hmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dropped.patch from everywhere

diff --git a/queue-4.14/series b/queue-4.14/series
index ca79c2da89018449b69b822d7edb00701b28514a..906ae54096c61a56416631c7c712195b691d7fcd 100644 (file)
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -68,4 +68,3 @@ inetpeer-fix-data-race-in-inet_putpeer-inet_putpeer.patch
 net-add-a-read_once-in-skb_peek_tail.patch
 net-icmp-fix-data-race-in-cmp_global_allow.patch
 hrtimer-annotate-lockless-access-to-timer-state.patch
-shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dropped.patch

diff --git a/queue-4.14/shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dropped.patch b/queue-4.14/shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dropped.patch
deleted file mode 100644 (file)
index 2c7c5f9..0000000
--- a/queue-4.14/shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dropped.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From 8897c1b1a1795cab23d5ac13e4e23bf0b5f4e0c6 Mon Sep 17 00:00:00 2001
-From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
-Date: Sat, 30 Nov 2019 17:50:26 -0800
-Subject: shmem: pin the file in shmem_fault() if mmap_sem is dropped
-
-From: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
-
-commit 8897c1b1a1795cab23d5ac13e4e23bf0b5f4e0c6 upstream.
-
-syzbot found the following crash:
-
-  BUG: KASAN: use-after-free in perf_trace_lock_acquire+0x401/0x530 include/trace/events/lock.h:13
-  Read of size 8 at addr ffff8880a5cf2c50 by task syz-executor.0/26173
-
-  CPU: 0 PID: 26173 Comm: syz-executor.0 Not tainted 5.3.0-rc6 #146
-  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
-  Call Trace:
-     perf_trace_lock_acquire+0x401/0x530 include/trace/events/lock.h:13
-     trace_lock_acquire include/trace/events/lock.h:13 [inline]
-     lock_acquire+0x2de/0x410 kernel/locking/lockdep.c:4411
-     __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
-     _raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:151
-     spin_lock include/linux/spinlock.h:338 [inline]
-     shmem_fault+0x5ec/0x7b0 mm/shmem.c:2034
-     __do_fault+0x111/0x540 mm/memory.c:3083
-     do_shared_fault mm/memory.c:3535 [inline]
-     do_fault mm/memory.c:3613 [inline]
-     handle_pte_fault mm/memory.c:3840 [inline]
-     __handle_mm_fault+0x2adf/0x3f20 mm/memory.c:3964
-     handle_mm_fault+0x1b5/0x6b0 mm/memory.c:4001
-     do_user_addr_fault arch/x86/mm/fault.c:1441 [inline]
-     __do_page_fault+0x536/0xdd0 arch/x86/mm/fault.c:1506
-     do_page_fault+0x38/0x590 arch/x86/mm/fault.c:1530
-     page_fault+0x39/0x40 arch/x86/entry/entry_64.S:1202
-
-It happens if the VMA got unmapped under us while we dropped mmap_sem
-and inode got freed.
-
-Pinning the file if we drop mmap_sem fixes the issue.
-
-Link: http://lkml.kernel.org/r/20190927083908.rhifa4mmaxefc24r@box
-Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
-Reported-by: syzbot+03ee87124ee05af991bd@syzkaller.appspotmail.com
-Acked-by: Johannes Weiner <hannes@cmpxchg.org>
-Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
-Cc: Hillf Danton <hdanton@sina.com>
-Cc: Hugh Dickins <hughd@google.com>
-Cc: Josef Bacik <josef@toxicpanda.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- mm/shmem.c |   11 ++++++-----
- 1 file changed, 6 insertions(+), 5 deletions(-)
-
---- a/mm/shmem.c
-+++ b/mm/shmem.c
-@@ -1969,16 +1969,14 @@ static int shmem_fault(struct vm_fault *
-                   shmem_falloc->waitq &&
-                   vmf->pgoff >= shmem_falloc->start &&
-                   vmf->pgoff < shmem_falloc->next) {
-+                      struct file *fpin;
-                       wait_queue_head_t *shmem_falloc_waitq;
-                       DEFINE_WAIT_FUNC(shmem_fault_wait, synchronous_wake_function);
- 
-                       ret = VM_FAULT_NOPAGE;
--                      if ((vmf->flags & FAULT_FLAG_ALLOW_RETRY) &&
--                         !(vmf->flags & FAULT_FLAG_RETRY_NOWAIT)) {
--                              /* It's polite to up mmap_sem if we can */
--                              up_read(&vma->vm_mm->mmap_sem);
-+                      fpin = maybe_unlock_mmap_for_io(vmf, NULL);
-+                      if (fpin)
-                               ret = VM_FAULT_RETRY;
--                      }
- 
-                       shmem_falloc_waitq = shmem_falloc->waitq;
-                       prepare_to_wait(shmem_falloc_waitq, &shmem_fault_wait,
-@@ -1996,6 +1994,9 @@ static int shmem_fault(struct vm_fault *
-                       spin_lock(&inode->i_lock);
-                       finish_wait(shmem_falloc_waitq, &shmem_fault_wait);
-                       spin_unlock(&inode->i_lock);
-+
-+                      if (fpin)
-+                              fput(fpin);
-                       return ret;
-               }
-               spin_unlock(&inode->i_lock);

diff --git a/queue-4.19/series b/queue-4.19/series
index 1a0c6ebef8f51a4492be6741301c580113fed9f3..158fc8beea89ec1f6220282fc7f02fbc0541b88e 100644 (file)
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -87,4 +87,3 @@ inetpeer-fix-data-race-in-inet_putpeer-inet_putpeer.patch
 net-add-a-read_once-in-skb_peek_tail.patch
 net-icmp-fix-data-race-in-cmp_global_allow.patch
 hrtimer-annotate-lockless-access-to-timer-state.patch
-shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dropped.patch

diff --git a/queue-4.19/shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dropped.patch b/queue-4.19/shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dropped.patch
deleted file mode 100644 (file)
index 06a3c1d..0000000
--- a/queue-4.19/shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dropped.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From 8897c1b1a1795cab23d5ac13e4e23bf0b5f4e0c6 Mon Sep 17 00:00:00 2001
-From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
-Date: Sat, 30 Nov 2019 17:50:26 -0800
-Subject: shmem: pin the file in shmem_fault() if mmap_sem is dropped
-
-From: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
-
-commit 8897c1b1a1795cab23d5ac13e4e23bf0b5f4e0c6 upstream.
-
-syzbot found the following crash:
-
-  BUG: KASAN: use-after-free in perf_trace_lock_acquire+0x401/0x530 include/trace/events/lock.h:13
-  Read of size 8 at addr ffff8880a5cf2c50 by task syz-executor.0/26173
-
-  CPU: 0 PID: 26173 Comm: syz-executor.0 Not tainted 5.3.0-rc6 #146
-  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
-  Call Trace:
-     perf_trace_lock_acquire+0x401/0x530 include/trace/events/lock.h:13
-     trace_lock_acquire include/trace/events/lock.h:13 [inline]
-     lock_acquire+0x2de/0x410 kernel/locking/lockdep.c:4411
-     __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
-     _raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:151
-     spin_lock include/linux/spinlock.h:338 [inline]
-     shmem_fault+0x5ec/0x7b0 mm/shmem.c:2034
-     __do_fault+0x111/0x540 mm/memory.c:3083
-     do_shared_fault mm/memory.c:3535 [inline]
-     do_fault mm/memory.c:3613 [inline]
-     handle_pte_fault mm/memory.c:3840 [inline]
-     __handle_mm_fault+0x2adf/0x3f20 mm/memory.c:3964
-     handle_mm_fault+0x1b5/0x6b0 mm/memory.c:4001
-     do_user_addr_fault arch/x86/mm/fault.c:1441 [inline]
-     __do_page_fault+0x536/0xdd0 arch/x86/mm/fault.c:1506
-     do_page_fault+0x38/0x590 arch/x86/mm/fault.c:1530
-     page_fault+0x39/0x40 arch/x86/entry/entry_64.S:1202
-
-It happens if the VMA got unmapped under us while we dropped mmap_sem
-and inode got freed.
-
-Pinning the file if we drop mmap_sem fixes the issue.
-
-Link: http://lkml.kernel.org/r/20190927083908.rhifa4mmaxefc24r@box
-Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
-Reported-by: syzbot+03ee87124ee05af991bd@syzkaller.appspotmail.com
-Acked-by: Johannes Weiner <hannes@cmpxchg.org>
-Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
-Cc: Hillf Danton <hdanton@sina.com>
-Cc: Hugh Dickins <hughd@google.com>
-Cc: Josef Bacik <josef@toxicpanda.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- mm/shmem.c |   11 ++++++-----
- 1 file changed, 6 insertions(+), 5 deletions(-)
-
---- a/mm/shmem.c
-+++ b/mm/shmem.c
-@@ -1989,16 +1989,14 @@ static vm_fault_t shmem_fault(struct vm_
-                   shmem_falloc->waitq &&
-                   vmf->pgoff >= shmem_falloc->start &&
-                   vmf->pgoff < shmem_falloc->next) {
-+                      struct file *fpin;
-                       wait_queue_head_t *shmem_falloc_waitq;
-                       DEFINE_WAIT_FUNC(shmem_fault_wait, synchronous_wake_function);
- 
-                       ret = VM_FAULT_NOPAGE;
--                      if ((vmf->flags & FAULT_FLAG_ALLOW_RETRY) &&
--                         !(vmf->flags & FAULT_FLAG_RETRY_NOWAIT)) {
--                              /* It's polite to up mmap_sem if we can */
--                              up_read(&vma->vm_mm->mmap_sem);
-+                      fpin = maybe_unlock_mmap_for_io(vmf, NULL);
-+                      if (fpin)
-                               ret = VM_FAULT_RETRY;
--                      }
- 
-                       shmem_falloc_waitq = shmem_falloc->waitq;
-                       prepare_to_wait(shmem_falloc_waitq, &shmem_fault_wait,
-@@ -2016,6 +2014,9 @@ static vm_fault_t shmem_fault(struct vm_
-                       spin_lock(&inode->i_lock);
-                       finish_wait(shmem_falloc_waitq, &shmem_fault_wait);
-                       spin_unlock(&inode->i_lock);
-+
-+                      if (fpin)
-+                              fput(fpin);
-                       return ret;
-               }
-               spin_unlock(&inode->i_lock);

diff --git a/queue-4.9/series b/queue-4.9/series
index 3807579462a3deb7d17184e26a5980bfd2221bd0..7bb3e783516646d4ee947523bdfec01655705d7e 100644 (file)
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -160,4 +160,3 @@ netfilter-ebtables-compat-reject-all-padding-in-matches-watchers.patch
 netfilter-bridge-make-sure-to-pull-arp-header-in-br_nf_forward_arp.patch
 net-icmp-fix-data-race-in-cmp_global_allow.patch
 hrtimer-annotate-lockless-access-to-timer-state.patch
-shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dropped.patch

diff --git a/queue-4.9/shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dropped.patch b/queue-4.9/shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dropped.patch
deleted file mode 100644 (file)
index ca3440d..0000000
--- a/queue-4.9/shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dropped.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From 8897c1b1a1795cab23d5ac13e4e23bf0b5f4e0c6 Mon Sep 17 00:00:00 2001
-From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
-Date: Sat, 30 Nov 2019 17:50:26 -0800
-Subject: shmem: pin the file in shmem_fault() if mmap_sem is dropped
-
-From: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
-
-commit 8897c1b1a1795cab23d5ac13e4e23bf0b5f4e0c6 upstream.
-
-syzbot found the following crash:
-
-  BUG: KASAN: use-after-free in perf_trace_lock_acquire+0x401/0x530 include/trace/events/lock.h:13
-  Read of size 8 at addr ffff8880a5cf2c50 by task syz-executor.0/26173
-
-  CPU: 0 PID: 26173 Comm: syz-executor.0 Not tainted 5.3.0-rc6 #146
-  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
-  Call Trace:
-     perf_trace_lock_acquire+0x401/0x530 include/trace/events/lock.h:13
-     trace_lock_acquire include/trace/events/lock.h:13 [inline]
-     lock_acquire+0x2de/0x410 kernel/locking/lockdep.c:4411
-     __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
-     _raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:151
-     spin_lock include/linux/spinlock.h:338 [inline]
-     shmem_fault+0x5ec/0x7b0 mm/shmem.c:2034
-     __do_fault+0x111/0x540 mm/memory.c:3083
-     do_shared_fault mm/memory.c:3535 [inline]
-     do_fault mm/memory.c:3613 [inline]
-     handle_pte_fault mm/memory.c:3840 [inline]
-     __handle_mm_fault+0x2adf/0x3f20 mm/memory.c:3964
-     handle_mm_fault+0x1b5/0x6b0 mm/memory.c:4001
-     do_user_addr_fault arch/x86/mm/fault.c:1441 [inline]
-     __do_page_fault+0x536/0xdd0 arch/x86/mm/fault.c:1506
-     do_page_fault+0x38/0x590 arch/x86/mm/fault.c:1530
-     page_fault+0x39/0x40 arch/x86/entry/entry_64.S:1202
-
-It happens if the VMA got unmapped under us while we dropped mmap_sem
-and inode got freed.
-
-Pinning the file if we drop mmap_sem fixes the issue.
-
-Link: http://lkml.kernel.org/r/20190927083908.rhifa4mmaxefc24r@box
-Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
-Reported-by: syzbot+03ee87124ee05af991bd@syzkaller.appspotmail.com
-Acked-by: Johannes Weiner <hannes@cmpxchg.org>
-Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
-Cc: Hillf Danton <hdanton@sina.com>
-Cc: Hugh Dickins <hughd@google.com>
-Cc: Josef Bacik <josef@toxicpanda.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- mm/shmem.c |   11 ++++++-----
- 1 file changed, 6 insertions(+), 5 deletions(-)
-
---- a/mm/shmem.c
-+++ b/mm/shmem.c
-@@ -1925,16 +1925,14 @@ static int shmem_fault(struct vm_area_st
-                   shmem_falloc->waitq &&
-                   vmf->pgoff >= shmem_falloc->start &&
-                   vmf->pgoff < shmem_falloc->next) {
-+                      struct file *fpin;
-                       wait_queue_head_t *shmem_falloc_waitq;
-                       DEFINE_WAIT_FUNC(shmem_fault_wait, synchronous_wake_function);
- 
-                       ret = VM_FAULT_NOPAGE;
--                      if ((vmf->flags & FAULT_FLAG_ALLOW_RETRY) &&
--                         !(vmf->flags & FAULT_FLAG_RETRY_NOWAIT)) {
--                              /* It's polite to up mmap_sem if we can */
--                              up_read(&vma->vm_mm->mmap_sem);
-+                      fpin = maybe_unlock_mmap_for_io(vmf, NULL);
-+                      if (fpin)
-                               ret = VM_FAULT_RETRY;
--                      }
- 
-                       shmem_falloc_waitq = shmem_falloc->waitq;
-                       prepare_to_wait(shmem_falloc_waitq, &shmem_fault_wait,
-@@ -1952,6 +1950,9 @@ static int shmem_fault(struct vm_area_st
-                       spin_lock(&inode->i_lock);
-                       finish_wait(shmem_falloc_waitq, &shmem_fault_wait);
-                       spin_unlock(&inode->i_lock);
-+
-+                      if (fpin)
-+                              fput(fpin);
-                       return ret;
-               }
-               spin_unlock(&inode->i_lock);

diff --git a/queue-5.4/series b/queue-5.4/series
index 8f78bd77a6e507ff9d729460cfa6242bbcea3b69..9489293098c93846e5b527a79b73b0f05c1f43cd 100644 (file)
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -145,4 +145,3 @@ tomoyo-don-t-use-nifty-names-on-sockets.patch
 uaccess-disallow-int_max-copy-sizes.patch
 drm-limit-to-int_max-in-create_blob-ioctl.patch
 xfs-fix-mount-failure-crash-on-invalid-iclog-memory-access.patch
-shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dropped.patch

diff --git a/queue-5.4/shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dropped.patch b/queue-5.4/shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dropped.patch
deleted file mode 100644 (file)
index 5c3a7fd..0000000
--- a/queue-5.4/shmem-pin-the-file-in-shmem_fault-if-mmap_sem-is-dropped.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From 8897c1b1a1795cab23d5ac13e4e23bf0b5f4e0c6 Mon Sep 17 00:00:00 2001
-From: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
-Date: Sat, 30 Nov 2019 17:50:26 -0800
-Subject: shmem: pin the file in shmem_fault() if mmap_sem is dropped
-
-From: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
-
-commit 8897c1b1a1795cab23d5ac13e4e23bf0b5f4e0c6 upstream.
-
-syzbot found the following crash:
-
-  BUG: KASAN: use-after-free in perf_trace_lock_acquire+0x401/0x530 include/trace/events/lock.h:13
-  Read of size 8 at addr ffff8880a5cf2c50 by task syz-executor.0/26173
-
-  CPU: 0 PID: 26173 Comm: syz-executor.0 Not tainted 5.3.0-rc6 #146
-  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
-  Call Trace:
-     perf_trace_lock_acquire+0x401/0x530 include/trace/events/lock.h:13
-     trace_lock_acquire include/trace/events/lock.h:13 [inline]
-     lock_acquire+0x2de/0x410 kernel/locking/lockdep.c:4411
-     __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
-     _raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:151
-     spin_lock include/linux/spinlock.h:338 [inline]
-     shmem_fault+0x5ec/0x7b0 mm/shmem.c:2034
-     __do_fault+0x111/0x540 mm/memory.c:3083
-     do_shared_fault mm/memory.c:3535 [inline]
-     do_fault mm/memory.c:3613 [inline]
-     handle_pte_fault mm/memory.c:3840 [inline]
-     __handle_mm_fault+0x2adf/0x3f20 mm/memory.c:3964
-     handle_mm_fault+0x1b5/0x6b0 mm/memory.c:4001
-     do_user_addr_fault arch/x86/mm/fault.c:1441 [inline]
-     __do_page_fault+0x536/0xdd0 arch/x86/mm/fault.c:1506
-     do_page_fault+0x38/0x590 arch/x86/mm/fault.c:1530
-     page_fault+0x39/0x40 arch/x86/entry/entry_64.S:1202
-
-It happens if the VMA got unmapped under us while we dropped mmap_sem
-and inode got freed.
-
-Pinning the file if we drop mmap_sem fixes the issue.
-
-Link: http://lkml.kernel.org/r/20190927083908.rhifa4mmaxefc24r@box
-Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
-Reported-by: syzbot+03ee87124ee05af991bd@syzkaller.appspotmail.com
-Acked-by: Johannes Weiner <hannes@cmpxchg.org>
-Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
-Cc: Hillf Danton <hdanton@sina.com>
-Cc: Hugh Dickins <hughd@google.com>
-Cc: Josef Bacik <josef@toxicpanda.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- mm/shmem.c |   11 ++++++-----
- 1 file changed, 6 insertions(+), 5 deletions(-)
-
---- a/mm/shmem.c
-+++ b/mm/shmem.c
-@@ -2022,16 +2022,14 @@ static vm_fault_t shmem_fault(struct vm_
-                   shmem_falloc->waitq &&
-                   vmf->pgoff >= shmem_falloc->start &&
-                   vmf->pgoff < shmem_falloc->next) {
-+                      struct file *fpin;
-                       wait_queue_head_t *shmem_falloc_waitq;
-                       DEFINE_WAIT_FUNC(shmem_fault_wait, synchronous_wake_function);
- 
-                       ret = VM_FAULT_NOPAGE;
--                      if ((vmf->flags & FAULT_FLAG_ALLOW_RETRY) &&
--                         !(vmf->flags & FAULT_FLAG_RETRY_NOWAIT)) {
--                              /* It's polite to up mmap_sem if we can */
--                              up_read(&vma->vm_mm->mmap_sem);
-+                      fpin = maybe_unlock_mmap_for_io(vmf, NULL);
-+                      if (fpin)
-                               ret = VM_FAULT_RETRY;
--                      }
- 
-                       shmem_falloc_waitq = shmem_falloc->waitq;
-                       prepare_to_wait(shmem_falloc_waitq, &shmem_fault_wait,
-@@ -2049,6 +2047,9 @@ static vm_fault_t shmem_fault(struct vm_
-                       spin_lock(&inode->i_lock);
-                       finish_wait(shmem_falloc_waitq, &shmem_fault_wait);
-                       spin_unlock(&inode->i_lock);
-+
-+                      if (fpin)
-+                              fput(fpin);
-                       return ret;
-               }
-               spin_unlock(&inode->i_lock);