refcount increment on mid-destruction file [CVE-2021-1048]
We discussed this vulnerability during Episode 108 on 14 December 2021.
This is a straightforward yet subtle bug: a reference is taken to a file while it is actively being deleted, leading to a use after free despite holding onto a reference.
Patch: Used get_file_rcu, which will check for this condition and bail, instead of get_file.
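The difference the patch relies on, as an added example that is not kernel code or code from the original post: a user-space model using C11 atomics that contrasts an unconditional increment with an increment that only succeeds while the count is non-zero. The names struct obj, ref_get, ref_get_not_zero, ref_put and the demo functions are hypothetical.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* User-space model of a refcounted object (assumption, not kernel code). */
struct obj { atomic_long count; };

/* get_file-style: unconditional increment, succeeds even when count is 0. */
static void ref_get(struct obj *o) { atomic_fetch_add(&o->count, 1); }

/* get_file_rcu-style: increment only if count is non-zero, else bail. */
static bool ref_get_not_zero(struct obj *o)
{
    long old = atomic_load(&o->count);
    while (old != 0)    /* on CAS failure, old is reloaded with the current value */
        if (atomic_compare_exchange_weak(&o->count, &old, old + 1))
            return true;
    return false;
}

/* Returns true when the last reference was dropped and teardown begins. */
static bool ref_put(struct obj *o) { return atomic_fetch_sub(&o->count, 1) == 1; }

/* Count seen after an unconditional get on an object already at zero. */
static long demo_unconditional(void)
{
    struct obj o;
    atomic_init(&o.count, 1);
    ref_put(&o);    /* last reference gone: destruction in progress */
    ref_get(&o);    /* count is 1 again, so the stale reference looks valid */
    return atomic_load(&o.count);
}

/* Result of the checked get: false mid-destruction, true on a live object. */
static bool demo_checked(bool live)
{
    struct obj o;
    atomic_init(&o.count, 1);
    if (!live)
        ref_put(&o);
    return ref_get_not_zero(&o);
}

int main(void)
{
    printf("unconditional: count=%ld, checked mid-destruction: %d, checked live: %d\n",
           demo_unconditional(), demo_checked(false), demo_checked(true));
    return 0;
}
```

The caller of the checked variant has to handle the false return by treating the object as already gone.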