From d64519bf05760fc4f2d9a31e28df56af873c5b65 Mon Sep 17 00:00:00 2001
From: Zefan Li <lizefan@huawei.com>
Date: Sun, 9 Oct 2016 19:06:49 +0800
Subject: [PATCH] Fix incomplete backport of commit 0f792cf949a0

Signed-off-by: Zefan Li <lizefan@huawei.com>
---
 mm/hugetlb.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/mm/hugetlb.c b/mm/hugetlb.c
index 416cbfd92ec8..6726bfea8623 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -2929,13 +2929,17 @@ out_page_table_lock:
 		unlock_page(pagecache_page);
 		put_page(pagecache_page);
 	}
-	if (page != pagecache_page)
-		unlock_page(page);
-	put_page(page);
-
 out_mutex:
 	mutex_unlock(&hugetlb_instantiation_mutex);
-
+	/*
+	 * Generally it's safe to hold refcount during waiting page lock. But
+	 * here we just wait to defer the next page fault to avoid busy loop and
+	 * the page is not used after unlocked before returning from the current
+	 * page fault. So we are safe from accessing freed page, even if we wait
+	 * here without taking refcount.
+	 */
+	if (need_wait_lock)
+		wait_on_page_locked(page);
 	return ret;
 }