In-Reply-To: <20180222014505.2l76ccrrs36y3b26@agluck-desk>
References: <3908561D78D1C84285E8C5FCA982C28F7B37DE1B@ORSMSX110.amr.corp.intel.com> <20180221182104.GI3231@tassilo.jf.intel.com> <20180221194731.t7jowrmicvaggu3x@agluck-desk> <3908561D78D1C84285E8C5FCA982C28F7B37F130@ORSMSX110.amr.corp.intel.com> <20180222014505.2l76ccrrs36y3b26@agluck-desk>
From: Linus Torvalds
Date: Wed, 21 Feb 2018 17:58:37 -0800
Subject: Re: [PATCH] efivarfs: Limit the rate for non-root to read files
To: "Luck, Tony"
Cc: Andi Kleen, Ard Biesheuvel, Joe Konno, linux-efi@vger.kernel.org, Linux Kernel Mailing List, Jeremy Kerr, Matthew Garrett, Peter Jones, Andy Lutomirski, James Bottomley
List-ID: linux-kernel@vger.kernel.org

On Wed, Feb 21, 2018 at 5:45 PM, Luck, Tony wrote:
>
> Linus suggested per-user rate limit to solve this.

Note that you also need to serialize per user, because otherwise..

> +	if (!__ratelimit(&file->f_cred->user->ratelimit))
> +		usleep_range(10000, 10000);

..this doesn't really ratelimit anything, because you can just start a thousand threads, and they all end up being rate-limited, but they all just sleep for 10ms each, so you can get a hundred thousand accesses per second anyway.
To fix that, you can either:

 - just make it return -EAGAIN instead of sleeping (which probably just works fine and doesn't break anything and is simple)

 - add a per-user mutex, and do the usleep inside of it, so that anybody who tries to do a thousand threads will just be serialized by the mutex.

Note that the mutex needs to be per-user, because otherwise it will be a DoS for the other users.

Of course, to avoid *another* DoS, the mutex should probably be interruptible, and return -EAGAIN, so that you don't have a thousand threads waiting for the mutex and have something that is effectively unkillable for ten seconds.

Can it be hard and annoying to avoid DoS by rate limiting? Why, yes. Yes it can.

                Linus
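The arithmetic in the message above can be checked with a small model. The following is an added illustration, not code from this thread, from the efivarfs patch, or from the kernel: a single-threaded, deterministic discrete-event simulation of one user driving many readers against a per-user limiter, under the four behaviours discussed (the patch's sleep-then-proceed, plain -EAGAIN, a per-user mutex that returns -EAGAIN when held, and a per-user mutex that blocks). The limiter mirrors the shape of the kernel's ratelimit_state (a burst per interval) but is a simplified user-space re-implementation; the thread count, the 10-event burst, the 1 ms retry delay and the FIFO mutex order are assumptions chosen for the illustration.

```c
/*
 * Added example, not from the thread or the kernel: a deterministic model of
 * the rate-limit variants discussed. Time is virtual (microseconds), so no
 * real sleeping happens and the results are reproducible.
 */
#include <stdio.h>
#include <stdbool.h>

#define NTHREADS    100         /* assumed: concurrent readers owned by one user */
#define SLEEP_US    10000L      /* the usleep_range(10000, 10000) from the patch */
#define RETRY_US    1000L       /* assumed: how fast a thread retries after -EAGAIN */
#define DURATION_US 1000000L    /* simulate one second */

/* Same shape as the kernel's ratelimit_state: 'burst' events per 'interval'. */
struct ratelimit { long interval_us; int burst; long begin_us; int used; };

/* __ratelimit()-style check (simplified): true means within the burst. */
static bool ratelimit_ok(struct ratelimit *rs, long now)
{
    if (now - rs->begin_us >= rs->interval_us) {
        rs->begin_us = now;
        rs->used = 0;
    }
    if (rs->used < rs->burst) {
        rs->used++;
        return true;
    }
    return false;
}

enum policy {
    POLICY_SLEEP,        /* patch as posted: sleep 10 ms, then read anyway */
    POLICY_EAGAIN,       /* option 1: fail the read with -EAGAIN */
    POLICY_MUTEX_EAGAIN, /* option 2, interruptible: -EAGAIN while the mutex is held */
    POLICY_MUTEX_WAIT    /* option 2, blocking: queue on the held mutex */
};

struct thread { long next_us; long wait_since; bool waiting; };
struct result { long accesses; long max_wait_us; };

/* Discrete-event simulation: one user, NTHREADS readers, one virtual clock. */
static struct result simulate(enum policy p, int burst)
{
    struct ratelimit rs = { DURATION_US, burst, 0, 0 };
    struct thread th[NTHREADS] = { { 0, 0, false } };
    long mutex_free_at = 0;             /* per-user mutex is held until this time */
    struct result r = { 0, 0 };

    for (;;) {
        /* Next event: earliest time; ties go to the longest waiter (FIFO mutex). */
        int i = 0;
        for (int k = 1; k < NTHREADS; k++)
            if (th[k].next_us < th[i].next_us ||
                (th[k].next_us == th[i].next_us && th[k].wait_since < th[i].wait_since))
                i = k;
        struct thread *t = &th[i];
        long now = t->next_us;
        if (now >= DURATION_US)
            break;

        if (!t->waiting) {
            if (ratelimit_ok(&rs, now)) {           /* within the burst: read now */
                r.accesses++;
                t->next_us = t->wait_since = now + RETRY_US;
                continue;
            }
            if (p == POLICY_SLEEP) {                /* threads sleep in parallel; read still happens */
                r.accesses++;
                t->next_us = t->wait_since = now + SLEEP_US;
                continue;
            }
            if (p == POLICY_EAGAIN) {               /* denied; caller can only retry */
                t->next_us = t->wait_since = now + RETRY_US;
                continue;
            }
        }
        /* Mutex variants: the 10 ms sleep happens while holding the per-user mutex. */
        if (mutex_free_at <= now) {
            long waited = t->waiting ? now - t->wait_since : 0;
            if (waited > r.max_wait_us)
                r.max_wait_us = waited;
            t->waiting = false;
            mutex_free_at = now + SLEEP_US;
            r.accesses++;                           /* read proceeds after the sleep */
            t->next_us = t->wait_since = mutex_free_at;
        } else if (p == POLICY_MUTEX_EAGAIN) {
            t->next_us = t->wait_since = now + RETRY_US;   /* -EAGAIN, nothing queued */
        } else {
            if (!t->waiting) {                      /* uninterruptible sleep on the mutex */
                t->waiting = true;
                t->wait_since = now;
            }
            t->next_us = mutex_free_at;             /* wake when the holder releases */
        }
    }
    return r;
}

int main(void)
{
    static const char *names[] = { "sleep-and-proceed", "return -EAGAIN",
                                   "mutex + -EAGAIN", "mutex, blocking" };
    for (int p = POLICY_SLEEP; p <= POLICY_MUTEX_WAIT; p++) {
        struct result r = simulate((enum policy)p, 10);
        printf("%-18s accesses/s=%5ld  longest wait on mutex=%ld ms\n",
               names[p], r.accesses, r.max_wait_us / 1000);
    }
    return 0;
}
```

With 100 readers and a burst of 10 per second, sleep-and-proceed yields 10010 reads in the simulated second (the per-thread 100/s Linus computes, multiplied by the thread count), plain -EAGAIN yields exactly the burst of 10, and both mutex variants yield 110 (the burst plus one serialized read per 10 ms). The difference between the two mutex variants is the other DoS: the blocking mutex leaves one thread stuck for 989 ms here, and scaling the thread count to a thousand turns that into the ten unkillable seconds described above, which is why the lock should be interruptible and fail with -EAGAIN.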