Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755930AbcJZTkM (ORCPT ); Wed, 26 Oct 2016 15:40:12 -0400 Received: from mail-oi0-f41.google.com ([209.85.218.41]:36118 "EHLO mail-oi0-f41.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755762AbcJZTkI (ORCPT ); Wed, 26 Oct 2016 15:40:08 -0400 MIME-Version: 1.0 In-Reply-To: <20161026191810.12275-1-dh.herrmann@gmail.com> References: <20161026191810.12275-1-dh.herrmann@gmail.com> From: Linus Torvalds Date: Wed, 26 Oct 2016 12:39:54 -0700 X-Google-Sender-Auth: DQu3SoedR9Dv-OyjjljJuLe5tRM Message-ID: Subject: Re: [RFC v1 00/14] Bus1 Kernel Message Bus To: David Herrmann Cc: Linux Kernel Mailing List , Andy Lutomirski , Jiri Kosina , Greg KH , Hannes Reinecke , Steven Rostedt , Arnd Bergmann , Tom Gundersen , Josh Triplett , Andrew Morton Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1605 Lines: 33 So the thing that tends to worry me about these is resource management. If I understood the documentation correctly, this has per-user resource management, which guarantees that at least the system won't run out of memory. Good. The act of sending a message transfers the resource to the receiver end. Fine. However, the usual problem ends up being that a bad user can basically DoS a system agent, especially since for obvious performance reasons the send/receive has to be asynchronous. So the usual DoS model is that some user just sends a lot of messages to a system agent, filling up the system agent resource quota, and basically killing the system. No, it didn't run out of memory, but the system agent may not be able to do anything more, since it is now out of resources. Keeping the resource management with the sender doesn't solve the problem, it just reverses it: now the attack will be to send a lot of queries to the system agent, but then just refuse to listen to the replies - again causing the system agent to run out of resources. Usually the way this is resolved this is by forcing a "request-and-reply" resource management model, where the person who sends out a request is not only the one who is accounted for the request, but also accounted for the reply buffer. That way the system agent never runs out of resources, because it's always the requesting party that has its resources accounted, never the system agent. You may well have solved this, but can you describe what the solution is without forcing people to read the code and try to analyze it? Linus