On Wed, Mar 21, 2018 at 08:40:10AM +0100, Christoph Hellwig wrote: > Simple one-shot poll through the io_submit() interface. To poll for > a file descriptor the application should submit an iocb of type > IOCB_CMD_POLL. It will poll the fd for the events specified in the > the first 32 bits of the aio_buf field of the iocb. > > Unlike poll or epoll without EPOLLONESHOT this interface always works > in one shot mode, that is once the iocb is completed, it will have to be > resubmitted. AFAICS, your wakeup can race with io_cancel(), leading to double fput(). You are checking the "somebody had committed itself to cancelling that thing" bit outside of ->ctx_lock on the wakeup side, and I don't see anything to prevent both getting to __aio_poll_complete() on the same iocb, with obvious results. I might be missing something subtle in there, but then it would be nice to have it covered in commit message...
