Merge tag 'pull-18-rc1-work.fd' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs

	if (!twcb)

		return;

	init_task_work(&twcb->twork, binder_do_fd_close);

	close_fd_get_file(fd, &twcb->file);

	twcb->file = close_fd_get_file(fd);

	if (twcb->file) {

		filp_close(twcb->file, current->files);

		task_work_add(current, &twcb->twork, TWA_RESUME);

 * @files: file struct to retrieve file from

 * @fd: file descriptor to retrieve file for

 *

 * If this functions returns an EINVAL error pointer the fd was beyond the

 * current maximum number of file descriptors for that fdtable.

 * Context: files_lock must be held.

 *

 * Returns: The file associated with @fd, on error returns an error pointer.

 * Returns: The file associated with @fd (NULL if @fd is not open)

 */

static struct file *pick_file(struct files_struct *files, unsigned fd)

{

	struct fdtable *fdt = files_fdtable(files);

	struct file *file;

	struct fdtable *fdt;

	spin_lock(&files->file_lock);

	fdt = files_fdtable(files);

	if (fd >= fdt->max_fds) {

		file = ERR_PTR(-EINVAL);

		goto out_unlock;

	}

	if (fd >= fdt->max_fds)

		return NULL;

	file = fdt->fd[fd];

	if (!file) {

		file = ERR_PTR(-EBADF);

		goto out_unlock;

	}

	if (file) {

		rcu_assign_pointer(fdt->fd[fd], NULL);

		__put_unused_fd(files, fd);

out_unlock:

	spin_unlock(&files->file_lock);

	}

	return file;

}

	struct files_struct *files = current->files;

	struct file *file;

	spin_lock(&files->file_lock);

	file = pick_file(files, fd);

	if (IS_ERR(file))

	spin_unlock(&files->file_lock);

	if (!file)

		return -EBADF;

	return filp_close(file, files);

static inline void __range_close(struct files_struct *cur_fds, unsigned int fd,

				 unsigned int max_fd)

{

	unsigned n;

	rcu_read_lock();

	n = last_fd(files_fdtable(cur_fds));

	rcu_read_unlock();

	max_fd = min(max_fd, n);

	while (fd <= max_fd) {

		struct file *file;

		spin_lock(&cur_fds->file_lock);

		file = pick_file(cur_fds, fd++);

		if (!IS_ERR(file)) {

		spin_unlock(&cur_fds->file_lock);

		if (file) {

			/* found a valid file to close */

			filp_close(file, cur_fds);

			cond_resched();

			continue;

		}

		/* beyond the last fd in that table */

		if (PTR_ERR(file) == -EINVAL)

			return;

	}

}

 * See close_fd_get_file() below, this variant assumes current->files->file_lock

 * is held.

 */

int __close_fd_get_file(unsigned int fd, struct file **res)

struct file *__close_fd_get_file(unsigned int fd)

{

	struct files_struct *files = current->files;

	struct file *file;

	struct fdtable *fdt;

	fdt = files_fdtable(files);

	if (fd >= fdt->max_fds)

		goto out_err;

	file = fdt->fd[fd];

	if (!file)

		goto out_err;

	rcu_assign_pointer(fdt->fd[fd], NULL);

	__put_unused_fd(files, fd);

	get_file(file);

	*res = file;

	return 0;

out_err:

	*res = NULL;

	return -ENOENT;

	return pick_file(current->files, fd);

}

/*

 * The caller must ensure that filp_close() called on the file, and then

 * an fput().

 */

int close_fd_get_file(unsigned int fd, struct file **res)

struct file *close_fd_get_file(unsigned int fd)

{

	struct files_struct *files = current->files;

	int ret;

	struct file *file;

	spin_lock(&files->file_lock);

	ret = __close_fd_get_file(fd, res);

	file = pick_file(files, fd);

	spin_unlock(&files->file_lock);

	return ret;

	return file;

}

void do_close_on_exec(struct files_struct *files)

}

static inline struct file *__fget_files_rcu(struct files_struct *files,

	unsigned int fd, fmode_t mask, unsigned int refs)

	unsigned int fd, fmode_t mask)

{

	for (;;) {

		struct file *file;

		 * Such a race can take two forms:

		 *

		 *  (a) the file ref already went down to zero,

		 *      and get_file_rcu_many() fails. Just try

		 *      again:

		 *      and get_file_rcu() fails. Just try again:

		 */

		if (unlikely(!get_file_rcu_many(file, refs)))

		if (unlikely(!get_file_rcu(file)))

			continue;

		/*

		 *       pointer having changed, because it always goes

		 *       hand-in-hand with 'fdt'.

		 *

		 * If so, we need to put our refs and try again.

		 * If so, we need to put our ref and try again.

		 */

		if (unlikely(rcu_dereference_raw(files->fdt) != fdt) ||

		    unlikely(rcu_dereference_raw(*fdentry) != file)) {

			fput_many(file, refs);

			fput(file);

			continue;

		}

}

static struct file *__fget_files(struct files_struct *files, unsigned int fd,

				 fmode_t mask, unsigned int refs)

				 fmode_t mask)

{

	struct file *file;

	rcu_read_lock();

	file = __fget_files_rcu(files, fd, mask, refs);

	file = __fget_files_rcu(files, fd, mask);

	rcu_read_unlock();

	return file;

}

static inline struct file *__fget(unsigned int fd, fmode_t mask,

				  unsigned int refs)

{

	return __fget_files(current->files, fd, mask, refs);

}

struct file *fget_many(unsigned int fd, unsigned int refs)

static inline struct file *__fget(unsigned int fd, fmode_t mask)

{

	return __fget(fd, FMODE_PATH, refs);

	return __fget_files(current->files, fd, mask);

}

struct file *fget(unsigned int fd)

{

	return __fget(fd, FMODE_PATH, 1);

	return __fget(fd, FMODE_PATH);

}

EXPORT_SYMBOL(fget);

struct file *fget_raw(unsigned int fd)

{

	return __fget(fd, 0, 1);

	return __fget(fd, 0);

}

EXPORT_SYMBOL(fget_raw);

	task_lock(task);

	if (task->files)

		file = __fget_files(task->files, fd, 0, 1);

		file = __fget_files(task->files, fd, 0);

	task_unlock(task);

	return file;

			return 0;

		return (unsigned long)file;

	} else {

		file = __fget(fd, mask, 1);

		file = __fget(fd, mask);

		if (!file)

			return 0;

		return FDPUT_FPUT | (unsigned long)file;

static DECLARE_DELAYED_WORK(delayed_fput_work, delayed_fput);

void fput_many(struct file *file, unsigned int refs)

void fput(struct file *file)

{

	if (atomic_long_sub_and_test(refs, &file->f_count)) {

	if (atomic_long_dec_and_test(&file->f_count)) {

		struct task_struct *task = current;

		if (likely(!in_interrupt() && !(task->flags & PF_KTHREAD))) {

	}

}

void fput(struct file *file)

{

	fput_many(file, 1);

}

/*

 * synchronous analog of fput(); for kernel threads that might be needed

 * in some umount() (and thus can't use flush_delayed_fput() without

		const char *, const struct open_flags *);

extern struct open_how build_open_how(int flags, umode_t mode);

extern int build_open_flags(const struct open_how *how, struct open_flags *op);

extern int __close_fd_get_file(unsigned int fd, struct file **res);

extern struct file *__close_fd_get_file(unsigned int fd);

long do_sys_ftruncate(unsigned int fd, loff_t length, int small);

int chmod_common(const struct path *path, umode_t mode);

		return -EAGAIN;

	}

	ret = __close_fd_get_file(close->fd, &file);

	file = __close_fd_get_file(close->fd);

	spin_unlock(&files->file_lock);

	if (ret < 0) {

		if (ret == -ENOENT)

			ret = -EBADF;

	if (!file)

		goto err;

	}

	/* No ->flush() or already async, safely close from here */

	ret = filp_close(file, current->files);

			return -EINVAL;

		fd = array_index_nospec(fd, IO_RINGFD_REG_MAX);

		f.file = tctx->registered_rings[fd];

		if (unlikely(!f.file))

			return -EBADF;

		f.flags = 0;

	} else {

		f = fdget(fd);

	}

	if (unlikely(!f.file))

		return -EBADF;

	}

	ret = -EOPNOTSUPP;

	if (unlikely(f.file->f_op != &io_uring_fops))

out:

	percpu_ref_put(&ctx->refs);

out_fput:

	if (!(flags & IORING_ENTER_REGISTERED_RING))

	fdput(f);

	return ret;

}