Received: by 10.223.185.116 with SMTP id b49csp1133003wrg; Wed, 21 Feb 2018 12:42:18 -0800 (PST) X-Google-Smtp-Source: AH8x226ySWbL1847V2ubRMEhHFXIyyEv0Xwy/KtRR8iQHKiHpK9hww5frfzCG/ItaRVInAkCQuPy X-Received: by 2002:a17:902:8487:: with SMTP id c7-v6mr4223563plo.7.1519245738219; Wed, 21 Feb 2018 12:42:18 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1519245738; cv=none; d=google.com; s=arc-20160816; b=DwgV62HRoIZ1cmsTd8Kg6sOprgaVWK3Hf1M6rDeHGrc+NHEV8CCdNO2h31aO0cFUFT 4xAx5mDLUK7tBifKHp4kGEApejckqZWkUYlFXxcdnf76o2MExlVCx6ZGEZPPwO30siEA GXvWH6xtgQLkdR8heY62CmUc5O8o1+AMElvkc45Dziyf/SD4PsJ4OJY6gdc18G268BQJ lBAzeeN6Z2T6Yt6aHLNiu8vr9alDNjWZ1Wc7jNoRY+goeDoWzwD/ewEYUmE93gT4FF7D ZKAowYzFtVzsqCyHGoyfDrkyqjjo5fHX/0T33kjimOmyjYitmZw1oU/1HURJn1iEezur cDqQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=vegs/eCJ+qSi2ymCwiz9D9/P5nl2fQoeHvZb1Os6fVE=; b=tz+Blh0oHUpPkQ4TJZe7f5x1ETqBPHkPXHkfgMoLMTOXC48kgtWtdy+PtHGtGGZfOO 1oWDZxTxm2NJuvZMpgpWg9BmUmv6kpKF3X2EY3B5Ca6/AsXudYUJKxVnNAjXhssvo/Z/ sE9VS58qjs7uLbApDrwio5EooqgMPhyWCdgQVAyn5EQlDonVuWUzFuZxoDowtpdjpZS2 PljqGtpsBeeftOuOfwY9AhwxYHl+Wv6uRr9aTuxNQs6IF6fY1QHnTA/RvkdSBhk64lLM XfnatVAesIyK89ScbIHLcU6X0yNKdsvmCOMmJC1DQ1MOH+xyN8CKqfL+JJeu2DYPoA+D o9QQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=mB/JDTvK; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id n8-v6si267251pls.231.2018.02.21.12.41.59; Wed, 21 Feb 2018 12:42:18 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=mB/JDTvK; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751346AbeBUUkw (ORCPT + 99 others); Wed, 21 Feb 2018 15:40:52 -0500 Received: from mail-io0-f172.google.com ([209.85.223.172]:41612 "EHLO mail-io0-f172.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750786AbeBUUku (ORCPT ); Wed, 21 Feb 2018 15:40:50 -0500 Received: by mail-io0-f172.google.com with SMTP id e4so3539780iob.8; Wed, 21 Feb 2018 12:40:50 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=vegs/eCJ+qSi2ymCwiz9D9/P5nl2fQoeHvZb1Os6fVE=; b=mB/JDTvKdmHLadbXL9Ixi5bBNyAcGDwVWifC6A+FG+5SrmcTgYnMzpHY/0XN1R+378 VL+w4WctL77bWIjaV+8rm9wl8ro0+u4BAn9Ik2aSNtblluOpJpYpAkYsAl1+pcRIjZz5 eub3cPSOAJhbAnjCm7Xgl1/z1KS3hJ5E+M5h+9bMoDiVB+eIJOPB8dnZCbJqR4RVY9id XBzzVbCmvFFfOMxRFd78LfjIx8QdnjKZOpahDGy2Oz3r8/qvktxssIPpKm5nazv9XFSa MBAwh1fEf5sSaTtNqKvfNV47SLi5jNuCfgpGppNE+GKZ4gW0dkpiUi2J3HJiXY6MXVln RREQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=vegs/eCJ+qSi2ymCwiz9D9/P5nl2fQoeHvZb1Os6fVE=; b=lbKxMVEk0D81bMsvwCVsELbIjJ5CUDQ0XgfQLlfKnHB6RphBOMNzq2QHVbzoWsKon4 CaIZEg+bsMJAfnjoRRvSxtdmCxEhbq0OeuDoJPKQwh4eJQOlrxj/TflfkoORU2aHhp+v eVU8PasD6kBrPa4sYhsdv+VAz4P82GQSXSGkhTzmxx1lRxr7AoL+2E6o2BIZS74KdzRR nZwuO9DtBQxqVZ+LtE/1mE4IJ89neVMUDQwJhfpws2wugCqsD2U0uiPVp8c7UmA5yC4Q q6dIIbtc0tg19hL9gn9+moQ4xv6jWjpEdYiAbbQojgZvdUOy7XAh2rgJu5imKkjPmrq6 nyew== X-Gm-Message-State: APf1xPAv9HxKaUfcdLiy35MJJuMz3EToEPt21iSkACJlz5FSbsOKsxSv L9OsTzCNpHJuHvzDtwOA7ekZPFVwqvsRA34q0dA= X-Received: by 10.107.12.213 with SMTP id 82mr5795037iom.48.1519245649355; Wed, 21 Feb 2018 12:40:49 -0800 (PST) MIME-Version: 1.0 Received: by 10.107.135.221 with HTTP; Wed, 21 Feb 2018 12:40:48 -0800 (PST) In-Reply-To: <3908561D78D1C84285E8C5FCA982C28F7B37F130@ORSMSX110.amr.corp.intel.com> References: <6680a760-eb30-4daf-2dad-a9628f1c15a8@kernel.org> <20180220211849.fqjb6rdmypl6opir@agluck-desk> <20180220233008.55rfm7zw62hrao5p@agluck-desk> <3908561D78D1C84285E8C5FCA982C28F7B37DE1B@ORSMSX110.amr.corp.intel.com> <20180221182104.GI3231@tassilo.jf.intel.com> <20180221194731.t7jowrmicvaggu3x@agluck-desk> <3908561D78D1C84285E8C5FCA982C28F7B37F130@ORSMSX110.amr.corp.intel.com> From: Linus Torvalds Date: Wed, 21 Feb 2018 12:40:48 -0800 X-Google-Sender-Auth: YRQyTjqRwBUWthmIdpRK0y3Hkbw Message-ID: Subject: Re: [PATCH 1/2] fs/efivarfs: restrict inode permissions To: "Luck, Tony" Cc: Andi Kleen , Ard Biesheuvel , Joe Konno , "linux-efi@vger.kernel.org" , Linux Kernel Mailing List , Jeremy Kerr , Matthew Garrett , Peter Jones , Andy Lutomirski , James Bottomley Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Feb 21, 2018 at 11:58 AM, Luck, Tony wrote: > > How are you envisioning this rate-limiting to be implemented? Are > you going to fail an EFI call if the rate is too high? I'm thinking that > we just add a delay to each call so that we can't exceed the limit. Delaying sounds ok, I guess. But the "obvious" implementation may be simple: static void efi_ratelimit(void) { static DEFINE_RATELIMIT_STATE(ratelimit, HZ, 100); if (!__ratelimit(&ratelimit)) msleep(10); } } but the above is actually completely broken. Why? If you have multiple processes, they can each only do a hundred per second, but globally they can do millions per second by just having a few thousand threads. They all sleep, but.. So how do you restrict it *globally*? If you put this all inside a lock like a mutex, you can generate basically arbitrary delays, and you're back to the DoS schenario. A fair lock will allow thousands of waiters to line up and make the delay be But maybe I'm missing some really obvious way. You *can* make the msleep be a spinning wait instead, and rely on the scheduler, I guess. Or maybe I'm just stupid and am overlooking the obvious case. Again, making the ratelimiting be per-user makes all of these issues go away. Then one user cannot delay another one. Linus