
From: "Stephen C. Tweedie" <sct@redhat.com>

When a new vma can be merged simultaneously with its two immediate
neighbours in both directions, vma_merge() extends the predecessor vma and
deletes the successor.  However, if the vma maps a file, it fails to fput()
when doing the delete, leaving the file's refcount inconsistent.



 mm/mmap.c |    2 ++
 1 files changed, 2 insertions(+)

diff -puN mm/mmap.c~vma-merging-missing-fput mm/mmap.c
--- 25/mm/mmap.c~vma-merging-missing-fput	2003-05-12 21:23:12.000000000 -0700
+++ 25-akpm/mm/mmap.c	2003-05-12 21:23:12.000000000 -0700
@@ -471,6 +471,8 @@ static int vma_merge(struct mm_struct *m
 			spin_unlock(lock);
 			if (need_up)
 				up(&inode->i_mapping->i_shared_sem);
+			if (file)
+				fput(file);
 
 			mm->map_count--;
 			kmem_cache_free(vm_area_cachep, next);
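
Review bot: At the added `if (file) fput(file);`, the reference is dropped through `file`, but the object that actually goes away is `next` (freed two lines later by `kmem_cache_free(vm_area_cachep, next)`), so the link between the reference and its owner is implicit. The put is balanced only if `next->vm_file` is the same file as `file`, which the visible lines do not show. Consider releasing it via `next->vm_file`, or adding a one-line comment stating that this put pairs with the reference held by the deleted successor vma, so a later change to the merge conditions cannot silently unbalance the refcount.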

_
