Date: Mon, 11 Mar 2019 21:06:18 +0000
From: Al Viro
To: Christoph Hellwig
Cc: Linus Torvalds, Eric Dumazet, David Miller, Jason Baron, kgraul@linux.ibm.com, ktkhai@virtuozzo.com, kyeongdon.kim@lge.com, Linux List Kernel Mailing, Netdev, pabeni@redhat.com, syzkaller-bugs@googlegroups.com, xiyou.wangcong@gmail.com, zhengbin, bcrl@kvack.org, linux-fsdevel@vger.kernel.org, linux-aio@kvack.org, houtao1@huawei.com, yi.zhang@huawei.com
Subject: Re: [PATCH 4/8] Fix aio_poll() races
Message-ID: <20190311210618.GL2217@ZenIV.linux.org.uk>

On Mon, Mar 11, 2019 at 08:58:31PM +0100, Christoph Hellwig wrote:
> Where do we put the second iocb reference in case we return from
> vfs_poll without ever being woken?

Depends. If mask is non-zero (i.e. vfs_poll() has returned something
we care about) and it has never been woken, we steal it and drop the
reference ourselves. If it is zero and we see that ->poll() has tried
to put it on two queues, we steal it (again, assuming it's not on
waitqueue and _can_ be stolen) and return -EINVAL. In that case
__io_submit_one() (or, by the end of the series, io_submit_one())
will call iocb_destroy().

And in the normal waiting case (nothing interesting reported and no
errors) it will end up on the list of cancellables. Then it either
will get completed by later wakeup, which will drop the reference,
or it will get eventually cancelled, which will hit the same
aio_poll_complete_work() and drop the reference...

> Also it seems like the complete code would still benefit from a little
> helper, something like:

Umm... Not sure I like the name (something like aio_poll_done() seems
to be better), but other than that - no problem.