Add a per-process limit on open UDP sockets.
This adds a default limit of 6000 on the open UDP sockets throughout the entire process, configurable with the "LimitOpenUDPSockets" feature.
An "open UDP socket" specifically means a net::UDPSocket which successfully called Open(), and has not yet called Close().
Once the limit has been reached, opening UDP socket will fail with ERR_INSUFFICIENT_RESOURCES.
In Chrome Browser, UDP sockets are brokered through a single process (that hosting the Network Service), so this is functionally a browser-wide limit too.
Bug: 1083278
Change-Id: Ib95ab14b7ccf5e15410b9df9537c66c858de2d7d
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2350395
Reviewed-by: David Schinazi <[email protected]>
Commit-Queue: Eric Roman <[email protected]>
Cr-Commit-Position: refs/heads/master@{#797523}
diff --git a/net/BUILD.gn b/net/BUILD.gn
index 1e9f449..bc526e8e 100644
--- a/net/BUILD.gn
+++ b/net/BUILD.gn
@@ -1013,6 +1013,8 @@
"socket/udp_server_socket.cc",
"socket/udp_server_socket.h",
"socket/udp_socket.h",
+ "socket/udp_socket_global_limits.cc",
+ "socket/udp_socket_global_limits.h",
"socket/websocket_endpoint_lock_manager.cc",
"socket/websocket_endpoint_lock_manager.h",
"socket/websocket_transport_client_socket_pool.cc",
diff --git a/net/base/features.cc b/net/base/features.cc
index ea8bd1f0..e840f6643 100644
--- a/net/base/features.cc
+++ b/net/base/features.cc
@@ -170,5 +170,13 @@
const base::Feature kPreemptiveMobileNetworkActivation{
"PreemptiveMobileNetworkActivation", base::FEATURE_DISABLED_BY_DEFAULT};
+const base::Feature kLimitOpenUDPSockets{"LimitOpenUDPSockets",
+ base::FEATURE_ENABLED_BY_DEFAULT};
+
+extern const base::FeatureParam<int> kLimitOpenUDPSocketsMax(
+ &kLimitOpenUDPSockets,
+ "LimitOpenUDPSocketsMax",
+ 6000);
+
} // namespace features
} // namespace net
diff --git a/net/base/features.h b/net/base/features.h
index a2a94e50..54c5705a 100644
--- a/net/base/features.h
+++ b/net/base/features.h
@@ -256,6 +256,16 @@
// the Wi-Fi connection.
NET_EXPORT extern const base::Feature kPreemptiveMobileNetworkActivation;
+// Enables a process-wide limit on "open" UDP sockets. See
+// udp_socket_global_limits.h for details on what constitutes an "open" socket.
+NET_EXPORT extern const base::Feature kLimitOpenUDPSockets;
+
+// FeatureParams associated with kLimitOpenUDPSockets.
+
+// Sets the maximum allowed open UDP sockets. Provisioning more sockets than
+// this will result in a failure (ERR_INSUFFICIENT_RESOURCES).
+NET_EXPORT extern const base::FeatureParam<int> kLimitOpenUDPSocketsMax;
+
} // namespace features
} // namespace net
diff --git a/net/socket/udp_socket_global_limits.cc b/net/socket/udp_socket_global_limits.cc
new file mode 100644
index 0000000..60c1cc7
--- /dev/null
+++ b/net/socket/udp_socket_global_limits.cc
@@ -0,0 +1,91 @@
+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <limits>
+
+#include "base/atomic_ref_count.h"
+#include "base/no_destructor.h"
+#include "net/base/features.h"
+#include "net/socket/udp_socket_global_limits.h"
+
+namespace net {
+
+namespace {
+
+// Threadsafe singleton for tracking the process-wide count of UDP sockets.
+class GlobalUDPSocketCounts {
+ public:
+ GlobalUDPSocketCounts() : count_(0) {}
+
+ ~GlobalUDPSocketCounts() = delete;
+
+ static GlobalUDPSocketCounts& Get() {
+ static base::NoDestructor<GlobalUDPSocketCounts> singleton;
+ return *singleton;
+ }
+
+ bool TryAcquireSocket() WARN_UNUSED_RESULT {
+ int previous = count_.Increment(1);
+ if (previous >= GetMax()) {
+ count_.Increment(-1);
+ return false;
+ }
+
+ return true;
+ }
+
+ int GetMax() {
+ if (base::FeatureList::IsEnabled(features::kLimitOpenUDPSockets))
+ return features::kLimitOpenUDPSocketsMax.Get();
+
+ return std::numeric_limits<int>::max();
+ }
+
+ void ReleaseSocket() { count_.Increment(-1); }
+
+ int GetCountForTesting() { return count_.SubtleRefCountForDebug(); }
+
+ private:
+ base::AtomicRefCount count_;
+};
+
+} // namespace
+
+OwnedUDPSocketCount::OwnedUDPSocketCount() : OwnedUDPSocketCount(true) {}
+
+OwnedUDPSocketCount::OwnedUDPSocketCount(OwnedUDPSocketCount&& other) {
+ *this = std::move(other);
+}
+
+OwnedUDPSocketCount& OwnedUDPSocketCount::operator=(
+ OwnedUDPSocketCount&& other) {
+ Reset();
+ empty_ = other.empty_;
+ other.empty_ = true;
+ return *this;
+}
+
+OwnedUDPSocketCount::~OwnedUDPSocketCount() {
+ Reset();
+}
+
+void OwnedUDPSocketCount::Reset() {
+ if (!empty_) {
+ GlobalUDPSocketCounts::Get().ReleaseSocket();
+ empty_ = true;
+ }
+}
+
+OwnedUDPSocketCount::OwnedUDPSocketCount(bool empty) : empty_(empty) {}
+
+OwnedUDPSocketCount TryAcquireGlobalUDPSocketCount() {
+ bool success = GlobalUDPSocketCounts::Get().TryAcquireSocket();
+ return OwnedUDPSocketCount(!success);
+}
+
+int GetGlobalUDPSocketCountForTesting() {
+ return GlobalUDPSocketCounts::Get().GetCountForTesting();
+}
+
+} // namespace net
diff --git a/net/socket/udp_socket_global_limits.h b/net/socket/udp_socket_global_limits.h
new file mode 100644
index 0000000..55364cf4
--- /dev/null
+++ b/net/socket/udp_socket_global_limits.h
@@ -0,0 +1,75 @@
+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef NET_SOCKET_UDP_SOCKET_GLOBAL_LIMITS_H_
+#define NET_SOCKET_UDP_SOCKET_GLOBAL_LIMITS_H_
+
+#include "base/compiler_specific.h"
+#include "net/base/net_errors.h"
+#include "net/base/net_export.h"
+
+namespace net {
+
+// Helper class for RAII-style management of the global count of "open UDP
+// sockets" [1] in the process.
+//
+// Keeping OwnedUDPSocketCount alive increases the global socket counter by 1.
+// When it goes out of scope - or is explicitly Reset() - the reference is
+// returned to the global counter.
+class NET_EXPORT OwnedUDPSocketCount {
+ public:
+ // The default constructor builds an empty OwnedUDPSocketCount (does not own a
+ // count).
+ OwnedUDPSocketCount();
+
+ // Any count held by OwnedUDPSocketCount is transferred when moving.
+ OwnedUDPSocketCount(OwnedUDPSocketCount&&);
+ OwnedUDPSocketCount& operator=(OwnedUDPSocketCount&&);
+
+ // This is a move-only type.
+ OwnedUDPSocketCount(const OwnedUDPSocketCount&) = delete;
+ OwnedUDPSocketCount& operator=(const OwnedUDPSocketCount&) = delete;
+
+ ~OwnedUDPSocketCount();
+
+ // Returns false if this instance "owns" a socket count. In
+ // other words, when |empty()|, destruction of |this| will
+ // not change the global socket count.
+ bool empty() const { return empty_; }
+
+ // Resets |this| to an empty state (|empty()| becomes true after
+ // calling this). If |this| was previously |!empty()|, the global
+ // socket count will be decremented.
+ void Reset();
+
+ private:
+ // Only TryAcquireGlobalUDPSocketCount() is allowed to construct a non-empty
+ // OwnedUDPSocketCount.
+ friend NET_EXPORT OwnedUDPSocketCount TryAcquireGlobalUDPSocketCount();
+ explicit OwnedUDPSocketCount(bool empty);
+
+ bool empty_;
+};
+
+// Attempts to increase the global "open UDP socket" [1] count.
+//
+// * On failure returns an OwnedUDPSocketCount that is |empty()|. This happens
+// if the global socket limit has been reached.
+// * On success returns an OwnedUDPSocketCount that is |!empty()|. This
+// OwnedUDPSocketCount should be kept alive until the socket resource is
+// released.
+//
+// [1] For simplicity, an "open UDP socket" is defined as a net::UDPSocket that
+// successfully called Open(), and has not yet called Close(). This is
+// analogous to the number of open platform socket handles, and in practice
+// should also be a good proxy for the number of consumed UDP ports.
+NET_EXPORT OwnedUDPSocketCount TryAcquireGlobalUDPSocketCount()
+ WARN_UNUSED_RESULT;
+
+// Returns the current count of open UDP sockets (for testing only).
+NET_EXPORT int GetGlobalUDPSocketCountForTesting();
+
+} // namespace net
+
+#endif // NET_SOCKET_UDP_SOCKET_GLOBAL_LIMITS_H_
diff --git a/net/socket/udp_socket_posix.cc b/net/socket/udp_socket_posix.cc
index 6fe907e0..8369ac37 100644
--- a/net/socket/udp_socket_posix.cc
+++ b/net/socket/udp_socket_posix.cc
@@ -215,6 +215,10 @@
DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
DCHECK_EQ(socket_, kInvalidSocket);
+ auto owned_socket_count = TryAcquireGlobalUDPSocketCount();
+ if (owned_socket_count.empty())
+ return ERR_INSUFFICIENT_RESOURCES;
+
addr_family_ = ConvertAddressFamily(address_family);
socket_ = CreatePlatformSocket(addr_family_, SOCK_DGRAM, 0);
if (socket_ == kInvalidSocket)
@@ -231,6 +235,8 @@
}
if (tag_ != SocketTag())
tag_.Apply(socket_);
+
+ owned_socket_count_ = std::move(owned_socket_count);
return OK;
}
@@ -292,6 +298,8 @@
void UDPSocketPosix::Close() {
DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
+ owned_socket_count_.Reset();
+
if (socket_ == kInvalidSocket)
return;
diff --git a/net/socket/udp_socket_posix.h b/net/socket/udp_socket_posix.h
index df3bf973..6b77e9c 100644
--- a/net/socket/udp_socket_posix.h
+++ b/net/socket/udp_socket_posix.h
@@ -30,6 +30,7 @@
#include "net/socket/diff_serv_code_point.h"
#include "net/socket/socket_descriptor.h"
#include "net/socket/socket_tag.h"
+#include "net/socket/udp_socket_global_limits.h"
#include "net/traffic_annotation/network_traffic_annotation.h"
#if defined(__ANDROID__) && defined(__aarch64__)
@@ -630,6 +631,10 @@
// enable_experimental_recv_optimization() method.
bool experimental_recv_optimization_enabled_;
+ // Manages decrementing the global open UDP socket counter when this
+ // UDPSocket is destroyed.
+ OwnedUDPSocketCount owned_socket_count_;
+
THREAD_CHECKER(thread_checker_);
// Used for alternate writes that are posted for concurrent execution.
diff --git a/net/socket/udp_socket_unittest.cc b/net/socket/udp_socket_unittest.cc
index f434e44f..c2dba54 100644
--- a/net/socket/udp_socket_unittest.cc
+++ b/net/socket/udp_socket_unittest.cc
@@ -14,8 +14,12 @@
#include "base/scoped_clear_last_error.h"
#include "base/single_thread_task_runner.h"
#include "base/stl_util.h"
+#include "base/strings/string_number_conversions.h"
+#include "base/test/scoped_feature_list.h"
+#include "base/threading/thread.h"
#include "base/threading/thread_task_runner_handle.h"
#include "build/build_config.h"
+#include "net/base/features.h"
#include "net/base/io_buffer.h"
#include "net/base/ip_address.h"
#include "net/base/ip_endpoint.h"
@@ -29,6 +33,7 @@
#include "net/socket/socket_test_util.h"
#include "net/socket/udp_client_socket.h"
#include "net/socket/udp_server_socket.h"
+#include "net/socket/udp_socket_global_limits.h"
#include "net/test/gtest_util.h"
#include "net/test/test_with_task_environment.h"
#include "net/traffic_annotation/network_traffic_annotation_test_helper.h"
@@ -1371,4 +1376,140 @@
}
#endif
+// Scoped helper to override the process-wide UDP socket limit.
+class OverrideUDPSocketLimit {
+ public:
+ explicit OverrideUDPSocketLimit(int new_limit) {
+ base::FieldTrialParams params;
+ params[features::kLimitOpenUDPSocketsMax.name] =
+ base::NumberToString(new_limit);
+
+ scoped_feature_list_.InitAndEnableFeatureWithParameters(
+ features::kLimitOpenUDPSockets, params);
+ }
+
+ private:
+ base::test::ScopedFeatureList scoped_feature_list_;
+};
+
+// Tests that UDPClientSocket respects the global UDP socket limits.
+TEST_F(UDPSocketTest, LimitClientSocket) {
+ // Reduce the global UDP limit to 2.
+ OverrideUDPSocketLimit set_limit(2);
+
+ ASSERT_EQ(0, GetGlobalUDPSocketCountForTesting());
+
+ auto socket1 = std::make_unique<UDPClientSocket>(DatagramSocket::DEFAULT_BIND,
+ nullptr, NetLogSource());
+ auto socket2 = std::make_unique<UDPClientSocket>(DatagramSocket::DEFAULT_BIND,
+ nullptr, NetLogSource());
+
+ // Simply constructing a UDPClientSocket does not increase the limit (no
+ // Connect() or Bind() has been called yet).
+ ASSERT_EQ(0, GetGlobalUDPSocketCountForTesting());
+
+ // The specific value of this address doesn't really matter, and no server
+ // needs to be running here. The test only needs to call Connect() and won't
+ // send any datagrams.
+ IPEndPoint server_address(IPAddress::IPv4Localhost(), 8080);
+
+ // Successful Connect() on socket1 increases socket count.
+ EXPECT_THAT(socket1->Connect(server_address), IsOk());
+ EXPECT_EQ(1, GetGlobalUDPSocketCountForTesting());
+
+ // Successful Connect() on socket2 increases socket count.
+ EXPECT_THAT(socket2->Connect(server_address), IsOk());
+ EXPECT_EQ(2, GetGlobalUDPSocketCountForTesting());
+
+ // Attempting a third Connect() should fail with ERR_INSUFFICIENT_RESOURCES,
+ // as the limit is currently 2.
+ auto socket3 = std::make_unique<UDPClientSocket>(DatagramSocket::DEFAULT_BIND,
+ nullptr, NetLogSource());
+ EXPECT_THAT(socket3->Connect(server_address),
+ IsError(ERR_INSUFFICIENT_RESOURCES));
+ EXPECT_EQ(2, GetGlobalUDPSocketCountForTesting());
+
+ // Check that explicitly closing socket2 free up a count.
+ socket2->Close();
+ EXPECT_EQ(1, GetGlobalUDPSocketCountForTesting());
+
+ // Since the socket was already closed, deleting it will not affect the count.
+ socket2.reset();
+ EXPECT_EQ(1, GetGlobalUDPSocketCountForTesting());
+
+ // Now that the count is below limit, try to connect socket3 again. This time
+ // it will work.
+ EXPECT_THAT(socket3->Connect(server_address), IsOk());
+ EXPECT_EQ(2, GetGlobalUDPSocketCountForTesting());
+
+ // Verify that closing the two remaining sockets brings the open count back to
+ // 0.
+ socket1.reset();
+ EXPECT_EQ(1, GetGlobalUDPSocketCountForTesting());
+ socket3.reset();
+ EXPECT_EQ(0, GetGlobalUDPSocketCountForTesting());
+}
+
+// Tests that UDPSocketClient updates the global counter
+// correctly when Connect() fails.
+TEST_F(UDPSocketTest, LimitConnectFail) {
+ ASSERT_EQ(0, GetGlobalUDPSocketCountForTesting());
+
+ {
+ // Simply allocating a UDPSocket does not increase count.
+ UDPSocket socket(DatagramSocket::DEFAULT_BIND, nullptr, NetLogSource());
+ EXPECT_EQ(0, GetGlobalUDPSocketCountForTesting());
+
+ // Calling Open() allocates the socket and increases the global counter.
+ EXPECT_THAT(socket.Open(ADDRESS_FAMILY_IPV4), IsOk());
+ EXPECT_EQ(1, GetGlobalUDPSocketCountForTesting());
+
+ // Connect to an IPv6 address should fail since the socket was created for
+ // IPv4.
+ EXPECT_THAT(socket.Connect(net::IPEndPoint(IPAddress::IPv6Localhost(), 53)),
+ Not(IsOk()));
+
+ // That Connect() failed doesn't change the global counter.
+ EXPECT_EQ(1, GetGlobalUDPSocketCountForTesting());
+ }
+
+ // Finally, destroying UDPSocket decrements the global counter.
+ EXPECT_EQ(0, GetGlobalUDPSocketCountForTesting());
+}
+
+// Tests allocating UDPClientSockets and Connect()ing them in parallel.
+//
+// This is primarily intended for coverage under TSAN, to check for races
+// enforcing the global socket counter.
+TEST_F(UDPSocketTest, LimitConnectMultithreaded) {
+ ASSERT_EQ(0, GetGlobalUDPSocketCountForTesting());
+
+ // Start up some threads.
+ std::vector<std::unique_ptr<base::Thread>> threads;
+ for (size_t i = 0; i < 5; ++i) {
+ threads.push_back(std::make_unique<base::Thread>("Worker thread"));
+ ASSERT_TRUE(threads.back()->Start());
+ }
+
+ // Post tasks to each of the threads.
+ for (const auto& thread : threads) {
+ thread->task_runner()->PostTask(
+ FROM_HERE, base::BindOnce([] {
+ // The specific value of this address doesn't really matter, and no
+ // server needs to be running here. The test only needs to call
+ // Connect() and won't send any datagrams.
+ IPEndPoint server_address(IPAddress::IPv4Localhost(), 8080);
+
+ UDPClientSocket socket(DatagramSocket::DEFAULT_BIND, nullptr,
+ NetLogSource());
+ EXPECT_THAT(socket.Connect(server_address), IsOk());
+ }));
+ }
+
+ // Complete all the tasks.
+ threads.clear();
+
+ EXPECT_EQ(0, GetGlobalUDPSocketCountForTesting());
+}
+
} // namespace net
diff --git a/net/socket/udp_socket_win.cc b/net/socket/udp_socket_win.cc
index f58a2b4..4fec002 100644
--- a/net/socket/udp_socket_win.cc
+++ b/net/socket/udp_socket_win.cc
@@ -273,6 +273,10 @@
DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
DCHECK_EQ(socket_, INVALID_SOCKET);
+ auto owned_socket_count = TryAcquireGlobalUDPSocketCount();
+ if (owned_socket_count.empty())
+ return ERR_INSUFFICIENT_RESOURCES;
+
addr_family_ = ConvertAddressFamily(address_family);
socket_ = CreatePlatformSocket(addr_family_, SOCK_DGRAM, IPPROTO_UDP);
if (socket_ == INVALID_SOCKET)
@@ -283,12 +287,16 @@
read_write_event_.Set(WSACreateEvent());
WSAEventSelect(socket_, read_write_event_.Get(), FD_READ | FD_WRITE);
}
+
+ owned_socket_count_ = std::move(owned_socket_count);
return OK;
}
void UDPSocketWin::Close() {
DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
+ owned_socket_count_.Reset();
+
if (socket_ == INVALID_SOCKET)
return;
diff --git a/net/socket/udp_socket_win.h b/net/socket/udp_socket_win.h
index 380ff03..a11d07a 100644
--- a/net/socket/udp_socket_win.h
+++ b/net/socket/udp_socket_win.h
@@ -28,6 +28,7 @@
#include "net/log/net_log_with_source.h"
#include "net/socket/datagram_socket.h"
#include "net/socket/diff_serv_code_point.h"
+#include "net/socket/udp_socket_global_limits.h"
#include "net/traffic_annotation/network_traffic_annotation.h"
namespace net {
@@ -485,6 +486,10 @@
// Maintains remote addresses for QWAVE qos management.
std::unique_ptr<DscpManager> dscp_manager_;
+ // Manages decrementing the global open UDP socket counter when this
+ // UDPSocket is destroyed.
+ OwnedUDPSocketCount owned_socket_count_;
+
THREAD_CHECKER(thread_checker_);
// Used to prevent null dereferences in OnObjectSignaled, when passing an
