On 21/09/2020 00:13, David Laight wrote: > From: Arnd Bergmann >> Sent: 20 September 2020 21:49 >> >> On Sun, Sep 20, 2020 at 9:28 PM Andy Lutomirski <luto@xxxxxxxxxx> wrote: >>> On Sun, Sep 20, 2020 at 12:23 PM Matthew Wilcox <willy@xxxxxxxxxxxxx> wrote: >>>> >>>> On Sun, Sep 20, 2020 at 08:10:31PM +0100, Al Viro wrote: >>>>> IMO it's much saner to mark those and refuse to touch them from io_uring... >>>> >>>> Simpler solution is to remove io_uring from the 32-bit syscall list. >>>> If you're a 32-bit process, you don't get to use io_uring. Would >>>> any real users actually care about that? >>> >>> We could go one step farther and declare that we're done adding *any* >>> new compat syscalls :) >> >> Would you also stop adding system calls to native 32-bit systems then? >> >> On memory constrained systems (less than 2GB a.t.m.), there is still a >> strong demand for running 32-bit user space, but all of the recent Arm >> cores (after Cortex-A55) dropped the ability to run 32-bit kernels, so >> that compat mode may eventually become the primary way to run >> Linux on cheap embedded systems. >> >> I don't think there is any chance we can realistically take away io_uring >> from the 32-bit ABI any more now. > > Can't it just run requests from 32bit apps in a kernel thread that has > the 'in_compat_syscall' flag set? > Not that i recall seeing the code where it saves the 'compat' nature > of any requests. > > It is already completely f*cked if you try to pass the command ring > to a child process - it uses the wrong 'mm'. And how so? io_uring uses mm of a submitter. The exception is SQPOLL mode, but it requires CAP_SYS_ADMIN or CAP_SYS_NICE anyway. > I suspect there are some really horrid security holes in that area. > > David. > > - > Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK > Registration No: 1397386 (Wales) > -- Pavel Begunkov
