From owner-freebsd-hackers@FreeBSD.ORG Tue Apr 8 12:38:32 2014 Return-Path: Delivered-To: freebsd-hackers@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 6B65F283 for ; Tue, 8 Apr 2014 12:38:32 +0000 (UTC) Received: from kib.kiev.ua (kib.kiev.ua [IPv6:2001:470:d5e7:1::1]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 0C9911BC8 for ; Tue, 8 Apr 2014 12:38:31 +0000 (UTC) Received: from tom.home (kostik@localhost [127.0.0.1]) by kib.kiev.ua (8.14.8/8.14.8) with ESMTP id s38CcRls064198; Tue, 8 Apr 2014 15:38:27 +0300 (EEST) (envelope-from kostikbel@gmail.com) DKIM-Filter: OpenDKIM Filter v2.8.3 kib.kiev.ua s38CcRls064198 Received: (from kostik@localhost) by tom.home (8.14.8/8.14.8/Submit) id s38CcRxm064197; Tue, 8 Apr 2014 15:38:27 +0300 (EEST) (envelope-from kostikbel@gmail.com) X-Authentication-Warning: tom.home: kostik set sender to kostikbel@gmail.com using -f Date: Tue, 8 Apr 2014 15:38:27 +0300 From: Konstantin Belousov To: Mateusz Guzik Subject: Re: pipe() resource exhaustion Message-ID: <20140408123827.GW21331@kib.kiev.ua> References: <20140408130206.e75f3bf6c6df28b6e4839e70@yahoo.es> <20140408121222.GB30326@dft-labs.eu> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="xWiEbTquLUstXc+R" Content-Disposition: inline In-Reply-To: <20140408121222.GB30326@dft-labs.eu> User-Agent: Mutt/1.5.23 (2014-03-12) X-Spam-Status: No, score=-2.0 required=5.0 tests=ALL_TRUSTED,BAYES_00, DKIM_ADSP_CUSTOM_MED,FREEMAIL_FROM,NML_ADSP_CUSTOM_MED autolearn=no autolearn_force=no version=3.4.0 X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on tom.home Cc: freebsd-hackers@freebsd.org, Eduardo Morras X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Apr 2014 12:38:32 -0000 --xWiEbTquLUstXc+R Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Apr 08, 2014 at 02:12:22PM +0200, Mateusz Guzik wrote: > On Tue, Apr 08, 2014 at 01:02:06PM +0200, Eduardo Morras wrote: > > On Mon, 7 Apr 2014 07:25:22 -0500 > > Mark Felder wrote: > >=20 > > > On 2014-04-07 06:02, Ivan Voras wrote: > > > > Hello, > > > >=20 > > > > Last time I mentioned this it didn't get any attention, so I'll try > > > > again. By accident (via a buggy synergy server process) I found > > > > that a simple userland process can exhaust kernel pipe memory=20 > > > > (kern.ipc.pipekva > > > > sysctl) which as a consequence has that new processes which use pipe > > > > cannot be started, which includes "su", by which an administrator > > > > could kill such a process. > > > >=20 > > >=20 > > > That's a pretty painful local denial of service :( > >=20 > > Yes it is. Perhaps there should be 8% fd reserved for root, su and setu= id family syscalls like in filesystem space or postgresql reserved connecti= ons for db admin. > >=20 >=20 > There is an fd reserve already. Report talks about problems with > creating a new *pipe*, not any fd in general. >=20 > That said, supporting a reserve for this one sounds like a good idea and > not that hard to implement - one can either play with atomics and double > check or just place a mutex-protected check in pipespace_new (before > vm_map_find). >=20 > I implemented the second one, which turned out to be surprisingly ugly. > For now it abuses PRIV_MAXPROC and has a reserve taken out of the blue. >=20 > Thoughts? >=20 =2E.. I think more reasonable behaviour there is to just fall back to the buffered pipe if the direct buffer allocation fails. Look at the pipespace_new() calls in the pipe_create(); probably ignoring the error would do the trick. --xWiEbTquLUstXc+R Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (FreeBSD) iQIcBAEBAgAGBQJTQ+3CAAoJEJDCuSvBvK1BqH0P+wQnsyeovvCZQzO4/YXTPpfH Y35lDNoBNwNVIoCopU6WjGQem5yjIURiIyqTcdtcE9Dlsxn9+Z+5ocJng/cCVXZV 5zySaqHnenKmQOlBo0GmQmutxa7++cwNaG4q3iFKhoLJtgmD9gTVzlja2S/oZt7h 9KImUdV2SQo0AljLfxMD2Egi064B0w4vyO8Yy3sjZ8XqooRaxPgIdKL+u0GKtshI EZ9o1JRnyljEJtSt948+scwclIx5EnNfbdn7P2+a4Mt1aBk2rvpZZyi6bpTJIxL8 xsKB1ZSxV3BkiQXWuWCgAofFamx8B4z/XA0JSxdsrO6K/OgaVyqHfxPpBakYMn1t HBxfW/Q8ea6RmF8c0QQMJVjf96eAxMK8pmoBdsYSDHrPGmS9f2G+pVpuGKvDrpnr mXlcymjcoANvz8AOOdNzpC5coMpCnpfaAoaKrIU0hW6i0rWQ1N3OB8nlPJdnk0xG z8TSD0E4Kh6LRUze92bhRrTHL5yo2dHF+dgf4DlTShATpT1b8Y9bhBk+s2adL8Kg xUsCaPPt9YjoSiMVhF69LeWnzHVkDJjfNSAY9JQPIvuqOSDpiDvYw9b2togA0/EO BctLgpp2eUOiPWEldQneBURGgHYGQK+QdwOinnIstcYR3NxqqDLxhbwl5+ugirDh T4T+rsFB0TUsjWUeKOhg =bAAf -----END PGP SIGNATURE----- --xWiEbTquLUstXc+R--