Add a per-process limit on open UDP sockets.

This adds a default limit of 6000 on the open UDP sockets throughout the entire process, configurable with the "LimitOpenUDPSockets" feature. An "open UDP socket" specifically means a net::UDPSocket which successfully called Open(), and has not yet called Close(). Once the limit has been reached, opening UDP socket will fail with ERR_INSUFFICIENT_RESOURCES. In Chrome Browser, UDP sockets are brokered through a single process (that hosting the Network Service), so this is functionally a browser-wide limit too. Bug: 1083278 Change-Id: Ib95ab14b7ccf5e15410b9df9537c66c858de2d7d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2350395Reviewed-by: David Schinazi <dschinazi@chromium.org> Commit-Queue: Eric Roman <eroman@chromium.org> Cr-Commit-Position: refs/heads/master@{#797523}

Add a per-process limit on open UDP sockets.
This adds a default limit of 6000 on the open UDP sockets throughout the entire process, configurable with the "LimitOpenUDPSockets" feature. An "open UDP socket" specifically means a net::UDPSocket which successfully called Open(), and has not yet called Close(). Once the limit has been reached, opening UDP socket will fail with ERR_INSUFFICIENT_RESOURCES. In Chrome Browser, UDP sockets are brokered through a single process (that hosting the Network Service), so this is functionally a browser-wide limit too. Bug: 1083278 Change-Id: Ib95ab14b7ccf5e15410b9df9537c66c858de2d7d Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2350395Reviewed-by: David Schinazi <dschinazi@chromium.org> Commit-Queue: Eric Roman <eroman@chromium.org> Cr-Commit-Position: refs/heads/master@{#797523}
5a841929 · Eric Roman · Commit Bot · 9b80c3e4 · 5a841929 · 5a841929
Commit 5a841929 authored Aug 13, 2020 by Eric Roman Committed by Commit Bot Aug 13, 2020
10 changed files
--- a/net/BUILD.gn
+++ b/net/BUILD.gn
@@ -1013,6 +1013,8 @@ component("net") {
      "socket/udp_server_socket.cc",
      "socket/udp_server_socket.h",
      "socket/udp_socket.h",
+      "socket/udp_socket_global_limits.cc",
+      "socket/udp_socket_global_limits.h",
      "socket/websocket_endpoint_lock_manager.cc",
      "socket/websocket_endpoint_lock_manager.h",
      "socket/websocket_transport_client_socket_pool.cc",

--- a/net/base/features.cc
+++ b/net/base/features.cc
@@ -170,5 +170,13 @@ const base::Feature kReportPoorConnectivity{"ReportPoorConnectivity",
 const base::Feature kPreemptiveMobileNetworkActivation{
    "PreemptiveMobileNetworkActivation", base::FEATURE_DISABLED_BY_DEFAULT};
+const base::Feature kLimitOpenUDPSockets{"LimitOpenUDPSockets",
+                                         base::FEATURE_ENABLED_BY_DEFAULT};
+extern const base::FeatureParam<int> kLimitOpenUDPSocketsMax(
+    &kLimitOpenUDPSockets,
+    "LimitOpenUDPSocketsMax",
+    6000);
 }  // namespace features
 }  // namespace net
--- a/net/base/features.h
+++ b/net/base/features.h
@@ -256,6 +256,16 @@ NET_EXPORT extern const base::Feature kReportPoorConnectivity;
 // the Wi-Fi connection.
 NET_EXPORT extern const base::Feature kPreemptiveMobileNetworkActivation;
+// Enables a process-wide limit on "open" UDP sockets. See
+// udp_socket_global_limits.h for details on what constitutes an "open" socket.
+NET_EXPORT extern const base::Feature kLimitOpenUDPSockets;
+// FeatureParams associated with kLimitOpenUDPSockets.
+// Sets the maximum allowed open UDP sockets. Provisioning more sockets than
+// this will result in a failure (ERR_INSUFFICIENT_RESOURCES).
+NET_EXPORT extern const base::FeatureParam<int> kLimitOpenUDPSocketsMax;
 }  // namespace features
 }  // namespace net

--- a/net/socket/udp_socket_global_limits.cc
+++ b/net/socket/udp_socket_global_limits.cc
+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+#include <limits>
+#include "base/atomic_ref_count.h"
+#include "base/no_destructor.h"
+#include "net/base/features.h"
+#include "net/socket/udp_socket_global_limits.h"
+namespace net {
+namespace {
+// Threadsafe singleton for tracking the process-wide count of UDP sockets.
+class GlobalUDPSocketCounts {
+ public:
+  GlobalUDPSocketCounts() : count_(0) {}
+  ~GlobalUDPSocketCounts() = delete;
+  static GlobalUDPSocketCounts& Get() {
+    static base::NoDestructor<GlobalUDPSocketCounts> singleton;
+    return *singleton;
+  }
+  bool TryAcquireSocket() WARN_UNUSED_RESULT {
+    int previous = count_.Increment(1);
+    if (previous >= GetMax()) {
+      count_.Increment(-1);
+      return false;
+    }
+    return true;
+  }
+  int GetMax() {
+    if (base::FeatureList::IsEnabled(features::kLimitOpenUDPSockets))
+      return features::kLimitOpenUDPSocketsMax.Get();
+    return std::numeric_limits<int>::max();
+  }
+  void ReleaseSocket() { count_.Increment(-1); }
+  int GetCountForTesting() { return count_.SubtleRefCountForDebug(); }
+ private:
+  base::AtomicRefCount count_;
+};
+}  // namespace
+OwnedUDPSocketCount::OwnedUDPSocketCount() : OwnedUDPSocketCount(true) {}
+OwnedUDPSocketCount::OwnedUDPSocketCount(OwnedUDPSocketCount&& other) {
+  *this = std::move(other);
+}
+OwnedUDPSocketCount& OwnedUDPSocketCount::operator=(
+    OwnedUDPSocketCount&& other) {
+  Reset();
+  empty_ = other.empty_;
+  other.empty_ = true;
+  return *this;
+}
+OwnedUDPSocketCount::~OwnedUDPSocketCount() {
+  Reset();
+}
+void OwnedUDPSocketCount::Reset() {
+  if (!empty_) {
+    GlobalUDPSocketCounts::Get().ReleaseSocket();
+    empty_ = true;
+  }
+}
+OwnedUDPSocketCount::OwnedUDPSocketCount(bool empty) : empty_(empty) {}
+OwnedUDPSocketCount TryAcquireGlobalUDPSocketCount() {
+  bool success = GlobalUDPSocketCounts::Get().TryAcquireSocket();
+  return OwnedUDPSocketCount(!success);
+}
+int GetGlobalUDPSocketCountForTesting() {
+  return GlobalUDPSocketCounts::Get().GetCountForTesting();
+}
+}  // namespace net
--- a/net/socket/udp_socket_global_limits.h
+++ b/net/socket/udp_socket_global_limits.h
+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+#ifndef NET_SOCKET_UDP_SOCKET_GLOBAL_LIMITS_H_
+#define NET_SOCKET_UDP_SOCKET_GLOBAL_LIMITS_H_
+#include "base/compiler_specific.h"
+#include "net/base/net_errors.h"
+#include "net/base/net_export.h"
+namespace net {
+// Helper class for RAII-style management of the global count of "open UDP
+// sockets" [1] in the process.
+//
+// Keeping OwnedUDPSocketCount alive increases the global socket counter by 1.
+// When it goes out of scope - or is explicitly Reset() - the reference is
+// returned to the global counter.
+class NET_EXPORT OwnedUDPSocketCount {
+ public:
+  // The default constructor builds an empty OwnedUDPSocketCount (does not own a
+  // count).
+  OwnedUDPSocketCount();
+  // Any count held by OwnedUDPSocketCount is transferred when moving.
+  OwnedUDPSocketCount(OwnedUDPSocketCount&&);
+  OwnedUDPSocketCount& operator=(OwnedUDPSocketCount&&);
+  // This is a move-only type.
+  OwnedUDPSocketCount(const OwnedUDPSocketCount&) = delete;
+  OwnedUDPSocketCount& operator=(const OwnedUDPSocketCount&) = delete;
+  ~OwnedUDPSocketCount();
+  // Returns false if this instance "owns" a socket count. In
+  // other words, when |empty()|, destruction of |this| will
+  // not change the global socket count.
+  bool empty() const { return empty_; }
+  // Resets |this| to an empty state (|empty()| becomes true after
+  // calling this). If |this| was previously |!empty()|, the global
+  // socket count will be decremented.
+  void Reset();
+ private:
+  // Only TryAcquireGlobalUDPSocketCount() is allowed to construct a non-empty
+  // OwnedUDPSocketCount.
+  friend NET_EXPORT OwnedUDPSocketCount TryAcquireGlobalUDPSocketCount();
+  explicit OwnedUDPSocketCount(bool empty);
+  bool empty_;
+};
+// Attempts to increase the global "open UDP socket" [1] count.
+//
+// * On failure returns an OwnedUDPSocketCount that is |empty()|. This happens
+//   if the global socket limit has been reached.
+// * On success returns an OwnedUDPSocketCount that is |!empty()|. This
+//   OwnedUDPSocketCount should be kept alive until the socket resource is
+//   released.
+//
+// [1] For simplicity, an "open UDP socket" is defined as a net::UDPSocket that
+// successfully called Open(), and has not yet called Close(). This is
+// analogous to the number of open platform socket handles, and in practice
+// should also be a good proxy for the number of consumed UDP ports.
+NET_EXPORT OwnedUDPSocketCount TryAcquireGlobalUDPSocketCount()
+    WARN_UNUSED_RESULT;
+// Returns the current count of open UDP sockets (for testing only).
+NET_EXPORT int GetGlobalUDPSocketCountForTesting();
+}  // namespace net
+#endif  // NET_SOCKET_UDP_SOCKET_GLOBAL_LIMITS_H_
--- a/net/socket/udp_socket_posix.cc
+++ b/net/socket/udp_socket_posix.cc
@@ -215,6 +215,10 @@ int UDPSocketPosix::Open(AddressFamily address_family) {
  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
  DCHECK_EQ(socket_, kInvalidSocket);
+  auto owned_socket_count = TryAcquireGlobalUDPSocketCount();
+  if (owned_socket_count.empty())
+    return ERR_INSUFFICIENT_RESOURCES;
  addr_family_ = ConvertAddressFamily(address_family);
  socket_ = CreatePlatformSocket(addr_family_, SOCK_DGRAM, 0);
  if (socket_ == kInvalidSocket)
@@ -231,6 +235,8 @@ int UDPSocketPosix::Open(AddressFamily address_family) {
  }
  if (tag_ != SocketTag())
    tag_.Apply(socket_);
+  owned_socket_count_ = std::move(owned_socket_count);
  return OK;
 }
@@ -292,6 +298,8 @@ void UDPSocketPosix::ReceivedActivityMonitor::NetworkActivityMonitorIncrement(
 void UDPSocketPosix::Close() {
  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
+  owned_socket_count_.Reset();
  if (socket_ == kInvalidSocket)
    return;

--- a/net/socket/udp_socket_posix.h
+++ b/net/socket/udp_socket_posix.h
@@ -30,6 +30,7 @@
 #include "net/socket/diff_serv_code_point.h"
 #include "net/socket/socket_descriptor.h"
 #include "net/socket/socket_tag.h"
+#include "net/socket/udp_socket_global_limits.h"
 #include "net/traffic_annotation/network_traffic_annotation.h"
 #if defined(__ANDROID__) && defined(__aarch64__)
@@ -630,6 +631,10 @@ class NET_EXPORT UDPSocketPosix {
  // enable_experimental_recv_optimization() method.
  bool experimental_recv_optimization_enabled_;
+  // Manages decrementing the global open UDP socket counter when this
+  // UDPSocket is destroyed.
+  OwnedUDPSocketCount owned_socket_count_;
  THREAD_CHECKER(thread_checker_);
  // Used for alternate writes that are posted for concurrent execution.

--- a/net/socket/udp_socket_unittest.cc
+++ b/net/socket/udp_socket_unittest.cc
@@ -14,8 +14,12 @@
 #include "base/scoped_clear_last_error.h"
 #include "base/single_thread_task_runner.h"
 #include "base/stl_util.h"
+#include "base/strings/string_number_conversions.h"
+#include "base/test/scoped_feature_list.h"
+#include "base/threading/thread.h"
 #include "base/threading/thread_task_runner_handle.h"
 #include "build/build_config.h"
+#include "net/base/features.h"
 #include "net/base/io_buffer.h"
 #include "net/base/ip_address.h"
 #include "net/base/ip_endpoint.h"
@@ -29,6 +33,7 @@
 #include "net/socket/socket_test_util.h"
 #include "net/socket/udp_client_socket.h"
 #include "net/socket/udp_server_socket.h"
+#include "net/socket/udp_socket_global_limits.h"
 #include "net/test/gtest_util.h"
 #include "net/test/test_with_task_environment.h"
 #include "net/traffic_annotation/network_traffic_annotation_test_helper.h"
@@ -1371,4 +1376,140 @@ TEST_F(UDPSocketTest, Tag) {
 }
 #endif
+// Scoped helper to override the process-wide UDP socket limit.
+class OverrideUDPSocketLimit {
+ public:
+  explicit OverrideUDPSocketLimit(int new_limit) {
+    base::FieldTrialParams params;
+    params[features::kLimitOpenUDPSocketsMax.name] =
+        base::NumberToString(new_limit);
+    scoped_feature_list_.InitAndEnableFeatureWithParameters(
+        features::kLimitOpenUDPSockets, params);
+  }
+ private:
+  base::test::ScopedFeatureList scoped_feature_list_;
+};
+// Tests that UDPClientSocket respects the global UDP socket limits.
+TEST_F(UDPSocketTest, LimitClientSocket) {
+  // Reduce the global UDP limit to 2.
+  OverrideUDPSocketLimit set_limit(2);
+  ASSERT_EQ(0, GetGlobalUDPSocketCountForTesting());
+  auto socket1 = std::make_unique<UDPClientSocket>(DatagramSocket::DEFAULT_BIND,
+                                                   nullptr, NetLogSource());
+  auto socket2 = std::make_unique<UDPClientSocket>(DatagramSocket::DEFAULT_BIND,
+                                                   nullptr, NetLogSource());
+  // Simply constructing a UDPClientSocket does not increase the limit (no
+  // Connect() or Bind() has been called yet).
+  ASSERT_EQ(0, GetGlobalUDPSocketCountForTesting());
+  // The specific value of this address doesn't really matter, and no server
+  // needs to be running here. The test only needs to call Connect() and won't
+  // send any datagrams.
+  IPEndPoint server_address(IPAddress::IPv4Localhost(), 8080);
+  // Successful Connect() on socket1 increases socket count.
+  EXPECT_THAT(socket1->Connect(server_address), IsOk());
+  EXPECT_EQ(1, GetGlobalUDPSocketCountForTesting());
+  // Successful Connect() on socket2 increases socket count.
+  EXPECT_THAT(socket2->Connect(server_address), IsOk());
+  EXPECT_EQ(2, GetGlobalUDPSocketCountForTesting());
+  // Attempting a third Connect() should fail with ERR_INSUFFICIENT_RESOURCES,
+  // as the limit is currently 2.
+  auto socket3 = std::make_unique<UDPClientSocket>(DatagramSocket::DEFAULT_BIND,
+                                                   nullptr, NetLogSource());
+  EXPECT_THAT(socket3->Connect(server_address),
+              IsError(ERR_INSUFFICIENT_RESOURCES));
+  EXPECT_EQ(2, GetGlobalUDPSocketCountForTesting());
+  // Check that explicitly closing socket2 free up a count.
+  socket2->Close();
+  EXPECT_EQ(1, GetGlobalUDPSocketCountForTesting());
+  // Since the socket was already closed, deleting it will not affect the count.
+  socket2.reset();
+  EXPECT_EQ(1, GetGlobalUDPSocketCountForTesting());
+  // Now that the count is below limit, try to connect socket3 again. This time
+  // it will work.
+  EXPECT_THAT(socket3->Connect(server_address), IsOk());
+  EXPECT_EQ(2, GetGlobalUDPSocketCountForTesting());
+  // Verify that closing the two remaining sockets brings the open count back to
+  // 0.
+  socket1.reset();
+  EXPECT_EQ(1, GetGlobalUDPSocketCountForTesting());
+  socket3.reset();
+  EXPECT_EQ(0, GetGlobalUDPSocketCountForTesting());
+}
+// Tests that UDPSocketClient updates the global counter
+// correctly when Connect() fails.
+TEST_F(UDPSocketTest, LimitConnectFail) {
+  ASSERT_EQ(0, GetGlobalUDPSocketCountForTesting());
+  {
+    // Simply allocating a UDPSocket does not increase count.
+    UDPSocket socket(DatagramSocket::DEFAULT_BIND, nullptr, NetLogSource());
+    EXPECT_EQ(0, GetGlobalUDPSocketCountForTesting());
+    // Calling Open() allocates the socket and increases the global counter.
+    EXPECT_THAT(socket.Open(ADDRESS_FAMILY_IPV4), IsOk());
+    EXPECT_EQ(1, GetGlobalUDPSocketCountForTesting());
+    // Connect to an IPv6 address should fail since the socket was created for
+    // IPv4.
+    EXPECT_THAT(socket.Connect(net::IPEndPoint(IPAddress::IPv6Localhost(), 53)),
+                Not(IsOk()));
+    // That Connect() failed doesn't change the global counter.
+    EXPECT_EQ(1, GetGlobalUDPSocketCountForTesting());
+  }
+  // Finally, destroying UDPSocket decrements the global counter.
+  EXPECT_EQ(0, GetGlobalUDPSocketCountForTesting());
+}
+// Tests allocating UDPClientSockets and Connect()ing them in parallel.
+//
+// This is primarily intended for coverage under TSAN, to check for races
+// enforcing the global socket counter.
+TEST_F(UDPSocketTest, LimitConnectMultithreaded) {
+  ASSERT_EQ(0, GetGlobalUDPSocketCountForTesting());
+  // Start up some threads.
+  std::vector<std::unique_ptr<base::Thread>> threads;
+  for (size_t i = 0; i < 5; ++i) {
+    threads.push_back(std::make_unique<base::Thread>("Worker thread"));
+    ASSERT_TRUE(threads.back()->Start());
+  }
+  // Post tasks to each of the threads.
+  for (const auto& thread : threads) {
+    thread->task_runner()->PostTask(
+        FROM_HERE, base::BindOnce([] {
+          // The specific value of this address doesn't really matter, and no
+          // server needs to be running here. The test only needs to call
+          // Connect() and won't send any datagrams.
+          IPEndPoint server_address(IPAddress::IPv4Localhost(), 8080);
+          UDPClientSocket socket(DatagramSocket::DEFAULT_BIND, nullptr,
+                                 NetLogSource());
+          EXPECT_THAT(socket.Connect(server_address), IsOk());
+        }));
+  }
+  // Complete all the tasks.
+  threads.clear();
+  EXPECT_EQ(0, GetGlobalUDPSocketCountForTesting());
+}
 }  // namespace net
--- a/net/socket/udp_socket_win.cc
+++ b/net/socket/udp_socket_win.cc
@@ -273,6 +273,10 @@ int UDPSocketWin::Open(AddressFamily address_family) {
  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
  DCHECK_EQ(socket_, INVALID_SOCKET);
+  auto owned_socket_count = TryAcquireGlobalUDPSocketCount();
+  if (owned_socket_count.empty())
+    return ERR_INSUFFICIENT_RESOURCES;
  addr_family_ = ConvertAddressFamily(address_family);
  socket_ = CreatePlatformSocket(addr_family_, SOCK_DGRAM, IPPROTO_UDP);
  if (socket_ == INVALID_SOCKET)
@@ -283,12 +287,16 @@ int UDPSocketWin::Open(AddressFamily address_family) {
    read_write_event_.Set(WSACreateEvent());
    WSAEventSelect(socket_, read_write_event_.Get(), FD_READ | FD_WRITE);
  }
+  owned_socket_count_ = std::move(owned_socket_count);
  return OK;
 }
 void UDPSocketWin::Close() {
  DCHECK_CALLED_ON_VALID_THREAD(thread_checker_);
+  owned_socket_count_.Reset();
  if (socket_ == INVALID_SOCKET)
    return;

--- a/net/socket/udp_socket_win.h
+++ b/net/socket/udp_socket_win.h
@@ -28,6 +28,7 @@
 #include "net/log/net_log_with_source.h"
 #include "net/socket/datagram_socket.h"
 #include "net/socket/diff_serv_code_point.h"
+#include "net/socket/udp_socket_global_limits.h"
 #include "net/traffic_annotation/network_traffic_annotation.h"
 namespace net {
@@ -485,6 +486,10 @@ class NET_EXPORT UDPSocketWin : public base::win::ObjectWatcher::Delegate {
  // Maintains remote addresses for QWAVE qos management.
  std::unique_ptr<DscpManager> dscp_manager_;
+  // Manages decrementing the global open UDP socket counter when this
+  // UDPSocket is destroyed.
+  OwnedUDPSocketCount owned_socket_count_;
  THREAD_CHECKER(thread_checker_);
  // Used to prevent null dereferences in OnObjectSignaled, when passing an