From a467d8a6d929ef491171dee0cf06d9855a892396 Mon Sep 17 00:00:00 2001
From: Patrick Daly <quic_pdaly@quicinc.com>
Date: Mon, 10 Oct 2022 19:25:27 -0700
Subject: [PATCH] ANDROID: mm/filemap: Fix missing put_page() for speculative
 page fault

find_get_page() returns a page with increased refcount, assuming a page
exists at the given index. Ensure this refcount is dropped on error.

Bug: 253068137
Fixes: cd333a037cfa ("BACKPORT: FROMLIST: mm: implement speculative handling in filemap_fault()")
Change-Id: Idc7b9e3f11f32a02bed4c6f4e11cec9200a5c790
Signed-off-by: Patrick Daly <quic_pdaly@quicinc.com>
(cherry picked from commit 6232eecfa7ca0d8d0ca088da6d0edb2c3a879ff9)
---
 mm/filemap.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/mm/filemap.c b/mm/filemap.c
index 25cc4b5023ea..528a21dcc116 100644
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -3057,11 +3057,14 @@ vm_fault_t filemap_fault(struct vm_fault *vmf)
 
 	if (vmf->flags & FAULT_FLAG_SPECULATIVE) {
 		page = find_get_page(mapping, offset);
-		if (unlikely(!page) || unlikely(PageReadahead(page)))
+		if (unlikely(!page))
 			return VM_FAULT_RETRY;
 
+		if (unlikely(PageReadahead(page)))
+			goto page_put;
+
 		if (!trylock_page(page))
-			return VM_FAULT_RETRY;
+			goto page_put;
 
 		if (unlikely(compound_head(page)->mapping != mapping))
 			goto page_unlock;
@@ -3093,6 +3096,8 @@ vm_fault_t filemap_fault(struct vm_fault *vmf)
 		return VM_FAULT_LOCKED;
 page_unlock:
 		unlock_page(page);
+page_put:
+		put_page(page);
 		return VM_FAULT_RETRY;
 	}