)]}'
{
  "commit": "0643e2d53977c1e655834287c8755c24088e6538",
  "tree": "12fae33c81fbdc749799b8c082b7f0feebb9b46b",
  "parents": [
    "fe4b6161c1c98d8bf609f687567955a58556ecf5"
  ],
  "author": {
    "name": "Christian Brauner",
    "email": "brauner@kernel.org",
    "time": "Thu Oct 17 15:48:01 2024 +0200"
  },
  "committer": {
    "name": "Christian Brauner",
    "email": "brauner@kernel.org",
    "time": "Thu Oct 17 21:02:34 2024 +0200"
  },
  "message": "file_ref_t: don\u0027t accidentally mark recycled files dead\n\nWhen a file is recycled the following race exists:\n\nCPU1                                                    CPU2\nfile_ref_get(file)\n// the result is negative \u003e\u003d FILE_REF_RELEASED\natomic_long_add_negative(1, \u0026ref-\u003erefcnt)\n-\u003e __file_ref_get()\n\n   // Sees cnt \u003e\u003e FILE_REF_RELEASED\n   cnt \u003d atomic_long_read(\u0026ref-\u003erefcnt);\n\n                                                        kmem_cache_free()\n                                                        file \u003d kmem_cache_alloc()\n                                                        file_ref_init(\u0026ref-\u003erefcnt, 1);\n\n   // Here we mark someone else\u0027s file dead...\n   atomic_long_set(\u0026ref-\u003erefcnt, FILE_REF_DEAD);\n\n                                                        close(fd)\n                                                        file \u003d file_close_fd_locked()\n                                                        filp_flush()\n                                                        // splats the first time\n                                                        CHECK_DATA_CORRUPTION(file_count(file) \u003d\u003d 0)\n\n                                                        // splats a second time because it sees FILE_REF_DEAD\n                                                        file_ref_put(\u0026ref-\u003erefcnt);\n\nQuoting Linus:\n\nI think we should just make file_ref_get() do a simple\n\u003e\n\u003e        return !atomic_long_add_negative(1, \u0026ref-\u003erefcnt));\n\u003e\n\u003e and nothing else. Yes, multiple CPU\u0027s can race, and you can increment\n\u003e more than once, but the gap - even on 32-bit - between DEAD and\n\u003e becoming close to REF_RELEASED is so big that we simply don\u0027t care.\n\u003e That\u0027s the point of having a gap.\n\nReported-by: kernel test robot \u003coliver.sang@intel.com\u003e\nCloses: https://lore.kernel.org/oe-lkp/202410151043.5d224a27-oliver.sang@intel.com\nCloses: https://lore.kernel.org/all/202410151611.f4cd71f2-oliver.sang@intel.com\nSigned-off-by: Christian Brauner \u003cbrauner@kernel.org\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "44c04dcc0fdcf5800c33b4829a5215bb82144308",
      "old_mode": 33188,
      "old_path": "fs/file.c",
      "new_id": "9598c577f7132b6f3818e229767f9934c36519c5",
      "new_mode": 33188,
      "new_path": "fs/file.c"
    },
    {
      "type": "modify",
      "old_id": "3ed2423c23496165945ec4be16472ffc21900a52",
      "old_mode": 33188,
      "old_path": "include/linux/file_ref.h",
      "new_id": "949823a0a050e756827fb5f33470ec8518cc8512",
      "new_mode": 33188,
      "new_path": "include/linux/file_ref.h"
    }
  ]
}
