linux-kernel.vger.kernel.org archive mirror
From: Javier Martinez Canillas <javier.martinez@collabora.co.uk>
To: David Lamparter <equinox@diac24.net>
Cc: Rodrigo Moya <rodrigo.moya@collabora.co.uk>,
	David Miller <davem@davemloft.net>,
	javier@collabora.co.uk, eric.dumazet@gmail.com,
	lennart@poettering.net, kay.sievers@vrfy.org,
	alban.crequy@collabora.co.uk, bart.cerneels@collabora.co.uk,
	sjoerd.simons@collabora.co.uk, netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH 0/10] af_unix: add multicast and filtering features to AF_UNIX
Date: Tue, 28 Feb 2012 17:33:04 +0100
Message-ID: <4F4D01C0.3050808@collabora.co.uk>
In-Reply-To: <4F4CF1BF.7080503@collabora.co.uk>

On 02/28/2012 04:24 PM, Javier Martinez Canillas wrote:
> On 02/28/2012 03:28 PM, David Lamparter wrote:
>> On Tue, Feb 28, 2012 at 11:47:39AM +0100, Rodrigo Moya wrote:
>>> > - slow readers: dropping packets vs blocking the sender. Although
>>> >   datagrams are not reliable on IP, datagrams on Unix sockets are
>>> >   never lost. So if one receiver has its buffer full the sender is
>>> >   blocked instead of dropping packets. That way we guarantee a
>>> >   reliable communication channel.
>> 
>> This sounds like a terribly nice way to f*ck the entire D-Bus system by
>> having one broken (or malicious) desktop application. What's the
>> intended way of coping with users that block the socket by not reading?
>> 
>> 
>> -David L.
> 
> The problem is that D-bus expects a reliable transport method (TCP or
> SOCK_STREAM Unix socks) but this is not the case with multicast Unix
> sockets. Since our implementation is for SOCK_SEQPACKET and SOCK_DGRAM
> socket types.
> 
> So, you have to either add another layer to the D-bus protocol to make
> it reliable (acks, retransmissions, flow control, etc) or avoid losing
> D-bus messages (by blocking the sender if one of the receivers has its
> buffer full).
> 

Also, this problem exists with the current D-bus implementation. If a
malicious desktop application doesn't read its socket then the messages
sent to it will be buffered in the daemon:
https://bugs.freedesktop.org/show_bug.cgi?id=33606

dbus-daemon memory usage will balloon until the
max_incoming_bytes/max_outgoing_bytes limit is reached (1GB for the
session bus in the default configuration)

<limit name="max_incoming_bytes">1000000000</limit>
<limit name="max_outgoing_bytes">1000000000</limit>

It only works because not many applications are broken and user-space
memory is virtualized. But if you bypass the daemon and use a multicast
transport layer (as in our multicast Unix socket implementation) you
don't have that much memory to buffer the packets.

So you have to either block the senders or:

- drop the slow reader
- kill the spammer
- have an infinite amount of memory

Regards,
Javier
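
Added example, not part of the original message or the patch series: the backpressure discussed in this thread, shown on an ordinary (non-multicast) AF_UNIX SOCK_DGRAM socket pair on Linux. A reader that never reads causes the sender to get EAGAIN rather than having datagrams dropped, and every accepted datagram is later delivered in order. The names `bp_result` and `unix_dgram_backpressure` are illustrative.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

struct bp_result {      /* illustrative names, not from the patch series */
    int queued;         /* datagrams accepted before the sender got EAGAIN */
    int resumed;        /* 1 if a send succeeded once the reader took one */
    int delivered;      /* datagrams read back in sending order */
};

/* Fill a socket pair whose receiver never reads, then drain it.
 * Returns the total number of datagrams accepted, or -1 on error. */
int unix_dgram_backpressure(struct bp_result *r)
{
    int sv[2], seq = 0, got, rc = -1;
    *r = (struct bp_result){0};
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
        return -1;
    /* Non-blocking: a full queue shows up as EAGAIN instead of a hang. */
    fcntl(sv[0], F_SETFL, O_NONBLOCK);
    fcntl(sv[1], F_SETFL, O_NONBLOCK);
    errno = 0;
    while (seq < 1000000 && send(sv[0], &seq, sizeof(seq), 0) > 0)
        seq++;                  /* sv[1], the slow reader, reads nothing */
    if (errno != EAGAIN && errno != EWOULDBLOCK)
        goto out;               /* queue never filled, or another error */
    r->queued = seq;
    /* Drain in order; after the first read the sender has room again. */
    while (recv(sv[1], &got, sizeof(got), 0) == (ssize_t)sizeof(got)) {
        if (got != r->delivered++)
            goto out;           /* a datagram was lost or reordered */
        if (r->delivered == 1 && send(sv[0], &seq, sizeof(seq), 0) > 0) {
            r->resumed = 1;
            seq++;
        }
    }
    rc = seq;
out:
    close(sv[0]); close(sv[1]);
    return rc;
}

int main(void)
{
    struct bp_result r;
    int total = unix_dgram_backpressure(&r);
    printf("accepted=%d queued=%d resumed=%d delivered=%d\n", total, r.queued, r.resumed, r.delivered);
    return total < 0;
}
```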
