git.baikalelectronics.ru Git - kernel.git/commit

author	Luck, Tony <tony.luck@intel.com>
	Thu, 22 Feb 2018 17:15:06 +0000 (09:15 -0800)
committer	Linus Torvalds <torvalds@linux-foundation.org>
	Thu, 22 Feb 2018 18:21:02 +0000 (10:21 -0800)
commit	c2dc698f2c33d9084808de44b5e1d7485b8beb65
tree	d3635a816ed945d7790b0202b3b40d6785ac7c8b	tree \| snapshot
parent	9bc09c376caa3178b90c99760e0340ffde45f0b8	commit \| diff

efivarfs: Limit the rate for non-root to read files

Each read from a file in efivarfs results in two calls to EFI
(one to get the file size, another to get the actual data).

On X86 these EFI calls result in broadcast system management
interrupts (SMI) which affect performance of the whole system.
A malicious user can loop performing reads from efivarfs bringing
the system to its knees.

Linus suggested per-user rate limit to solve this.

So we add a ratelimit structure to "user_struct" and initialize
it for the root user for no limit. When allocating user_struct for
other users we set the limit to 100 per second. This could be used
for other places that want to limit the rate of some detrimental
user action.

In efivarfs if the limit is exceeded when reading, we take an
interruptible nap for 50ms and check the rate limit again.

Signed-off-by: Tony Luck <tony.luck@intel.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

fs/efivarfs/file.c		diff \| blob \| history
include/linux/sched/user.h		diff \| blob \| history
kernel/user.c		diff \| blob \| history