From a07770525e61ae82ba198ae3b697e4f2981ec00a Mon Sep 17 00:00:00 2001
From: Suren Baghdasaryan <surenb@google.com>
Date: Fri, 11 Nov 2022 12:58:46 -0800
Subject: [PATCH] Revert "ANDROID: add vma->file_ref_count to synchronize
 vma->vm_file destruction"

This reverts commit a3fe25d92303739a0515c92cb1febb46a920d4d9.

File refcounting implemented in this patch is broken and needs to be
redone.
The change in include/linux/mm_types.h which adds file_ref_count into
vm_area_struct is left untouched to keep ABI intact.

Bug: 258731892
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I37984eb2f0981a989f74bcaaa6be42040a2f241e
---
 include/linux/mm.h | 15 ---------------
 kernel/fork.c      |  7 ++-----
 2 files changed, 2 insertions(+), 20 deletions(-)

diff --git a/include/linux/mm.h b/include/linux/mm.h
index 0ef74e4b1d16..047456e8b433 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -685,9 +685,6 @@ static inline void vma_init(struct vm_area_struct *vma, struct mm_struct *mm)
 	memset(vma, 0, sizeof(*vma));
 	vma->vm_mm = mm;
 	vma->vm_ops = &dummy_vm_ops;
-#ifdef CONFIG_SPECULATIVE_PAGE_FAULT
-        atomic_set(&vma->file_ref_count, 1);
-#endif
 	INIT_LIST_HEAD(&vma->anon_vma_chain);
 }
 
@@ -3382,18 +3379,6 @@ static inline bool pte_spinlock(struct vm_fault *vmf)
 	return __pte_map_lock(vmf);
 }
 
-static inline bool vma_get_file_ref(struct vm_area_struct *vma)
-{
-        return atomic_inc_not_zero(&vma->file_ref_count);
-}
-
-extern void fput(struct file *);
-static inline void vma_put_file_ref(struct vm_area_struct *vma)
-{
-        if (vma && atomic_dec_and_test(&vma->file_ref_count))
-                fput(vma->vm_file);
-}
-
 #else	/* !CONFIG_SPECULATIVE_PAGE_FAULT */
 
 #define pte_map_lock(___vmf)						\
diff --git a/kernel/fork.c b/kernel/fork.c
index d83371a37485..eb0781c9f9f9 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -383,6 +383,8 @@ struct vm_area_struct *vm_area_dup(struct vm_area_struct *orig)
 
 static inline void ____vm_area_free(struct vm_area_struct *vma)
 {
+	if (vma->vm_file)
+		fput(vma->vm_file);
 	kmem_cache_free(vm_area_cachep, vma);
 }
 
@@ -400,15 +402,10 @@ void vm_area_free(struct vm_area_struct *vma)
 	free_anon_vma_name(vma);
 #ifdef CONFIG_SPECULATIVE_PAGE_FAULT
 	if (atomic_read(&vma->vm_mm->mm_users) > 1) {
-		if (vma->vm_file)
-			vma_put_file_ref(vma);
-
 		call_rcu(&vma->vm_rcu, __vm_area_free);
 		return;
 	}
 #endif
-	if (vma->vm_file)
-		fput(vma->vm_file);
 	____vm_area_free(vma);
 }