1. 22 Feb, 2018 1 commit
    • Luck, Tony's avatar
      efivarfs: Limit the rate for non-root to read files · bef3efbe
      Luck, Tony authored
      Each read from a file in efivarfs results in two calls to EFI
      (one to get the file size, another to get the actual data).
      
      On X86 these EFI calls result in broadcast system management
      interrupts (SMI) which affect performance of the whole system.
      A malicious user can loop performing reads from efivarfs bringing
      the system to its knees.
      
      Linus suggested per-user rate limit to solve this.
      
      So we add a ratelimit structure to "user_struct" and initialize
      it for the root user for no limit. When allocating user_struct for
      other users we set the limit to 100 per second. This could be used
      for other places that want to limit the rate of some detrimental
      user action.
      
      In efivarfs if the limit is exceeded when reading, we take an
      interruptible nap for 50ms and check the rate limit again.
      Signed-off-by: default avatarTony Luck <tony.luck@intel.com>
      Acked-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      bef3efbe
  2. 07 May, 2016 1 commit
  3. 10 Feb, 2016 1 commit
  4. 22 Jan, 2016 1 commit
    • Al Viro's avatar
      wrappers for ->i_mutex access · 5955102c
      Al Viro authored
      parallel to mutex_{lock,unlock,trylock,is_locked,lock_nested},
      inode_foo(inode) being mutex_foo(&inode->i_mutex).
      
      Please, use those for access to ->i_mutex; over the coming cycle
      ->i_mutex will become rwsem, with ->lookup() done with it held
      only shared.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      5955102c
  5. 19 Nov, 2014 1 commit
  6. 04 Mar, 2014 1 commit
  7. 13 May, 2013 1 commit
    • Lingzhu Xiang's avatar
      efivarfs: Never return ENOENT from firmware again · 3fab70c1
      Lingzhu Xiang authored
      Previously in 1fa7e695 efi_status_to_err() translated firmware status
      EFI_NOT_FOUND to -EIO instead of -ENOENT for efivarfs operations to
      avoid confusion. After refactoring in e14ab23d, it is also used in other
      places where the translation may be unnecessary.
      
      So move the translation to efivarfs specific code. Also return EOF
      for reading zero-length files, which is what users would expect.
      
      Cc: Josh Boyer <jwboyer@redhat.com>
      Cc: Jeremy Kerr <jk@ozlabs.org>
      Cc: Lee, Chun-Yi <jlee@suse.com>
      Cc: Andy Whitcroft <apw@canonical.com>
      Signed-off-by: default avatarLingzhu Xiang <lxiang@redhat.com>
      Signed-off-by: default avatarMatt Fleming <matt.fleming@intel.com>
      3fab70c1
  8. 17 Apr, 2013 1 commit
    • Matt Fleming's avatar
      efivarfs: Move to fs/efivarfs · d68772b7
      Matt Fleming authored
      Now that efivarfs uses the efivar API, move it out of efivars.c and
      into fs/efivarfs where it belongs. This move will eventually allow us
      to enable the efivarfs code without having to also enable
      CONFIG_EFI_VARS built, and vice versa.
      
      Furthermore, things like,
      
          mount -t efivarfs none /sys/firmware/efi/efivars
      
      will now work if efivarfs is built as a module without requiring the
      use of MODULE_ALIAS(), which would have been necessary when the
      efivarfs code was part of efivars.c.
      
      Cc: Matthew Garrett <matthew.garrett@nebula.com>
      Cc: Jeremy Kerr <jk@ozlabs.org>
      Reviewed-by: default avatarTom Gundersen <teg@jklm.no>
      Tested-by: default avatarTom Gundersen <teg@jklm.no>
      Signed-off-by: default avatarMatt Fleming <matt.fleming@intel.com>
      d68772b7