efivarfs: Limit the rate for non-root to read files

Each read from a file in efivarfs results in two calls to EFI (one to get the file size, another to get the actual data). On X86 these EFI calls result in broadcast system management interrupts (SMI) which affect performance of the whole system. A malicious user can loop performing reads from efivarfs bringing the system to its knees. Linus suggested per-user rate limit to solve this. So we add a ratelimit structure to "user_struct" and initialize it for the root user for no limit. When allocating user_struct for other users we set the limit to 100 per second. This could be used for other places that want to limit the rate of some detrimental user action. In efivarfs if the limit is exceeded when reading, we take an interruptible nap for 50ms and check the rate limit again. Signed-off-by: Tony Luck <tony.luck@intel.com> Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
author: Luck, Tony <tony.luck@intel.com> 2018-02-22 12:15:06 -0500
committer: Linus Torvalds <torvalds@linux-foundation.org> 2018-02-22 13:21:02 -0500
commit: bef3efbeb897b56867e271cdbc5f8adaacaeb9cd (patch)
tree: d3635a816ed945d7790b0202b3b40d6785ac7c8b
parent: 28128c61e08eaeced9cc8ec0e6b5d677b5b94690 (diff)
3 files changed, 13 insertions, 0 deletions
diff --git a/fs/efivarfs/file.c b/fs/efivarfs/file.c
index 5f22e74bbade..8e568428c88b 100644
--- a/fs/efivarfs/file.c
+++ b/fs/efivarfs/file.c
@@ -8,6 +8,7 @@
 */
 #include <linux/efi.h>
+#include <linux/delay.h>
 #include <linux/fs.h>
 #include <linux/slab.h>
 #include <linux/mount.h>
@@ -74,6 +75,11 @@ static ssize_t efivarfs_file_read(struct file *file, char __user *userbuf,
        ssize_t size = 0;
        int err;
+        while (!__ratelimit(&file->f_cred->user->ratelimit)) {
+                if (!msleep_interruptible(50))
+                        return -EINTR;
+        }
        err = efivar_entry_size(var, &datasize);
        /*
diff --git a/include/linux/sched/user.h b/include/linux/sched/user.h
index 0dcf4e480ef7..96fe289c4c6e 100644
--- a/include/linux/sched/user.h
+++ b/include/linux/sched/user.h
@@ -4,6 +4,7 @@
 #include <linux/uidgid.h>
 #include <linux/atomic.h>
+#include <linux/ratelimit.h>
 struct key;
@@ -41,6 +42,9 @@ struct user_struct {
    defined(CONFIG_NET)
        atomic_long_t locked_vm;
 #endif
+        /* Miscellaneous per-user rate limit */
+        struct ratelimit_state ratelimit;
 };
 extern int uids_sysfs_init(void);
diff --git a/kernel/user.c b/kernel/user.c
index 9a20acce460d..36288d840675 100644
--- a/kernel/user.c
+++ b/kernel/user.c
@@ -101,6 +101,7 @@ struct user_struct root_user = {
        .sigpending     = ATOMIC_INIT(0),
        .locked_shm     = 0,
        .uid            = GLOBAL_ROOT_UID,
+        .ratelimit      = RATELIMIT_STATE_INIT(root_user.ratelimit, 0, 0),
 };
 /*
@@ -191,6 +192,8 @@ struct user_struct *alloc_uid(kuid_t uid)
                new->uid = uid;
                atomic_set(&new->__count, 1);
+                ratelimit_state_init(&new->ratelimit, HZ, 100);
+                ratelimit_set_flags(&new->ratelimit, RATELIMIT_MSG_ON_RELEASE);
                /*
                 * Before adding this, check whether we raced
author	Luck, Tony <tony.luck@intel.com>	2018-02-22 12:15:06 -0500
committer	Linus Torvalds <torvalds@linux-foundation.org>	2018-02-22 13:21:02 -0500
commit	bef3efbeb897b56867e271cdbc5f8adaacaeb9cd (patch)
tree	d3635a816ed945d7790b0202b3b40d6785ac7c8b
parent	28128c61e08eaeced9cc8ec0e6b5d677b5b94690 (diff)