From: Javier Martinez Canillas <javier.martinez@collabora.co.uk>
To: David Lamparter <equinox@diac24.net>
Cc: Rodrigo Moya <rodrigo.moya@collabora.co.uk>,
	David Miller <davem@davemloft.net>,
	javier@collabora.co.uk, eric.dumazet@gmail.com,
	lennart@poettering.net, kay.sievers@vrfy.org,
	alban.crequy@collabora.co.uk, bart.cerneels@collabora.co.uk,
	sjoerd.simons@collabora.co.uk, netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH 0/10] af_unix: add multicast and filtering features to AF_UNIX
Date: Tue, 28 Feb 2012 17:33:04 +0100
Message-ID: <4F4D01C0.3050808@collabora.co.uk>
In-Reply-To: <4F4CF1BF.7080503@collabora.co.uk>

On 02/28/2012 04:24 PM, Javier Martinez Canillas wrote:
> On 02/28/2012 03:28 PM, David Lamparter wrote:
>> On Tue, Feb 28, 2012 at 11:47:39AM +0100, Rodrigo Moya wrote:
>>> > - slow readers: dropping packets vs blocking the sender. Although
>>> >   datagrams are not reliable on IP, datagrams on Unix sockets are
>>> >   never lost. So if one receiver has its buffer full the sender is
>>> >   blocked instead of dropping packets. That way we guarantee a
>>> >   reliable communication channel.
>> 
>> This sounds like a terribly nice way to f*ck the entire D-Bus system by
>> having one broken (or malicious) desktop application. What's the
>> intended way of coping with users that block the socket by not reading?
>> 
>> 
>> -David L.
> 
> The problem is that D-bus expects a reliable transport method (TCP or
> SOCK_STREAM Unix socks) but this is not the case with multicast Unix
> sockets, since our implementation is for SOCK_SEQPACKET and SOCK_DGRAM
> socket types.
> 
> So, you have to either add another layer to the D-bus protocol to make
> it reliable (acks, retransmissions, flow control, etc) or avoid losing
> D-bus messages (by blocking the sender if one of the receivers has its
> buffer full).
> 

Also, this problem exists with the current D-bus implementation. If a
malicious desktop application doesn't read its socket then the messages
sent to it will be buffered in the daemon:
https://bugs.freedesktop.org/show_bug.cgi?id=33606

dbus-daemon memory usage will balloon until the
max_incoming_bytes/max_outgoing_bytes limit is reached (1GB for the
session bus in the default configuration):

<limit name="max_incoming_bytes">1000000000</limit>
<limit name="max_outgoing_bytes">1000000000</limit>

It only works because not many applications are broken and user-space
memory is virtualized. But if you bypass the daemon and use a multicast
transport layer (as in our multicast Unix socket implementation) you
don't have that much memory to buffer the packets.

So you have to either block the senders or:

- drop the slow reader
- kill the spammer
- have an infinite amount of memory

Regards,
Javier
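
Added example (not part of the original message or of the patch series):
the existing AF_UNIX behaviour discussed above, shown on a plain SOCK_DGRAM
socketpair on Linux. A reader that never reads stalls the sender (EAGAIN with
MSG_DONTWAIT) rather than losing datagrams, and a single read frees room
again. The function names and the 64-byte payload are assumptions of this
example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define MSG_LEN 64 /* constructed payload size, an assumption */

/* Queue datagrams without blocking until the kernel refuses (EAGAIN).
 * Returns how many were accepted, or -1 on an unexpected error. */
static int fill_until_blocked(int fd)
{
    char msg[MSG_LEN];
    int sent = 0;
    memset(msg, 'x', sizeof(msg));
    for (;;) {
        ssize_t n = send(fd, msg, sizeof(msg), MSG_DONTWAIT);
        if (n == MSG_LEN) { sent++; continue; }
        if (n < 0 && (errno == EAGAIN || errno == EWOULDBLOCK)) return sent;
        return -1;
    }
}

/* Returns 0 when the sender stalled, one read unblocked it, and every
 * accepted datagram was delivered; *queued gets the stall point. */
int demo_backpressure(int *queued)
{
    int sv[2], rest = 0, rc = 0;
    char buf[MSG_LEN];
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0) return -1;
    *queued = fill_until_blocked(sv[0]);      /* sv[1] never reads */
    if (*queued <= 0) rc = -2;
    else if (recv(sv[1], buf, sizeof(buf), MSG_DONTWAIT) != MSG_LEN) rc = -3;
    else if (send(sv[0], buf, sizeof(buf), MSG_DONTWAIT) != MSG_LEN) rc = -4;
    else {
        while (recv(sv[1], buf, sizeof(buf), MSG_DONTWAIT) > 0) rest++;
        if (rest != *queued) rc = -5;         /* queued - 1 read + 1 sent */
    }
    close(sv[0]);
    close(sv[1]);
    return rc;
}

int main(void)
{
    int queued = 0, rc = demo_backpressure(&queued);
    printf("rc=%d, sender stalled after %d datagrams\n", rc, queued);
    return rc ? 1 : 0;
}
```

The stall point depends on the sender's SO_SNDBUF and on
net.unix.max_dgram_qlen, so the printed count varies between systems.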
