From: David Howells dhowells@redhat.com
commit c1853fbadcba1497f4907971e7107888e0714c81 upstream.
When a pipe ring descriptor points to a notification message, the refcount on the backing page is incremented by the generic get function, but the release function, which marks the bitmap, doesn't drop the page ref.
Fix this by calling generic_pipe_buf_release() at the end of watch_queue_pipe_buf_release().
Fixes: c73be61cede5 ("pipe: Add general notification queue support") Reported-by: Jann Horn jannh@google.com Signed-off-by: David Howells dhowells@redhat.com Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- kernel/watch_queue.c | 1 + 1 file changed, 1 insertion(+)
--- a/kernel/watch_queue.c +++ b/kernel/watch_queue.c @@ -54,6 +54,7 @@ static void watch_queue_pipe_buf_release bit += page->index;
set_bit(bit, wqueue->notes_bitmap); + generic_pipe_buf_release(pipe, buf); }
// No try_steal function => no stealing