Received: by 2002:ac0:aed5:0:0:0:0:0 with SMTP id t21csp4606871imb;
        Wed, 6 Mar 2019 18:19:31 -0800 (PST)
X-Google-Smtp-Source: APXvYqz50wtHou0N7sYYru4OWvrIyv7nQ4oaN6H7VSIbgvo45qMFRCxkDIC3xWeddn3uM12SPjxu
X-Received: by 2002:a17:902:622:: with SMTP id 31mr10389589plg.31.1551925170962;
        Wed, 06 Mar 2019 18:19:30 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1551925170; cv=none;
        d=google.com; s=arc-20160816;
        b=upE6B7pjc1gUmNQYXjxD3Li1Ofgq9VnPapxrmB54We1THo6uWjko5nx8iviTPQ/BWA
         JZBEaxNrs0b4VXxj2N4xk6E9BW8R/aM4qnPDL/8sKUYL4BEhYPXnTh/VbkXmg9fbeiIl
         m0nOYGTgMw9FPB5uHES6jccolWE74eUR8QXHJdzXgg26L59gBX2Cvk21E5vJZgjmXiEF
         GwfAILUF77YrC5kJyPGWm0K6JlwO+e8YlB+kZg0SwwB6zXU4eSWgo6QkgVtSOnHgdIgn
         +w599c3AT2BftcQBWVEWSaC7F5rrPN3Wj1KO+RtslXuTGNTs7NNyrdXTKm42z40OWHUO
         OLGg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date;
        bh=d0ipJ+0rYTHNLJRvbu5+55h06Ei9qTs9wbUdJa7WbMs=;
        b=woKmdlxdi4SNmYl13suFhzf6oSnQWnXDSIOhvLRKegQjnoMaCgM8r2EVaXNtGL3E0B
         USTkgKoliCDkM1Ry1TQfgn3rIKOg54VL4oDtcNAwgDXa85aIujeGsQv+MY471xaYJsGp
         7xo41pVKpugy3MD3FtSmsamxlmRoQ72QPbPY3al8qSoTtVUZFmBEbXdplqRDF4+SWqe8
         WyAyxGBv09S+Pr6E22ja+1HUZzg3zopaBdbhUMIxGos0YxSE2WigBvnL9ut+4pNraKgx
         tCm/+ZhS+wfWlFm8JDEnwXlKCbJd/mN4P8FQEraw4uXR1mETtVueIOx/IAWsiSx4XXpa
         Rb8Q==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 95si2895384plb.30.2019.03.06.18.19.15;
        Wed, 06 Mar 2019 18:19:30 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726715AbfCGCSz (ORCPT <rfc822;kerneldev.sdk@gmail.com>
        + 99 others); Wed, 6 Mar 2019 21:18:55 -0500
Received: from zeniv.linux.org.uk ([195.92.253.2]:41644 "EHLO
        ZenIV.linux.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726514AbfCGCSy (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 6 Mar 2019 21:18:54 -0500
Received: from viro by ZenIV.linux.org.uk with local (Exim 4.92 #3 (Red Hat Linux))
        id 1h1icO-00030k-PC; Thu, 07 Mar 2019 02:18:44 +0000
Date:   Thu, 7 Mar 2019 02:18:44 +0000
From:   Al Viro <viro@zeniv.linux.org.uk>
To:     Linus Torvalds <torvalds@linux-foundation.org>
Cc:     Eric Dumazet <eric.dumazet@gmail.com>,
        David Miller <davem@davemloft.net>,
        Jason Baron <jbaron@akamai.com>, kgraul@linux.ibm.com,
        ktkhai@virtuozzo.com, kyeongdon.kim@lge.com,
        Linux List Kernel Mailing <linux-kernel@vger.kernel.org>,
        Netdev <netdev@vger.kernel.org>, pabeni@redhat.com,
        syzkaller-bugs@googlegroups.com, xiyou.wangcong@gmail.com,
        Christoph Hellwig <hch@lst.de>,
        zhengbin <zhengbin13@huawei.com>, bcrl@kvack.org,
        linux-fsdevel@vger.kernel.org, linux-aio@kvack.org,
        houtao1@huawei.com, yi.zhang@huawei.com
Subject: Re: [PATCH 2/8] aio_poll_wake(): don't set ->woken if we ignore the
 wakeup
Message-ID: <20190307021844.GC2217@ZenIV.linux.org.uk>
References: <CAHk-=wghRmdYKRAwakeHmjcpbLt9fJAHyU2x8s_NZONhz6RTOw@mail.gmail.com>
 <20190307000316.31133-1-viro@ZenIV.linux.org.uk>
 <20190307000316.31133-2-viro@ZenIV.linux.org.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20190307000316.31133-2-viro@ZenIV.linux.org.uk>
User-Agent: Mutt/1.10.1 (2018-07-13)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Mar 07, 2019 at 12:03:10AM +0000, Al Viro wrote:
> From: Al Viro <viro@zeniv.linux.org.uk>
> 
> In case of early wakeups, aio_poll() assumes that aio_poll_complete()
> has either already happened or is imminent.  In that case we do not
> want to put iocb on the list of cancellables.  However, ignored
> wakeups need to be treated as if wakeup has not happened at all.
> Trivially fixed by having aio_poll_wake() set ->woken only after
> it's committed to taking iocb out of the waitqueue.
> 
> Spotted-by: zhengbin <zhengbin13@huawei.com>
> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

... and unfortunately it's worse than just that - what both of us
have missed is that one could have non-specific wakep + schedule_work +
aio_poll_complete_work() rechecking ->poll(), seeing nothing of
interest and reinserting into queue.  All before vfs_poll() manages
to return into aio_poll().  The window is harder to hit, but it's
still there, with exact same "failed to add to cancel list" kind of bug
if we do hit it ;-/