Since the commit 1e23db450cff ("io_uring: use iter_ubuf for single range
imports") .read_iter() can be called with iov type ITER_UBUF.
In such case dup_iter() will correctly dup but it will not allocate
any memory. But callers ffs_epfile_read_iter and ep_read_iter treat
this as a failure.
Following patches address this by checking if iter_is_ubuf().
Without the fix, async IOs from io_uring will be returned with -ENOMEM.
Sandeep Dhavale (2):
usb: gadget: f_fs: Fix ffs_epfile_read_iter to handle ITER_UBUF
usb: gadgetfs: Fix ep_read_iter to handle ITER_UBUF
drivers/usb/gadget/function/f_fs.c | 2 +-
drivers/usb/gadget/legacy/inode.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--
2.40.0.348.gf938b09366-goog
iov_iter for ep_read_iter can be ITER_UBUF with io_uring.
In that case dup_iter() does not have to allocate iov and it can
return NULL. Fix the assumption by checking for iter_is_ubuf()
other wise ep_read_iter can treat this as failure and return -ENOMEM.
Fixes: 1e23db450cff ("io_uring: use iter_ubuf for single range imports")
Signed-off-by: Sandeep Dhavale <[email protected]>
---
drivers/usb/gadget/legacy/inode.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c
index d605bc2e7e8f..28249d0bf062 100644
--- a/drivers/usb/gadget/legacy/inode.c
+++ b/drivers/usb/gadget/legacy/inode.c
@@ -614,7 +614,7 @@ ep_read_iter(struct kiocb *iocb, struct iov_iter *to)
if (!priv)
goto fail;
priv->to_free = dup_iter(&priv->to, to, GFP_KERNEL);
- if (!priv->to_free) {
+ if (!iter_is_ubuf(&priv->to) && !priv->to_free) {
kfree(priv);
goto fail;
}
--
2.40.0.348.gf938b09366-goog
On 4/1/23 12:05?AM, Sandeep Dhavale wrote:
> Since the commit 1e23db450cff ("io_uring: use iter_ubuf for single range
> imports") .read_iter() can be called with iov type ITER_UBUF.
> In such case dup_iter() will correctly dup but it will not allocate
> any memory. But callers ffs_epfile_read_iter and ep_read_iter treat
> this as a failure.
>
> Following patches address this by checking if iter_is_ubuf().
> Without the fix, async IOs from io_uring will be returned with -ENOMEM.
Looks fine to me. The dup_iter() interface is somewhat unfortunate, as
it doesn't return an error pointer. Hence NULL can be failed or success,
depending on the type. Looks like cifs is the only other user of
dup_iter(), and that checks the type first. You could do something like
that too in the gadget code. Or we could fix the API... And it is kind
of silly calling into dup_iter() when you don't need it. But for now,
this will probably suffice:
Acked-by: Jens Axboe <[email protected]>
--
Jens Axboe