On 3/4/24 11:10, Eric Biggers wrote:
> If I understand correctly, this patch is supposed to fix a memory safety bug when kiocb_set_cancel_fn() is called on a kiocb that is owned by io_uring instead of legacy AIO. However, the kiocb still gets accessed as an aio_kiocb at the very beginning of the function, so it's still broken:
>
> 	struct aio_kiocb *req = container_of(iocb, struct aio_kiocb, rw);
> 	struct kioctx *ctx = req->ki_ctx;
Hi Eric,
Thanks for having reported this. I agree that this needs to be fixed.
> I'm also wondering why "ignore" is the right fix. The USB gadget driver sees that it has asynchronous I/O (kiocb::ki_complete != NULL) and then tries to set a cancellation function. What is the expected behavior when the I/O is owned by io_uring? Should it perhaps call into io_uring to set a cancellation function with io_uring? Or is the concept of cancellation functions indeed specific to legacy AIO, and nothing should be done with io_uring I/O?
As far as I know, no Linux user space interface for submitting I/O supports cancellation of read or write requests other than the AIO io_cancel() system call.
It would make it easier to maintain the kernel if I/O cancellation support were removed. However, there is existing user space code that depends on USB I/O cancellation, so I'm not sure how to proceed to remove AIO io_cancel() support from the kernel.
Thanks,
Bart.
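To make Eric's point concrete, here is an added userland model (not code from the patch, the kernel, or either participant) of why the ownership check has to come before container_of(). The struct layouts, the IOCB_AIO_RW flag and the demo_cancel callback are assumptions made for the illustration. It places a kiocb at the front of an io_uring-style request, shows that an unconditional container_of() computes a pointer into whatever memory precedes that request and loads a bogus "ki_ctx" from it, and shows the fixed ordering returning before any such access.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Userland model of the ordering bug Eric points out: the "is this legacy AIO?"
 * check must come before container_of(), because an io_uring kiocb has no
 * aio_kiocb around it. Layouts and IOCB_AIO_RW are assumed stand-ins. */

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

struct kiocb {
	unsigned int ki_flags;
	void (*ki_complete)(struct kiocb *iocb, long ret);
};
#define IOCB_AIO_RW (1u << 0)	/* assumed: set only on kiocbs inside an aio_kiocb */
typedef void (*cancel_fn_t)(struct kiocb *iocb);
struct kioctx { int id; };

/* Legacy AIO request: ki_ctx and ki_cancel precede the embedded kiocb. */
struct aio_kiocb {
	struct kioctx *ki_ctx;
	cancel_fn_t ki_cancel;
	struct kiocb rw;
};

/* io_uring request: the kiocb is the first member, so container_of()'s
 * subtraction lands in front of the allocation. */
struct io_rw {
	struct kiocb kiocb;
	uint64_t addr;
};

/* Bytes that happen to sit in front of an io_rw, modelled explicitly so the
 * stray read below stays inside one object and the example runs safely. */
struct io_rw_arena {
	unsigned char preceding[sizeof(struct aio_kiocb)];
	struct io_rw rw;
};

/* Buggy shape: container_of() and the ki_ctx load come first, the ownership
 * check only afterwards. Returns the bits it loaded as "req->ki_ctx". */
static uintptr_t set_cancel_fn_buggy(struct kiocb *iocb, cancel_fn_t fn)
{
	struct aio_kiocb *req = container_of(iocb, struct aio_kiocb, rw);
	uintptr_t ctx_bits;
	/* Stands in for `ctx = req->ki_ctx;`; memcpy keeps the load defined
	 * even when req points into io_rw_arena::preceding. */
	memcpy(&ctx_bits, (char *)req + offsetof(struct aio_kiocb, ki_ctx),
	       sizeof(ctx_bits));
	if (!(iocb->ki_flags & IOCB_AIO_RW))
		return ctx_bits;	/* "ignore" arrives after req was already used */
	req->ki_cancel = fn;
	return ctx_bits;
}

/* Fixed shape: decide ownership from the kiocb itself before computing req.
 * Returns 1 if a cancel function was installed, 0 if the kiocb was ignored. */
static int set_cancel_fn_fixed(struct kiocb *iocb, cancel_fn_t fn)
{
	struct aio_kiocb *req;
	if (!(iocb->ki_flags & IOCB_AIO_RW))
		return 0;	/* not legacy AIO: there is no aio_kiocb to touch */
	req = container_of(iocb, struct aio_kiocb, rw);
	req->ki_cancel = fn;
	return 1;
}

static void demo_cancel(struct kiocb *iocb) { (void)iocb; }

/* Legacy AIO request: both versions locate the real aio_kiocb and its ki_ctx. */
static int aio_case_ok(void)
{
	struct kioctx ctx = { .id = 42 };
	struct aio_kiocb req = { .ki_ctx = &ctx, .ki_cancel = NULL,
				 .rw = { .ki_flags = IOCB_AIO_RW } };
	if (set_cancel_fn_buggy(&req.rw, demo_cancel) != (uintptr_t)&ctx ||
	    req.ki_cancel != demo_cancel)
		return 0;
	req.ki_cancel = NULL;
	return set_cancel_fn_fixed(&req.rw, demo_cancel) == 1 &&
	       req.ki_cancel == demo_cancel;
}

/* io_uring request with 0xA5 bytes in front of it: the buggy version reads
 * that pattern back as its kioctx pointer. */
static uintptr_t uring_case_buggy_ctx(void)
{
	struct io_rw_arena arena;
	memset(&arena, 0, sizeof(arena));	/* ki_flags == 0: owned by io_uring */
	memset(arena.preceding, 0xA5, sizeof(arena.preceding));
	return set_cancel_fn_buggy(&arena.rw.kiocb, demo_cancel);
}

/* Same request: the fixed version returns 0 without ever computing req. */
static int uring_case_fixed_ignored(void)
{
	struct io_rw_arena arena;
	memset(&arena, 0, sizeof(arena));
	return set_cancel_fn_fixed(&arena.rw.kiocb, demo_cancel) == 0;
}
```

In the kernel the memory in front of an io_uring request is not a controlled 0xA5 pattern but whatever the slab allocator placed there, so the equivalent of uring_case_buggy_ctx() yields an arbitrary pointer that the original code then dereferences as a struct kioctx; the only safe place for the "is this legacy AIO?" decision is before container_of() runs, as in set_cancel_fn_fixed().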