This update amps up the security of the kernel lockdown feature with some cool tweaks:

1. Tightened things up to keep out unwanted changes to the lockdown settings. Think of it like locking the doors to your device.
2. Smoothed out any bumps in the road, making sure the system stays steady even when faced with unexpected inputs or hiccups.
3. Now, keeping a closer eye on things, log any changes to the lockdown state. It's like having a watchful guardian to keep your system safe.
4. Also set the default lockdown state to super secure mode, so your system starts off on the right foot every time.

These upgrades give your system an extra layer of protection, like adding a secret passcode to your favorite game. Stay safe out there!
ElectroPerf pushed a commit to aospa-pong/msm-5.10 that referenced this pull request on Jun 16, 2024:
[ Upstream commit f8bbc07ac535593139c875ffa19af924b1084540 ]

vhost_worker will call tun callbacks to receive packets. If too many
illegal packets arrive, tun_do_read will keep dumping packet contents.
When console is enabled, it will cost much more cpu time to dump
packets and soft lockup will be detected.

net_ratelimit mechanism can be used to limit the dumping rate.

PID: 33036 TASK: ffff949da6f20000 CPU: 23 COMMAND: "vhost-32980"
 #0 [fffffe00003fce50] crash_nmi_callback at ffffffff89249253
 #1 [fffffe00003fce58] nmi_handle at ffffffff89225fa3
 #2 [fffffe00003fceb0] default_do_nmi at ffffffff8922642e
 #3 [fffffe00003fced0] do_nmi at ffffffff8922660d
 #4 [fffffe00003fcef0] end_repeat_nmi at ffffffff89c01663
    [exception RIP: io_serial_in+20]
    RIP: ffffffff89792594  RSP: ffffa655314979e8  RFLAGS: 00000002
    RAX: ffffffff89792500  RBX: ffffffff8af428a0  RCX: 0000000000000000
    RDX: 00000000000003fd  RSI: 0000000000000005  RDI: ffffffff8af428a0
    RBP: 0000000000002710   R8: 0000000000000004   R9: 000000000000000f
    R10: 0000000000000000  R11: ffffffff8acbf64f  R12: 0000000000000020
    R13: ffffffff8acbf698  R14: 0000000000000058  R15: 0000000000000000
    ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
 #5 [ffffa655314979e8] io_serial_in at ffffffff89792594
 #6 [ffffa655314979e8] wait_for_xmitr at ffffffff89793470
 #7 [ffffa65531497a08] serial8250_console_putchar at ffffffff897934f6
 #8 [ffffa65531497a20] uart_console_write at ffffffff8978b605
 #9 [ffffa65531497a48] serial8250_console_write at ffffffff89796558
#10 [ffffa65531497ac8] console_unlock at ffffffff89316124
#11 [ffffa65531497b10] vprintk_emit at ffffffff89317c07
#12 [ffffa65531497b68] printk at ffffffff89318306
#13 [ffffa65531497bc8] print_hex_dump at ffffffff89650765
#14 [ffffa65531497ca8] tun_do_read at ffffffffc0b06c27 [tun]
#15 [ffffa65531497d38] tun_recvmsg at ffffffffc0b06e34 [tun]
#16 [ffffa65531497d68] handle_rx at ffffffffc0c5d682 [vhost_net]
#17 [ffffa65531497ed0] vhost_worker at ffffffffc0c644dc [vhost]
#18 [ffffa65531497f10] kthread at ffffffff892d2e72
#19 [ffffa65531497f50] ret_from_fork at ffffffff89c0022f

Fixes: ef3db4a ("tun: avoid BUG, dump packet on GSO errors")
Signed-off-by: Lei Chen <[email protected]>
Reviewed-by: Willem de Bruijn <[email protected]>
Acked-by: Jason Wang <[email protected]>
Reviewed-by: Eric Dumazet <[email protected]>
Acked-by: Michael S. Tsirkin <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
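The referenced commit stops a flood of malformed packets from pinning the vhost worker in console output by gating the dump on net_ratelimit(). The following is an added example, not code from the kernel or from this pull request: a user-space model of the kernel's ratelimit_state / __ratelimit() token bucket, driven by a fake jiffies clock, that counts how many dumps a flood of bad packets would still produce under the net_ratelimit() defaults (5 second window, 10 messages; HZ=1000 is assumed so the window is 5000 jiffies). The struct and function names mirror the kernel's but are reimplemented here.

```c
#include <stdbool.h>
#include <stdio.h>
/* User-space model of the kernel's struct ratelimit_state (assumed, not kernel code). */
struct ratelimit_state {
    unsigned long begin; /* start of the current window, in fake jiffies */
    int interval;        /* window length in jiffies; <= 0 disables limiting */
    int burst;           /* events allowed per window */
    int printed, missed; /* allowed / suppressed so far in this window */
};

/* Same decision logic as __ratelimit(): allow up to `burst` events per `interval`
 * and report how many were suppressed when a new window starts. */
static bool ratelimit_allow(struct ratelimit_state *rs, unsigned long now)
{
    if (rs->interval <= 0)
        return true;
    if (rs->begin == 0)
        rs->begin = now;
    if (now - rs->begin >= (unsigned long)rs->interval) {
        if (rs->missed)
            printf("ratelimit: %d callbacks suppressed\n", rs->missed);
        rs->begin = now;
        rs->printed = rs->missed = 0;
    }
    if (rs->printed < rs->burst) {
        rs->printed++;
        return true;
    }
    rs->missed++;
    return false;
}

/* Flood of `npackets` malformed packets arriving `step` jiffies apart, with the dump
 * gated the way the fix gates print_hex_dump() on net_ratelimit(). Returns how many
 * dumps would still reach the console. */
static int dumps_with_ratelimit(int npackets, unsigned long step, int interval, int burst)
{
    struct ratelimit_state rs = { .interval = interval, .burst = burst };
    int dumped = 0;
    for (int i = 0; i < npackets; i++)
        if (ratelimit_allow(&rs, 1 + (unsigned long)i * step))
            dumped++;
    return dumped;
}

int main(void)
{
    /* 100000 back-to-back bad packets: unlimited would dump all of them. */
    printf("ratelimited dumps: %d of 100000\n", dumps_with_ratelimit(100000, 1, 5000, 10));
    return 0;
}
```

With the defaults, 100000 back-to-back bad packets produce 200 dumps (10 per 5000-jiffy window over 20 windows) instead of 100000, which is the bound that keeps the serial console from monopolising the CPU.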
vagabond2522 approved these changes on Jan 1, 2025.
vagabond2522 approved these changes on Jan 1, 2025.
vagabond2522 approved these changes on Jan 1, 2025.
vagabond2522 approved these changes on Jun 8, 2025.