Merge tag 'v6.1-rc8' into rdma.git for-next

For dependencies in following patches Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
author: Jason Gunthorpe <jgg@nvidia.com> 2022-12-09 15:52:17 -0400
committer: Jason Gunthorpe <jgg@nvidia.com> 2022-12-09 15:52:17 -0400
commit: d69e8c63fcbbf695ff7ff2c6d26efead23cfbb3a (patch)
tree: 4d714ecd331233069ab718989bb017dfd934e129 /fs/file.c
parent: 6cfe7bd0dfd33033683639039b5608d6534c19eb (diff)
parent: 76dcd734eca23168cb008912c0f69ff408905235 (diff)
1 files changed, 10 insertions, 1 deletions
diff --git a/fs/file.c b/fs/file.c
index 5f9c802a5d8d..c942c89ca4cd 100644
--- a/fs/file.c
+++ b/fs/file.c
@@ -1003,7 +1003,16 @@ static unsigned long __fget_light(unsigned int fd, fmode_t mask)
 	struct files_struct *files = current->files;
 	struct file *file;
 
-	if (atomic_read(&files->count) == 1) {
+	/*
+	 * If another thread is concurrently calling close_fd() followed
+	 * by put_files_struct(), we must not observe the old table
+	 * entry combined with the new refcount - otherwise we could
+	 * return a file that is concurrently being freed.
+	 *
+	 * atomic_read_acquire() pairs with atomic_dec_and_test() in
+	 * put_files_struct().
+	 */
+	if (atomic_read_acquire(&files->count) == 1) {
 		file = files_lookup_fd_raw(files, fd);
 		if (!file || unlikely(file->f_mode & mask))
 			return 0;
author	Jason Gunthorpe <jgg@nvidia.com>	2022-12-09 15:52:17 -0400
committer	Jason Gunthorpe <jgg@nvidia.com>	2022-12-09 15:52:17 -0400
commit	d69e8c63fcbbf695ff7ff2c6d26efead23cfbb3a (patch)
tree	4d714ecd331233069ab718989bb017dfd934e129 /fs/file.c
parent	6cfe7bd0dfd33033683639039b5608d6534c19eb (diff)
parent	76dcd734eca23168cb008912c0f69ff408905235 (diff)