commit fe4b6161c1c98d8bf609f687567955a58556ecf5
author Christian Brauner <brauner@kernel.org> Wed Oct 16 20:10:07 2024 +0200
committer Christian Brauner <brauner@kernel.org> Thu Oct 17 18:20:53 2024 +0200
tree 74a92d785684bc2fa2a43bc7420d19a802074864
parent 1f2dd712611df0a60115098f18b4aa0a1659f130

file_ref_t: allow for valid race

The following race exists when putting the last reference to a file:

CPU1                                                    CPU2

file_ref_put()
// last reference
// => count goes negative/FILE_REF_NOREF
atomic_long_add_negative_release(-1, &ref->refcnt)
-> __file_ref_put()
							file_ref_get()
							// goes back from negative/FILE_REF_NOREF to 0
                                                        atomic_long_add_negative(1, &ref->refcnt)

							// manages to put last reference
							// and set FILE_REF_DEAD
							file_ref_put()

   // Sees cnt > FILE_REF_RELEASED
   // and splats with
   // "imbalanced put on file reference count"
   cnt = atomic_long_read(&ref->refcnt);

This race is benign and the problem is the atomic_long_read(). Instead
of performing a separate read, use atomic_long_dec_return() and pass the
value to __file_ref_put(). Thanks to Linus for pointing out that braino.

Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Reported-by: kernel test robot <oliver.sang@intel.com>
Closes: https://lore.kernel.org/oe-lkp/202410151043.5d224a27-oliver.sang@intel.com
Closes: https://lore.kernel.org/all/202410151611.f4cd71f2-oliver.sang@intel.com
Signed-off-by: Christian Brauner <brauner@kernel.org>