Skip to content

K
Kernel

openeuler / Kernel
大约 2 年 前同步成功

通知 8
Star 0
Fork 0
K
Kernel
提交 333730e4 编写于 作者: C Corey Minyard
浏览文件
操作

ipmi: Limit the number of message a user may have outstanding 

This way a rogue application can't use up a bunch of memory.

Based on work by Chen Guanqiao <chen.chenchacha@foxmail.com>

Cc: Chen Guanqiao <chen.chenchacha@foxmail.com>
Signed-off-by: NCorey Minyard <cminyard@mvista.com>
上级 8e76741c
隐藏空白更改
内联 并排
Showing with 21 addition and 0 deletion
drivers/char/ipmi/ipmi_msghandler.c
浏览文件 @ 333730e4
...@@ -151,6 +151,12 @@ module_param(max_users, uint, 0644); ...@@ -151,6 +151,12 @@ module_param(max_users, uint, 0644);
MODULE_PARM_DESC(max_users, MODULE_PARM_DESC(max_users,
"The most users that may use the IPMI stack at one time."); "The most users that may use the IPMI stack at one time.");
/* The default maximum number of message a user may have outstanding. */
static unsigned int max_msgs_per_user = 100;
module_param(max_msgs_per_user, uint, 0644);
MODULE_PARM_DESC(max_msgs_per_user,
"The most message a user may have outstanding.");
/* Call every ~1000 ms. */ /* Call every ~1000 ms. */
#define IPMI_TIMEOUT_TIME 1000 #define IPMI_TIMEOUT_TIME 1000
...@@ -193,6 +199,8 @@ struct ipmi_user { ...@@ -193,6 +199,8 @@ struct ipmi_user {
/* Does this interface receive IPMI events? */ /* Does this interface receive IPMI events? */
bool gets_events; bool gets_events;
atomic_t nr_msgs;
/* Free must run in process context for RCU cleanup. */ /* Free must run in process context for RCU cleanup. */
struct work_struct remove_work; struct work_struct remove_work;
}; };
...@@ -934,11 +942,13 @@ static int deliver_response(struct ipmi_smi *intf, struct ipmi_recv_msg *msg) ...@@ -934,11 +942,13 @@ static int deliver_response(struct ipmi_smi *intf, struct ipmi_recv_msg *msg)
* risk. At this moment, simply skip it in that case. * risk. At this moment, simply skip it in that case.
*/ */
ipmi_free_recv_msg(msg); ipmi_free_recv_msg(msg);
atomic_dec(&msg->user->nr_msgs);
} else { } else {
int index; int index;
struct ipmi_user *user = acquire_ipmi_user(msg->user, &index); struct ipmi_user *user = acquire_ipmi_user(msg->user, &index);
if (user) { if (user) {
atomic_dec(&user->nr_msgs);
user->handler->ipmi_recv_hndl(msg, user->handler_data); user->handler->ipmi_recv_hndl(msg, user->handler_data);
release_ipmi_user(user, index); release_ipmi_user(user, index);
} else { } else {
...@@ -1256,6 +1266,7 @@ int ipmi_create_user(unsigned int if_num, ...@@ -1256,6 +1266,7 @@ int ipmi_create_user(unsigned int if_num,
/* Note that each existing user holds a refcount to the interface. */ /* Note that each existing user holds a refcount to the interface. */
kref_get(&intf->refcount); kref_get(&intf->refcount);
atomic_set(&new_user->nr_msgs, 0);
kref_init(&new_user->refcount); kref_init(&new_user->refcount);
new_user->handler = handler; new_user->handler = handler;
new_user->handler_data = handler_data; new_user->handler_data = handler_data;
...@@ -2298,6 +2309,14 @@ static int i_ipmi_request(struct ipmi_user *user, ...@@ -2298,6 +2309,14 @@ static int i_ipmi_request(struct ipmi_user *user,
struct ipmi_recv_msg *recv_msg; struct ipmi_recv_msg *recv_msg;
int rv = 0; int rv = 0;
if (user) {
if (atomic_add_return(1, &user->nr_msgs) > max_msgs_per_user) {
/* Decrement will happen at the end of the routine. */
rv = -EBUSY;
goto out;
}
}
if (supplied_recv) if (supplied_recv)
recv_msg = supplied_recv; recv_msg = supplied_recv;
else { else {
...@@ -2369,6 +2388,8 @@ static int i_ipmi_request(struct ipmi_user *user, ...@@ -2369,6 +2388,8 @@ static int i_ipmi_request(struct ipmi_user *user,
rcu_read_unlock(); rcu_read_unlock();
out: out:
if (rv && user)
atomic_dec(&user->nr_msgs);
return rv; return rv;
} }
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册