Changeset 90238 in vbox

Timestamp:

Jul 19, 2021 1:48:09 PM (4 years ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

145776

Message:

HGCM,HostServices: Extended VBOXHGCMSVCFNTABLE with client and call limits. Tried to pick reasonable values for all services. bugref:9379

Location:

trunk

Files:

• include/VBox/err.h (modified) (1 diff)
• include/VBox/hgcmsvc.h (modified) (5 diffs)
• src/VBox/HostServices/DragAndDrop/VBoxDragAndDropSvc.cpp (modified) (1 diff)
• src/VBox/HostServices/GuestControl/VBoxGuestControlSvc.cpp (modified) (1 diff)
• src/VBox/HostServices/GuestProperties/VBoxGuestPropSvc.cpp (modified) (1 diff)
• src/VBox/HostServices/SharedClipboard/VBoxSharedClipboardSvc-darwin.cpp (modified) (1 diff)
• src/VBox/HostServices/SharedClipboard/VBoxSharedClipboardSvc-internal.h (modified) (1 diff)
• src/VBox/HostServices/SharedClipboard/VBoxSharedClipboardSvc-win.cpp (modified) (1 diff)
• src/VBox/HostServices/SharedClipboard/VBoxSharedClipboardSvc-x11-stubs.cpp (modified) (1 diff)
• src/VBox/HostServices/SharedClipboard/VBoxSharedClipboardSvc-x11.cpp (modified) (1 diff)
• src/VBox/HostServices/SharedClipboard/VBoxSharedClipboardSvc.cpp (modified) (4 diffs)
• src/VBox/HostServices/SharedClipboard/testcase/tstClipboardServiceHost.cpp (modified) (1 diff)
• src/VBox/HostServices/SharedClipboard/testcase/tstClipboardServiceImpl.cpp (modified) (1 diff)
• src/VBox/HostServices/SharedFolders/VBoxSharedFoldersSvc.cpp (modified) (1 diff)
• src/VBox/Main/src-client/HGCM.cpp (modified) (22 diffs)

trunk/include/VBox/err.h

@@ -1623 +1623 @@
 /** Requested service already exists. */
 #define VERR_HGCM_SERVICE_EXISTS                    (-2907)
-
+/** Too many clients for the service. */
+#define VERR_HGCM_TOO_MANY_CLIENTS                  (-2908)
+/** Too many calls to the service from a client. */
+#define VERR_HGCM_TOO_MANY_CLIENT_CALLS             (-2909)
 /** @} */
 

trunk/include/VBox/hgcmsvc.h

@@ -81 +81 @@
  * 6.5->7.1 Because pfnNotify was added (VBox 6.0).
  * 7.1->8.1 Because pfnCancelled & pfnIsCallCancelled were added (VBox 6.0).
+ * 8.1->9.1 Because pfnDisconnectClient was (temporarily) removed, and
+ *          acMaxClients and acMaxCallsPerClient added (VBox 6.1.26).
  */
-#define VBOX_HGCM_SVC_VERSION_MAJOR (0x0008)
+#define VBOX_HGCM_SVC_VERSION_MAJOR (0x0009)
 #define VBOX_HGCM_SVC_VERSION_MINOR (0x0001)
 #define VBOX_HGCM_SVC_VERSION ((VBOX_HGCM_SVC_VERSION_MAJOR << 16) + VBOX_HGCM_SVC_VERSION_MINOR)
@@ -99 +101 @@
     void *pvInstance;
 
+#if 0 /* Not thread safe. */
     /** The service disconnects the client. */
     DECLR3CALLBACKMEMBER(void, pfnDisconnectClient, (void *pvInstance, uint32_t u32ClientID));
+#endif
 
     /**
@@ -594 +598 @@
 } HGCMNOTIFYEVENT;
 
+/** @name HGCM_CLIENT_CATEGORY_XXX - Client categories
+ * @{ */
+#define HGCM_CLIENT_CATEGORY_KERNEL 0   /**< Guest kernel mode and legacy client. */
+#define HGCM_CLIENT_CATEGORY_ROOT   1   /**< Guest root or admin client. */
+#define HGCM_CLIENT_CATEGORY_USER   2   /**< Regular guest user client. */
+#define HGCM_CLIENT_CATEGORY_MAX    3   /**< Max number of categories. */
+/** @} */
+
 
 /** The Service DLL entry points.
@@ -610 +622 @@
 
     /** Size of the structure. */
-    uint32_t                 cbSize;
-
-    /** Version of the structure, including the helpers. */
-    uint32_t                 u32Version;
-
-    PVBOXHGCMSVCHELPERS      pHelpers;
+    uint32_t                cbSize;
+
+    /** Version of the structure, including the helpers. (VBOX_HGCM_SVC_VERSION) */
+    uint32_t                u32Version;
+
+    PVBOXHGCMSVCHELPERS     pHelpers;
     /** @} */
 
@@ -622 +634 @@
 
     /** Size of client information the service want to have. */
-    uint32_t                 cbClient;
-#if ARCH_BITS == 64
-    /** Ensure that the following pointers are properly aligned on 64-bit system. */
-    uint32_t                 u32Alignment0;
-#endif
+    uint32_t                cbClient;
+
+    /** The maximum number of clients per category.  Leave entries as zero for defaults. */
+    uint32_t                acMaxClients[HGCM_CLIENT_CATEGORY_MAX];
+    /** The maximum number of concurrent calls per client for each category.
+     *  Leave entries as as zero for default. */
+    uint32_t                acMaxCallsPerClient[HGCM_CLIENT_CATEGORY_MAX];
+    /** The HGCM_CLIENT_CATEGORY_XXX value for legacy clients.
+     *  Defaults to HGCM_CLIENT_CATEGORY_KERNEL. */
+    uint32_t                idxLegacyClientCategory;
 
     /** Uninitialize service */

trunk/src/VBox/HostServices/DragAndDrop/VBoxDragAndDropSvc.cpp

@@ -181 +181 @@
 int DragAndDropService::init(VBOXHGCMSVCFNTABLE *pTable) RT_NOEXCEPT
 {
+    /* Legacy clients map to the root category. */
+    pTable->idxLegacyClientCategory = HGCM_CLIENT_CATEGORY_ROOT;
+
+    /* Limit to 255 clients (see also DragAndDropService::clientConnect). */
+    for (uintptr_t i = 0; i < RT_ELEMENTS(pTable->acMaxClients); i++)
+        pTable->acMaxClients[i] = UINT8_MAX;
+
+    /* Limit the number of concurrent calls to 256 (playing safe).  */
+    /** @todo Properly determin the max number of pending/concurrent calls for DnD. */
+    for (uintptr_t i = 0; i < RT_ELEMENTS(pTable->acMaxClients); i++)
+        pTable->acMaxCallsPerClient[i] = 256;
+
     /* Register functions. */
     pTable->pfnHostCall          = svcHostCall;

trunk/src/VBox/HostServices/GuestControl/VBoxGuestControlSvc.cpp

@@ -2534 +2534 @@
                 pTable->cbClient = sizeof(ClientState);
 
+                /* Limit pending calls to 8 pending per connection (doubt we need more than
+                   one).  Map legacy clients to the root and limit kernel to 1 (zero would
+                   be default) and use defaults for root and user clients. */
+                for (uintptr_t i = 0; i < RT_ELEMENTS(pTable->acMaxClients); i++)
+                    pTable->acMaxCallsPerClient[i] = 8;
+
+                pTable->idxLegacyClientCategory = HGCM_CLIENT_CATEGORY_ROOT;
+                pTable->acMaxClients[HGCM_CLIENT_CATEGORY_KERNEL] = 1;
+
                 /* Register functions. */
                 pTable->pfnUnload               = GstCtrlService::svcUnload;

trunk/src/VBox/HostServices/GuestProperties/VBoxGuestPropSvc.cpp

@@ -1865 +1865 @@
                 ptable->cbClient = 0;
 
+                /* Legacy clients map to the kernel category. */
+                ptable->idxLegacyClientCategory = HGCM_CLIENT_CATEGORY_KERNEL;
+
+                /* Go with default client limits, but we won't ever need more than
+                   16 pending calls per client I would think (1 should be enough). */
+                for (uintptr_t i = 0; i < RT_ELEMENTS(ptable->acMaxClients); i++)
+                    ptable->acMaxCallsPerClient[i] = 16;
+
                 ptable->pfnUnload             = Service::svcUnload;
                 ptable->pfnConnect            = Service::svcConnect;

trunk/src/VBox/HostServices/SharedClipboard/VBoxSharedClipboardSvc-darwin.cpp

@@ -119 +119 @@
 
 
-int ShClBackendInit(void)
-{
+int ShClBackendInit(VBOXHGCMSVCFNTABLE *pTable)
+{
+    RT_NOREF(pTable);
     g_ctx.fTerminate = false;
 

trunk/src/VBox/HostServices/SharedClipboard/VBoxSharedClipboardSvc-internal.h

@@ -306 +306 @@
 /**
  * Called on initialization.
- */
-int ShClBackendInit(void);
+ *
+ * @param   pTable      The HGCM service call and parameter table.  Mainly for
+ *                      adjusting the limits.
+ */
+int ShClBackendInit(VBOXHGCMSVCFNTABLE *pTable);
 
 /**

trunk/src/VBox/HostServices/SharedClipboard/VBoxSharedClipboardSvc-win.cpp

@@ -604 +604 @@
  */
 
-int ShClBackendInit(void)
-{
+int ShClBackendInit(VBOXHGCMSVCFNTABLE *pTable)
+{
+    RT_NOREF(pTable);
 #ifdef VBOX_WITH_SHARED_CLIPBOARD_TRANSFERS
     HRESULT hr = OleInitialize(NULL);

trunk/src/VBox/HostServices/SharedClipboard/VBoxSharedClipboardSvc-x11-stubs.cpp

@@ -41 +41 @@
  * Initialise the host side of the shared clipboard - called by the hgcm layer.
  */
-int ShClBackendInit(void)
+int ShClBackendInit(VBOXHGCMSVCFNTABLE *pTable)
 {
+    RT_NOREF(pTable);
     LogFlowFunc(("called, returning VINF_SUCCESS\n"));
     return VINF_SUCCESS;

trunk/src/VBox/HostServices/SharedClipboard/VBoxSharedClipboardSvc-x11.cpp

@@ -61 +61 @@
 
 
-int ShClBackendInit(void)
-{
-    LogFlowFuncEnter();
+int ShClBackendInit(VBOXHGCMSVCFNTABLE *pTable)
+{
+    LogFlowFuncEnter();
+
+    /* Override the connection limit. */
+    for (uintptr_t i = 0; i < RT_ELEMENTS(pTable->acMaxClients); i++)
+        pTable->acMaxClients[i] = RT_MIN(VBOX_SHARED_CLIPBOARD_X11_CONNECTIONS_MAX, pTable->acMaxClients[i]);
+
     return VINF_SUCCESS;
 }

trunk/src/VBox/HostServices/SharedClipboard/VBoxSharedClipboardSvc.cpp

@@ -1932 +1932 @@
 }
 
-static int svcInit(void)
+static int svcInit(VBOXHGCMSVCFNTABLE *pTable)
 {
     int rc = RTCritSectInit(&g_CritSect);
@@ -1940 +1940 @@
         shClSvcModeSet(VBOX_SHCL_MODE_OFF);
 
-        rc = ShClBackendInit();
+        rc = ShClBackendInit(pTable);
 
         /* Clean up on failure, because 'svnUnload' will not be called
@@ -2722 +2722 @@
             pTable->cbClient = sizeof(SHCLCLIENT);
 
+            /* Map legacy clients to root. */
+            pTable->idxLegacyClientCategory = HGCM_CLIENT_CATEGORY_ROOT;
+
+            /* Limit the number of clients to 128 in each category (should be enough),
+               but set kernel clients to 1 (zero would be default). */
+            for (uintptr_t i = 0; i < RT_ELEMENTS(pTable->acMaxClients); i++)
+                pTable->acMaxClients[i] = 128;
+            pTable->acMaxClients[HGCM_CLIENT_CATEGORY_KERNEL] = 1;
+
+            /* Only 16 pending calls per client (1 should be enough). */
+            for (uintptr_t i = 0; i < RT_ELEMENTS(pTable->acMaxClients); i++)
+                pTable->acMaxCallsPerClient[i] = 16;
+
             pTable->pfnUnload            = svcUnload;
             pTable->pfnConnect           = svcConnect;
@@ -2734 +2747 @@
 
             /* Service specific initialization. */
-            rc = svcInit();
+            rc = svcInit(pTable);
         }
     }

trunk/src/VBox/HostServices/SharedClipboard/testcase/tstClipboardServiceHost.cpp

@@ -310 +310 @@
 }
 
-int ShClBackendInit() { return VINF_SUCCESS; }
+int ShClBackendInit(VBOXHGCMSVCFNTABLE *) { return VINF_SUCCESS; }
 void ShClBackendDestroy() { }
 int ShClBackendDisconnect(PSHCLCLIENT) { return VINF_SUCCESS; }

trunk/src/VBox/HostServices/SharedClipboard/testcase/tstClipboardServiceImpl.cpp

@@ -52 +52 @@
 }
 
-int ShClBackendInit(void) { return VINF_SUCCESS; }
+int ShClBackendInit(VBOXHGCMSVCFNTABLE *) { return VINF_SUCCESS; }
 void ShClBackendDestroy(void) { }
 int ShClBackendDisconnect(PSHCLCLIENT) { return VINF_SUCCESS; }

trunk/src/VBox/HostServices/SharedFolders/VBoxSharedFoldersSvc.cpp

@@ -1851 +1851 @@
             ptable->cbClient = sizeof (SHFLCLIENTDATA);
 
+            /* Map legacy clients to the kernel category. */
+            ptable->idxLegacyClientCategory = HGCM_CLIENT_CATEGORY_KERNEL;
+
+            /* Only 64K pending calls per kernel client, root gets 16K and regular users 1K. */
+            ptable->acMaxCallsPerClient[HGCM_CLIENT_CATEGORY_KERNEL] = _64K;
+            ptable->acMaxCallsPerClient[HGCM_CLIENT_CATEGORY_ROOT]   = _16K;
+            ptable->acMaxCallsPerClient[HGCM_CLIENT_CATEGORY_USER]   = _1K;
+
+            /* Reduce the number of clients to SHFL_MAX_MAPPINGS + 2 in each category,
+               so the increased calls-per-client value causes less trouble.
+               ((64 + 2) * 3 * 65536 = 12 976 128) */
+            for (uintptr_t i = 0; i < RT_ELEMENTS(ptable->acMaxClients); i++)
+                ptable->acMaxClients[i] = SHFL_MAX_MAPPINGS + 2;
+
             ptable->pfnUnload     = svcUnload;
             ptable->pfnConnect    = svcConnect;

trunk/src/VBox/Main/src-client/HGCM.cpp

@@ -27 +27 @@
 #include <VBox/vmm/stam.h>
 #include <VBox/sup.h>
+#include <VBox/AssertGuest.h>
 
 #include <iprt/alloc.h>
@@ -108 +109 @@
         VBOXHGCMSVCFNTABLE m_fntable;
 
+        uint32_t m_acClients[HGCM_CLIENT_CATEGORY_MAX]; /**< Clients per category. */
         uint32_t m_cClients;
         uint32_t m_cClientsAllocated;
@@ -121 +123 @@
          * @{ */
         STAMPROFILE m_StatHandleMsg;
+        STAMCOUNTER m_StatTooManyClients;
+        STAMCOUNTER m_StatTooManyCalls;
         /** @} */
 
@@ -187 +191 @@
          */
 
-        int GuestCall(PPDMIHGCMPORT pHGCMPort, PVBOXHGCMCMD pCmd, uint32_t u32ClientId,
+        int GuestCall(PPDMIHGCMPORT pHGCMPort, PVBOXHGCMCMD pCmd, uint32_t u32ClientId, HGCMClient *pClient,
                       uint32_t u32Function, uint32_t cParms, VBOXHGCMSVCPARM aParms[], uint64_t tsArrival);
         void GuestCancelled(PPDMIHGCMPORT pHGCMPort, PVBOXHGCMCMD pCmd, uint32_t idClient);
@@ -196 +200 @@
 {
     public:
-        HGCMClient(uint32_t a_fRequestor)
+        HGCMClient(uint32_t a_fRequestor, uint32_t a_idxCategory)
             : HGCMObject(HGCMOBJ_CLIENT)
             , pService(NULL)
             , pvData(NULL)
             , fRequestor(a_fRequestor)
-        {}
+            , idxCategory(a_idxCategory)
+            , cPendingCalls(0)
+        {
+            Assert(idxCategory < HGCM_CLIENT_CATEGORY_MAX);
+        }
         ~HGCMClient();
 
@@ -215 +223 @@
          * @sa VMMDevRequestHeader::fRequestor */
         uint32_t fRequestor;
+
+        /** The client category (HGCM_CLIENT_CATEGORY_XXX). */
+        uint32_t idxCategory;
+
+        /** Number of pending calls. */
+        uint32_t volatile cPendingCalls;
 
     private: /* none of this: */
@@ -275 +289 @@
     m_pHgcmPort  (NULL)
 {
+    RT_ZERO(m_acClients);
     RT_ZERO(m_fntable);
 }
@@ -340 +355 @@
             if (RT_SUCCESS(rc))
             {
-                if (   m_fntable.pfnUnload == NULL
-                    || m_fntable.pfnConnect == NULL
-                    || m_fntable.pfnDisconnect == NULL
-                    || m_fntable.pfnCall == NULL
+                if (   m_fntable.pfnUnload != NULL
+                    && m_fntable.pfnConnect != NULL
+                    && m_fntable.pfnDisconnect != NULL
+                    && m_fntable.pfnCall != NULL
                    )
+                {
+                    /*
+                     * Set default limits if not filled in by the service.
+                     *  Total max calls: (2048 + 1024 + 1024) * 8192 = 33 554 432
+                     */
+                    Assert(m_fntable.idxLegacyClientCategory < RT_ELEMENTS(m_fntable.acMaxClients));
+
+                    if (m_fntable.acMaxClients[HGCM_CLIENT_CATEGORY_KERNEL] == 0)
+                        m_fntable.acMaxClients[HGCM_CLIENT_CATEGORY_KERNEL] = _2K;
+                    if (m_fntable.acMaxClients[HGCM_CLIENT_CATEGORY_ROOT]   == 0)
+                        m_fntable.acMaxClients[HGCM_CLIENT_CATEGORY_ROOT]   = _1K;
+                    if (m_fntable.acMaxClients[HGCM_CLIENT_CATEGORY_USER]   == 0)
+                        m_fntable.acMaxClients[HGCM_CLIENT_CATEGORY_USER]   = _1K;
+
+                    if (m_fntable.acMaxCallsPerClient[HGCM_CLIENT_CATEGORY_KERNEL] == 0)
+                        m_fntable.acMaxCallsPerClient[HGCM_CLIENT_CATEGORY_KERNEL] = _8K;
+                    if (m_fntable.acMaxCallsPerClient[HGCM_CLIENT_CATEGORY_ROOT]   == 0)
+                        m_fntable.acMaxCallsPerClient[HGCM_CLIENT_CATEGORY_ROOT]   = _4K;
+                    if (m_fntable.acMaxCallsPerClient[HGCM_CLIENT_CATEGORY_USER]   == 0)
+                        m_fntable.acMaxCallsPerClient[HGCM_CLIENT_CATEGORY_USER]   = _2K;
+
+                    /** @todo provide way to configure different values via extra data.   */
+
+                    LogRel2(("HGCMService::loadServiceDLL: acMaxClients={%u,%u,%u} acMaxCallsPerClient={%u,%u,%u} => %RU64 calls; idxLegacyClientCategory=%d; %s\n",
+                             m_fntable.acMaxClients[HGCM_CLIENT_CATEGORY_KERNEL],
+                             m_fntable.acMaxClients[HGCM_CLIENT_CATEGORY_ROOT],
+                             m_fntable.acMaxClients[HGCM_CLIENT_CATEGORY_USER],
+                             m_fntable.acMaxCallsPerClient[HGCM_CLIENT_CATEGORY_KERNEL],
+                             m_fntable.acMaxCallsPerClient[HGCM_CLIENT_CATEGORY_ROOT],
+                             m_fntable.acMaxCallsPerClient[HGCM_CLIENT_CATEGORY_USER],
+                                 (uint64_t)m_fntable.acMaxClients[HGCM_CLIENT_CATEGORY_KERNEL]
+                               *    m_fntable.acMaxCallsPerClient[HGCM_CLIENT_CATEGORY_KERNEL]
+                             +   (uint64_t)m_fntable.acMaxClients[HGCM_CLIENT_CATEGORY_ROOT]
+                               *    m_fntable.acMaxCallsPerClient[HGCM_CLIENT_CATEGORY_ROOT]
+                             +   (uint64_t)m_fntable.acMaxClients[HGCM_CLIENT_CATEGORY_USER]
+                               *    m_fntable.acMaxCallsPerClient[HGCM_CLIENT_CATEGORY_USER],
+                             m_fntable.idxLegacyClientCategory, m_pszSvcName));
+                }
+                else
                 {
                     Log(("HGCMService::loadServiceDLL: at least one of function pointers is NULL\n"));
@@ -455 +509 @@
 {
     public:
-        HGCMMsgCall() {}
+        HGCMMsgCall() : pcCounter(NULL)
+        { }
 
         HGCMMsgCall(HGCMThread *pThread)
+            : pcCounter(NULL)
         {
             InitializeCore(SVC_MSG_GUESTCALL, pThread);
             Initialize();
         }
-        ~HGCMMsgCall() { Log(("~HGCMMsgCall %p\n", this)); }
+        ~HGCMMsgCall()
+        {
+            Log(("~HGCMMsgCall %p\n", this));
+            Assert(!pcCounter);
+        }
+
+        /** Points to HGCMClient::cPendingCalls if it needs to be decremented. */
+        uint32_t volatile *pcCounter;
 
         /* client identifier */
@@ -861 +924 @@
 }
 
+#if 0 /* not thread safe */
 /**
  * @interface_method_impl{VBOXHGCMSVCHELPERS,pfnDisconnectClient}
@@ -876 +940 @@
      }
 }
+#endif
 
 /**
@@ -1051 +1116 @@
             STAMR3RegisterFU(pUVM, &m_StatHandleMsg, STAMTYPE_PROFILE, STAMVISIBILITY_ALWAYS, STAMUNIT_OCCURENCES,
                              "Message handling", "/HGCM/%s/Msg", pszServiceName);
+            STAMR3RegisterFU(pUVM, &m_StatTooManyCalls, STAMTYPE_COUNTER, STAMVISIBILITY_ALWAYS, STAMUNIT_OCCURENCES,
+                             "Too many calls (per client)", "/HGCM/%s/TooManyCalls", pszServiceName);
+            STAMR3RegisterFU(pUVM, &m_StatTooManyClients, STAMTYPE_COUNTER, STAMVISIBILITY_ALWAYS, STAMUNIT_OCCURENCES,
+                             "Too many clients", "/HGCM/%s/TooManyClients", pszServiceName);
+            STAMR3RegisterFU(pUVM, &m_cClients, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_OCCURENCES,
+                             "Number of clients", "/HGCM/%s/Clients", pszServiceName);
+            STAMR3RegisterFU(pUVM, &m_acClients[HGCM_CLIENT_CATEGORY_KERNEL], STAMTYPE_U32, STAMVISIBILITY_ALWAYS,
+                             STAMUNIT_OCCURENCES, "Number of kernel clients", "/HGCM/%s/Clients/Kernel", pszServiceName);
+            STAMR3RegisterFU(pUVM, &m_acClients[HGCM_CLIENT_CATEGORY_ROOT], STAMTYPE_U32, STAMVISIBILITY_ALWAYS,
+                             STAMUNIT_OCCURENCES, "Number of root/admin clients", "/HGCM/%s/Clients/Root", pszServiceName);
+            STAMR3RegisterFU(pUVM, &m_acClients[HGCM_CLIENT_CATEGORY_USER], STAMTYPE_U32, STAMVISIBILITY_ALWAYS,
+                             STAMUNIT_OCCURENCES, "Number of regular user clients", "/HGCM/%s/Clients/User", pszServiceName);
+            STAMR3RegisterFU(pUVM, &m_fntable.acMaxClients[HGCM_CLIENT_CATEGORY_KERNEL], STAMTYPE_U32, STAMVISIBILITY_ALWAYS,
+                             STAMUNIT_OCCURENCES, "Max number of kernel clients", "/HGCM/%s/Clients/KernelMax", pszServiceName);
+            STAMR3RegisterFU(pUVM, &m_fntable.acMaxClients[HGCM_CLIENT_CATEGORY_ROOT], STAMTYPE_U32, STAMVISIBILITY_ALWAYS,
+                             STAMUNIT_OCCURENCES, "Max number of root clients", "/HGCM/%s/Clients/RootMax", pszServiceName);
+            STAMR3RegisterFU(pUVM, &m_fntable.acMaxClients[HGCM_CLIENT_CATEGORY_USER], STAMTYPE_U32, STAMVISIBILITY_ALWAYS,
+                             STAMUNIT_OCCURENCES, "Max number of user clients", "/HGCM/%s/Clients/UserMax", pszServiceName);
+            STAMR3RegisterFU(pUVM, &m_fntable.idxLegacyClientCategory, STAMTYPE_U32, STAMVISIBILITY_ALWAYS,
+                             STAMUNIT_OCCURENCES, "Legacy client mapping", "/HGCM/%s/Clients/LegacyClientMapping", pszServiceName);
+            STAMR3RegisterFU(pUVM, &m_fntable.acMaxCallsPerClient[HGCM_CLIENT_CATEGORY_KERNEL], STAMTYPE_U32, STAMVISIBILITY_ALWAYS,
+                             STAMUNIT_OCCURENCES, "Max number of call per kernel client", "/HGCM/%s/MaxCallsKernelClient", pszServiceName);
+            STAMR3RegisterFU(pUVM, &m_fntable.acMaxCallsPerClient[HGCM_CLIENT_CATEGORY_ROOT], STAMTYPE_U32, STAMVISIBILITY_ALWAYS,
+                             STAMUNIT_OCCURENCES, "Max number of call per root client", "/HGCM/%s/MaxCallsRootClient", pszServiceName);
+            STAMR3RegisterFU(pUVM, &m_fntable.acMaxCallsPerClient[HGCM_CLIENT_CATEGORY_USER], STAMTYPE_U32, STAMVISIBILITY_ALWAYS,
+                             STAMUNIT_OCCURENCES, "Max number of call per user client", "/HGCM/%s/MaxCallsUserClient", pszServiceName);
 
             /* Initialize service helpers table. */
             m_svcHelpers.pfnCallComplete       = svcHlpCallComplete;
             m_svcHelpers.pvInstance            = this;
+#if 0 /* not thread safe */
             m_svcHelpers.pfnDisconnectClient   = svcHlpDisconnectClient;
+#endif
             m_svcHelpers.pfnIsCallRestored     = svcHlpIsCallRestored;
             m_svcHelpers.pfnIsCallCancelled    = svcHlpIsCallCancelled;
@@ -1557 +1650 @@
                  pu32ClientIdOut, u32ClientIdIn, fRequestor, fRestoring));
 
+    /*
+     * Categorize the client (compress VMMDEV_REQUESTOR_USR_MASK)
+     * and check the respective client limit.
+     */
+    uint32_t idxClientCategory;
+    if (fRequestor == VMMDEV_REQUESTOR_LEGACY)
+    {
+        idxClientCategory = m_fntable.idxLegacyClientCategory;
+        AssertStmt(idxClientCategory < RT_ELEMENTS(m_acClients), idxClientCategory = HGCM_CLIENT_CATEGORY_KERNEL);
+    }
+    else
+        switch (fRequestor & VMMDEV_REQUESTOR_USR_MASK)
+        {
+            case VMMDEV_REQUESTOR_USR_DRV:
+            case VMMDEV_REQUESTOR_USR_DRV_OTHER:
+                idxClientCategory = HGCM_CLIENT_CATEGORY_KERNEL;
+                break;
+            case VMMDEV_REQUESTOR_USR_ROOT:
+            case VMMDEV_REQUESTOR_USR_SYSTEM:
+                idxClientCategory = HGCM_CLIENT_CATEGORY_ROOT;
+                break;
+            default:
+                idxClientCategory = HGCM_CLIENT_CATEGORY_USER;
+                break;
+        }
+
+    if (   m_acClients[idxClientCategory] < m_fntable.acMaxClients[idxClientCategory]
+        || fRestoring)
+    { }
+    else
+    {
+        LogRel2(("Too many concurrenct clients for HGCM service '%s': %u, max %u; category %u\n",
+                 m_pszSvcName, m_cClients, m_fntable.acMaxClients[idxClientCategory], idxClientCategory));
+        STAM_REL_COUNTER_INC(&m_StatTooManyClients);
+        return VERR_HGCM_TOO_MANY_CLIENTS;
+    }
+
     /* Allocate a client information structure. */
-    HGCMClient *pClient = new (std::nothrow) HGCMClient(fRequestor);
+    HGCMClient *pClient = new (std::nothrow) HGCMClient(fRequestor, idxClientCategory);
 
     if (!pClient)
@@ -1633 +1763 @@
                 }
 
-                m_paClientIds[m_cClients] = handle;
-                m_cClients++;
+                if (RT_SUCCESS(rc))
+                {
+                    m_paClientIds[m_cClients] = handle;
+                    m_cClients++;
+                    m_acClients[idxClientCategory]++;
+                    LogFunc(("idClient=%u m_cClients=%u m_acClients[%u]=%u %s\n", 
+                             handle, m_cClients, idxClientCategory, m_acClients[idxClientCategory]));
+                }
             }
         }
     }
 
-    if (RT_FAILURE(rc))
+    if (RT_SUCCESS(rc))
+    {
+        if (pu32ClientIdOut != NULL)
+        {
+            *pu32ClientIdOut = handle;
+        }
+
+        ReferenceService();
+    }
+    else
     {
         hgcmObjDeleteHandle(handle);
-    }
-    else
-    {
-        if (pu32ClientIdOut != NULL)
-        {
-            *pu32ClientIdOut = handle;
-        }
-
-        ReferenceService();
     }
 
@@ -1678 +1814 @@
      * for further details.
      */
+    Assert(pClient->idxCategory < HGCM_CLIENT_CATEGORY_MAX);
+    Assert(m_acClients[pClient->idxCategory] > 0);
+
     bool fReleaseService = false;
     int  rc              = VERR_NOT_FOUND;
@@ -1684 +1823 @@
         if (m_paClientIds[i] == u32ClientId)
         {
+            if (m_acClients[pClient->idxCategory] > 0)
+                m_acClients[pClient->idxCategory]--;
+
             m_cClients--;
 
@@ -1702 +1844 @@
     if (rc == VERR_NOT_FOUND && !fFromService)
     {
+        if (m_acClients[pClient->idxCategory] > 0)
+            m_acClients[pClient->idxCategory]--;
+
         hgcmObjDeleteHandle(u32ClientId);
         fReleaseService = true;
     }
+
+    if (pClient)
+        LogFunc(("idClient=%u m_cClients=%u m_acClients[%u]=%u %s (cPendingCalls=%u) rc=%Rrc\n",
+                 u32ClientId, m_cClients, pClient->idxCategory, m_acClients[pClient->idxCategory], pClient->cPendingCalls, rc));
 
     /*
@@ -1786 +1935 @@
 }
 
+/** @callback_method_impl{FNHGCMMSGCALLBACK}   */
+static DECLCALLBACK(int) hgcmMsgCallCompletionCallback(int32_t result, HGCMMsgCore *pMsgCore)
+{
+    /*
+     * Do common message completion then decrement the call counter
+     * for the client if necessary.
+     */
+    int rc = hgcmMsgCompletionCallback(result, pMsgCore);
+
+    HGCMMsgCall *pMsg = (HGCMMsgCall *)pMsgCore;
+    if (pMsg->pcCounter)
+    {
+        uint32_t cCalls = ASMAtomicDecU32(pMsg->pcCounter);
+        AssertStmt(cCalls < UINT32_MAX / 2, ASMAtomicWriteU32(pMsg->pcCounter, 0));
+        pMsg->pcCounter = NULL;
+        Log3Func(("pMsg=%p cPendingCalls=%u / %u (fun %u, %u parms)\n",
+                  pMsg, cCalls, pMsg->u32ClientId, pMsg->u32Function, pMsg->cParms));
+    }
+
+    return rc;
+}
+
 /** Perform a guest call to the service.
  *
@@ -1791 +1962 @@
  * @param pCmd           The VBox HGCM context.
  * @param u32ClientId    The client handle to be disconnected and deleted.
+ * @param pClient        The client data.
  * @param u32Function    The function number.
  * @param cParms         Number of parameters.
@@ -1798 +1970 @@
  * @retval VINF_HGCM_ASYNC_EXECUTE on success.
  */
-int HGCMService::GuestCall(PPDMIHGCMPORT pHGCMPort, PVBOXHGCMCMD pCmd, uint32_t u32ClientId, uint32_t u32Function,
-                           uint32_t cParms, VBOXHGCMSVCPARM paParms[], uint64_t tsArrival)
+int HGCMService::GuestCall(PPDMIHGCMPORT pHGCMPort, PVBOXHGCMCMD pCmd, uint32_t u32ClientId, HGCMClient *pClient,
+                           uint32_t u32Function, uint32_t cParms, VBOXHGCMSVCPARM paParms[], uint64_t tsArrival)
 {
     LogFlow(("MAIN::HGCMService::GuestCall\n"));
 
     int rc;
-    HGCMMsgCall *pMsg = new (std::nothrow) HGCMMsgCall(m_pThread);
+    HGCMMsgCall *pMsg = new(std::nothrow) HGCMMsgCall(m_pThread);
     if (pMsg)
     {
         pMsg->Reference(); /** @todo starts out with zero references. */
 
-        pMsg->pCmd        = pCmd;
-        pMsg->pHGCMPort   = pHGCMPort;
-        pMsg->u32ClientId = u32ClientId;
-        pMsg->u32Function = u32Function;
-        pMsg->cParms      = cParms;
-        pMsg->paParms     = paParms;
-        pMsg->tsArrival   = tsArrival;
-
-        rc = hgcmMsgPost(pMsg, hgcmMsgCompletionCallback);
+        uint32_t cCalls = ASMAtomicIncU32(&pClient->cPendingCalls);
+        Assert(pClient->idxCategory < RT_ELEMENTS(m_fntable.acMaxCallsPerClient));
+        if (cCalls < m_fntable.acMaxCallsPerClient[pClient->idxCategory])
+        {
+            pMsg->pcCounter   = &pClient->cPendingCalls;
+            Log3(("MAIN::HGCMService::GuestCall: pMsg=%p cPendingCalls=%u / %u / %s (fun %u, %u parms)\n",
+                  pMsg, cCalls, u32ClientId, m_pszSvcName, u32Function, cParms));
+
+            pMsg->pCmd        = pCmd;
+            pMsg->pHGCMPort   = pHGCMPort;
+            pMsg->u32ClientId = u32ClientId;
+            pMsg->u32Function = u32Function;
+            pMsg->cParms      = cParms;
+            pMsg->paParms     = paParms;
+            pMsg->tsArrival   = tsArrival;
+
+            rc = hgcmMsgPost(pMsg, hgcmMsgCallCompletionCallback);
+
+            if (RT_SUCCESS(rc))
+            { /* Reference donated on success. */ }
+            else
+            {
+                ASMAtomicDecU32(&pClient->cPendingCalls);
+                pMsg->pcCounter = NULL;
+                Log(("MAIN::HGCMService::GuestCall: hgcmMsgPost failed: %Rrc\n", rc));
+                pMsg->Dereference();
+            }
+        }
+        else
+        {
+            ASMAtomicDecU32(&pClient->cPendingCalls);
+            LogRel2(("HGCM: Too many calls to '%s' from client %u: %u, max %u; category %u\n", m_pszSvcName, u32ClientId,
+                     cCalls, m_fntable.acMaxCallsPerClient[pClient->idxCategory], pClient->idxCategory));
+            pMsg->Dereference();
+            STAM_REL_COUNTER_INC(&m_StatTooManyCalls);
+            rc = VERR_HGCM_TOO_MANY_CLIENT_CALLS;
+        }
     }
     else
@@ -1831 +2031 @@
 /** Guest cancelled a request (call, connection attempt, disconnect attempt).
  *
- * @param   pHGCMPort      The port to be used for completion confirmation.
+ * @param   pHGCMPort      The port to be used for completion confirmation
  * @param   pCmd           The VBox HGCM context.
  * @param   idClient       The client handle to be disconnected and deleted.
@@ -2572 +2772 @@
 
         /* Forward the message to the service thread. */
-        rc = pClient->pService->GuestCall(pHGCMPort, pCmd, u32ClientId, u32Function, cParms, paParms, tsArrival);
+        rc = pClient->pService->GuestCall(pHGCMPort, pCmd, u32ClientId, pClient, u32Function, cParms, paParms, tsArrival);
 
         hgcmObjDereference(pClient);