On 3/4/24 11:10, Eric Biggers wrote:
> If I understand correctly, this patch is supposed to fix a memory safety bug
> when kiocb_set_cancel_fn() is called on a kiocb that is owned by io_uring
> instead of legacy AIO. However, the kiocb still gets accessed as an aio_kiocb
> at the very beginning of the function, so it's still broken:
>
>     struct aio_kiocb *req = container_of(iocb, struct aio_kiocb, rw);
>     struct kioctx *ctx = req->ki_ctx;
Hi Eric,
Thanks for having reported this. I agree that this needs to be fixed.
> I'm also wondering why "ignore" is the right fix. The USB gadget driver sees
> that it has asynchronous I/O (kiocb::ki_complete != NULL) and then tries to set
> a cancellation function. What is the expected behavior when the I/O is owned by
> io_uring? Should it perhaps call into io_uring to set a cancellation function
> with io_uring? Or is the concept of cancellation functions indeed specific to
> legacy AIO, and nothing should be done with io_uring I/O?
As far as I know no Linux user space interface for submitting I/O
supports cancellation of read or write requests other than the AIO
io_cancel() system call.
It would make it easier to maintain the kernel if I/O cancellation
support were removed. However, there is existing user space code
that depends on USB I/O cancellation so I'm not sure how to proceed to
remove AIO io_cancel() support from the kernel.
Thanks,
Bart.
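To make the point in Eric's first paragraph concrete, below is an added userspace model of the problem; it is not kernel code and not the patch under discussion. The struct definitions are cut down to the fields the quoted lines touch, the IOCB_AIO_RW flag bit and the io_rw_like struct are assumptions constructed for the demo, and kiocb_set_cancel_fn_guarded() models the "check ownership on the kiocb before container_of()" approach rather than reproducing any specific commit. The unguarded variant performs the container_of() and the ki_ctx load from the quoted lines; when the kiocb is embedded in another owner's struct, that load returns whatever that owner keeps at the same offset.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal container_of() in the kernel's spirit. */
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

/* Assumed ownership flag: a bit in kiocb::ki_flags that only legacy AIO sets
 * on the requests it creates. Stand-in for the demo, not the kernel's define. */
#define IOCB_AIO_RW (1u << 0)

struct kiocb;
typedef void (*ki_complete_t)(struct kiocb *iocb, long ret);
typedef int (*kiocb_cancel_fn)(struct kiocb *iocb);

/* Only the fields the quoted code needs; the real struct kiocb has more. */
struct kiocb {
	unsigned int ki_flags;
	ki_complete_t ki_complete;
};

struct kioctx {
	int id;
};

/* Legacy AIO owner: the kiocb is embedded first, ki_ctx follows it. */
struct aio_kiocb {
	struct kiocb rw;
	struct kioctx *ki_ctx;
	kiocb_cancel_fn ki_cancel;
};

/* Another owner (io_uring-like, constructed for the demo): it also embeds the
 * kiocb first, but what follows is a user buffer address, not a kioctx pointer. */
struct io_rw_like {
	struct kiocb kiocb;
	uintptr_t addr;
	uint32_t len;
};

/* Before: the lookup quoted in the thread, done before any ownership check.
 * Returns the kioctx pointer the caller would go on to dereference. For a
 * kiocb that does not live inside an aio_kiocb this is type confusion: the
 * load reads whatever the real owner stores at that offset. */
static struct kioctx *aio_ctx_unguarded(struct kiocb *iocb)
{
	struct aio_kiocb *req = container_of(iocb, struct aio_kiocb, rw);

	return req->ki_ctx;
}

/* After: test ownership on the kiocb itself, before container_of(), so no
 * aio_kiocb field is touched for a foreign request. Returns 1 if the cancel
 * function was installed and 0 if the request was ignored. */
static int kiocb_set_cancel_fn_guarded(struct kiocb *iocb, kiocb_cancel_fn cancel)
{
	struct aio_kiocb *req;

	if (!(iocb->ki_flags & IOCB_AIO_RW))
		return 0;
	req = container_of(iocb, struct aio_kiocb, rw);
	req->ki_cancel = cancel;
	return 1;
}

/* True when aio_kiocb::ki_ctx and io_rw_like::addr sit at the same offset,
 * which is why the unguarded read hands back the user address as a kioctx. */
static int layouts_overlap(void)
{
	return offsetof(struct aio_kiocb, ki_ctx) == offsetof(struct io_rw_like, addr);
}

static int demo_cancel(struct kiocb *iocb)
{
	(void)iocb;
	return 0;
}

int main(void)
{
	struct kioctx ctx = { .id = 7 };
	struct aio_kiocb aio = { .rw = { .ki_flags = IOCB_AIO_RW }, .ki_ctx = &ctx };
	struct io_rw_like uring = { .kiocb = { .ki_flags = 0 }, .addr = 0x41414141u, .len = 4096 };

	printf("layouts overlap: %d\n", layouts_overlap());
	printf("aio ctx: %p (expected %p)\n", (void *)aio_ctx_unguarded(&aio.rw), (void *)&ctx);
	printf("io_uring 'ctx': %#lx (the user address, not a kioctx)\n",
	       (unsigned long)(uintptr_t)aio_ctx_unguarded(&uring.kiocb));
	printf("guarded: aio=%d io_uring=%d\n",
	       kiocb_set_cancel_fn_guarded(&aio.rw, demo_cancel),
	       kiocb_set_cancel_fn_guarded(&uring.kiocb, demo_cancel));
	return 0;
}
```

The point the model makes is the one Eric raises: the ownership check has to precede the container_of() conversion, because the conversion itself is harmless arithmetic but the first field read through the converted pointer is where the foreign object's memory is misread.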