input/uring: safe cancellation

My concept with `class CancellableOperation` doesn't work properly,
because the kernel may continue to write to the given buffer as soon
as the read finishes.

To fix this, this commit adds `class ReadOperation` which owns the
buffer and the `struct iovec`.  Instances of this class persist until
the read really finishes, even if the operation is canceled.

src/io/uring/ReadOperation.cxx

@@ -0,0 +1,70 @@
+/*
+ * Copyright 2020 Max Kellermann <max.kellermann@gmail.com>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * - Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE
+ * FOUNDATION OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "ReadOperation.hxx"
+#include "Queue.hxx"
+#include "io/FileDescriptor.hxx"
+
+#include <cassert>
+
+namespace Uring {
+
+void
+ReadOperation::Start(Queue &queue, FileDescriptor fd, off_t offset,
+		     std::size_t size, ReadHandler &_handler) noexcept
+{
+	assert(!buffer);
+
+	handler = &_handler;
+
+	buffer = std::make_unique<std::byte[]>(size);
+
+	auto *s = queue.GetSubmitEntry();
+	assert(s != nullptr); // TODO: what if the submit queue is full?
+
+	iov.iov_base = buffer.get();
+	iov.iov_len = size;
+
+	io_uring_prep_readv(s, fd.Get(), &iov, 1, offset);
+	queue.Push(*s, *this);
+}
+
+void
+ReadOperation::OnUringCompletion(int res) noexcept
+{
+	if (handler == nullptr)
+		/* operation was canceled */
+		delete this;
+	else if (res >= 0)
+		handler->OnRead(std::move(buffer), res);
+	else
+		handler->OnReadError(-res);
+}
+
+} // namespace Uring

src/io/uring/ReadOperation.hxx

@@ -0,0 +1,88 @@
+/*
+ * Copyright 2020 Max Kellermann <max.kellermann@gmail.com>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * - Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * - Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the
+ * distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE
+ * FOUNDATION OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#pragma once
+
+#include "Operation.hxx"
+
+#include <cstddef>
+#include <memory>
+
+#include <sys/uio.h> // for struct iovec
+
+class FileDescriptor;
+
+namespace Uring {
+
+class Queue;
+
+class ReadHandler {
+public:
+	virtual void OnRead(std::unique_ptr<std::byte[]> buffer,
+			    std::size_t size) noexcept = 0;
+
+	/**
+	 * @param error an errno value
+	 */
+	virtual void OnReadError(int error) noexcept = 0;
+};
+
+/**
+ * Read into a newly allocated buffer.
+ *
+ * Instances of this class must be allocated with `new`, because
+ * cancellation will require this object (and the allocated buffer) to
+ * persist until the kernel completes the operation.
+ */
+class ReadOperation final : Operation {
+	ReadHandler *handler;
+
+	struct iovec iov;
+
+	std::unique_ptr<std::byte[]> buffer;
+
+public:
+	void Start(Queue &queue, FileDescriptor fd, off_t offset,
+		   std::size_t size, ReadHandler &_handler) noexcept;
+
+	/**
+	 * Cancel this operation.  This instance will be freed using
+	 * `delete` after the kernel has finished cancellation,
+	 * i.e. the caller resigns ownership.
+	 */
+	void Cancel() noexcept {
+		handler = nullptr;
+	}
+
+private:
+	/* virtual methods from class Operation */
+	void OnUringCompletion(int res) noexcept override;
+};
+
+} // namespace Uring

src/io/uring/meson.build

@@ -21,6 +21,7 @@ uring = static_library(
   'Ring.cxx',
   'Queue.cxx',
   'Operation.cxx',
+  'ReadOperation.cxx',
   include_directories: inc,
   dependencies: [
     liburing,