From 6ad609468d93cd2080e6f76d8596f4dff6cc860f Mon Sep 17 00:00:00 2001 From: Suren Baghdasaryan Date: Fri, 29 Oct 2021 11:00:34 -0700 Subject: [PATCH] ANDROID: Fix mmu_notifier imbalance SPF patchset introduced an mmu_notifier imbalance by adding a new exit path that skips mmu_notifier_invalidate_range_only_end after calling mmu_notifier_invalidate_range_start. This triggers a BUG in KVM driver checking for mmu_notifier_count to remain balanced Fixes: afeec97a8dfc ("FROMLIST: mm: prepare for FAULT_FLAG_SPECULATIVE") Bug: 161210518 Signed-off-by: Suren Baghdasaryan Change-Id: Ibe9d1f0903a23b48c9d733b81249b190e5321c2f --- mm/memory.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/mm/memory.c b/mm/memory.c index 44c6a8ee197b..5db2a3ed395b 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -3159,7 +3159,7 @@ static vm_fault_t wp_page_copy(struct vm_fault *vmf) */ if (!pte_map_lock(vmf)) { ret = VM_FAULT_RETRY; - goto out_free_new; + goto out_invalidate_end; } if (likely(pte_same(*vmf->pte, vmf->orig_pte))) { if (old_page) { @@ -3247,6 +3247,8 @@ static vm_fault_t wp_page_copy(struct vm_fault *vmf) put_page(old_page); } return page_copied ? VM_FAULT_WRITE : 0; +out_invalidate_end: + mmu_notifier_invalidate_range_only_end(&range); out_free_new: put_page(new_page); out:
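Review bot: The new `out_invalidate_end:` label in the second hunk carries no comment, so a reader cannot tell why this exit must call `mmu_notifier_invalidate_range_only_end(&range)` while the `out_free_new:` and `out:` exits directly below it must not — that distinction is exactly the imbalance this commit fixes, and the next error path added to this function can easily pick the wrong label again. I would put `/* Exits taken after mmu_notifier_invalidate_range_start() must balance it; _only_end is enough because no PTE was changed on this path */` above the label, and at the redirected goto in the first hunk `/* pte_map_lock() failed after range_start: balance the notifier before dropping new_page */`. It is also worth confirming that the pte_map_lock() failure is the only exit between range_start and the normal end that previously went to `out_free_new`; any sibling path in that window would need the same redirection, though none is visible in these hunks. wp_page_copy() starts and ends outside the hunks, and both the `range` declaration and the invalidate_range_start() call are in the part not shown, so the ordering here is taken from the commit message rather than from the visible lines.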