ANDROID: add vma->file_ref_count to synchronize vma->vm_file destruction

In order to prevent destruction of vma->vm_file while it's being used during speculative page fault handling, introduce an atomic refcounter. Bug: 234527424 Signed-off-by: Suren Baghdasaryan <surenb@google.com> Change-Id: I0e971156f3e76feb45136bac1582a7eaab8c75df
2022-06-08 08:41:36 -07:00
parent 0864756fb0
commit 4daa3c254e
3 changed files with 23 additions and 2 deletions
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -679,6 +679,9 @@ static inline void vma_init(struct vm_area_struct *vma, struct mm_struct *mm)
 	memset(vma, 0, sizeof(*vma));
 	vma->vm_mm = mm;
 	vma->vm_ops = &dummy_vm_ops;
+#ifdef CONFIG_SPECULATIVE_PAGE_FAULT
+        atomic_set(&vma->file_ref_count, 1);
+#endif
 	INIT_LIST_HEAD(&vma->anon_vma_chain);
 }

@@ -3377,6 +3380,18 @@ static inline bool pte_spinlock(struct vm_fault *vmf)
 	return __pte_map_lock(vmf);
 }

+static inline bool vma_get_file_ref(struct vm_area_struct *vma)
+{
+        return atomic_inc_not_zero(&vma->file_ref_count);
+}
+
+extern void fput(struct file *);
+static inline void vma_put_file_ref(struct vm_area_struct *vma)
+{
+        if (vma && atomic_dec_and_test(&vma->file_ref_count))
+                fput(vma->vm_file);
+}
+
 #else	/* !CONFIG_SPECULATIVE_PAGE_FAULT */

 #define pte_map_lock(___vmf)						\