diff options
| author | Corey Minyard <cminyard@mvista.com> | 2022-03-28 11:39:29 -0500 |
|---|---|---|
| committer | Corey Minyard <cminyard@mvista.com> | 2022-05-12 10:00:02 -0500 |
| commit | 333730e456fa67eaf6032c6371936fd4aca6cc62 (patch) | |
| tree | 3fba083977cb8f25bed8fcdf1bcf5ef8485e6221 /drivers/char/ipmi/ipmi_msghandler.c | |
| parent | 8e76741c3d8b20dfa2d6c30fa10ff927cfd93d82 (diff) | |
ipmi: Limit the number of message a user may have outstanding
This way a rogue application can't use up a bunch of memory.
Based on work by Chen Guanqiao <chen.chenchacha@foxmail.com>
Cc: Chen Guanqiao <chen.chenchacha@foxmail.com>
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Diffstat (limited to 'drivers/char/ipmi/ipmi_msghandler.c')
| -rw-r--r-- | drivers/char/ipmi/ipmi_msghandler.c | 21 |
1 files changed, 21 insertions, 0 deletions
diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c index 649bb270c43b..65a9e2629af1 100644 --- a/drivers/char/ipmi/ipmi_msghandler.c +++ b/drivers/char/ipmi/ipmi_msghandler.c @@ -151,6 +151,12 @@ module_param(max_users, uint, 0644); MODULE_PARM_DESC(max_users, "The most users that may use the IPMI stack at one time."); +/* The default maximum number of message a user may have outstanding. */ +static unsigned int max_msgs_per_user = 100; +module_param(max_msgs_per_user, uint, 0644); +MODULE_PARM_DESC(max_msgs_per_user, + "The most message a user may have outstanding."); + /* Call every ~1000 ms. */ #define IPMI_TIMEOUT_TIME 1000 @@ -193,6 +199,8 @@ struct ipmi_user { /* Does this interface receive IPMI events? */ bool gets_events; + atomic_t nr_msgs; + /* Free must run in process context for RCU cleanup. */ struct work_struct remove_work; }; @@ -934,11 +942,13 @@ static int deliver_response(struct ipmi_smi *intf, struct ipmi_recv_msg *msg) * risk. At this moment, simply skip it in that case. */ ipmi_free_recv_msg(msg); + atomic_dec(&msg->user->nr_msgs); } else { int index; struct ipmi_user *user = acquire_ipmi_user(msg->user, &index); if (user) { + atomic_dec(&user->nr_msgs); user->handler->ipmi_recv_hndl(msg, user->handler_data); release_ipmi_user(user, index); } else { @@ -1256,6 +1266,7 @@ int ipmi_create_user(unsigned int if_num, /* Note that each existing user holds a refcount to the interface. */ kref_get(&intf->refcount); + atomic_set(&new_user->nr_msgs, 0); kref_init(&new_user->refcount); new_user->handler = handler; new_user->handler_data = handler_data; @@ -2298,6 +2309,14 @@ static int i_ipmi_request(struct ipmi_user *user, struct ipmi_recv_msg *recv_msg; int rv = 0; + if (user) { + if (atomic_add_return(1, &user->nr_msgs) > max_msgs_per_user) { + /* Decrement will happen at the end of the routine. */ + rv = -EBUSY; + goto out; + } + } + if (supplied_recv) recv_msg = supplied_recv; else { @@ -2369,6 +2388,8 @@ out_err: rcu_read_unlock(); out: + if (rv && user) + atomic_dec(&user->nr_msgs); return rv; } |