net: sk_add_backlog() take rmem_alloc into account

Current socket backlog limit is not enough to really stop DDOS attacks,
because user thread spend many time to process a full backlog each
round, and user might crazy spin on socket lock.

We should add backlog size and receive_queue size (aka rmem_alloc) to
pace writers, and let user run without being slow down too much.

Introduce a sk_rcvqueues_full() helper, to avoid taking socket lock in
stress situations.

Under huge stress from a multiqueue/RPS enabled NIC, a single flow udp
receiver can now process ~200.000 pps (instead of ~100 pps before the
patch) on a 8 core machine.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

4 files changed, 16 insertions, 4 deletions

diff --git a/net/core/sock.c b/net/core/sock.c
index 58ebd146ce5a..51041759517e 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -327,6 +327,10 @@ int sk_receive_skb(struct sock *sk, struct sk_buff *skb, const int nested)
 
         skb->dev = NULL;
 
+        if (sk_rcvqueues_full(sk, skb)) {
+                atomic_inc(&sk->sk_drops);
+                goto discard_and_relse;
+        }
         if (nested)
                 bh_lock_sock_nested(sk);
         else
@@ -1885,7 +1889,6 @@ void sock_init_data(struct socket *sock, struct sock *sk)
         sk->sk_allocation       =       GFP_KERNEL;
         sk->sk_rcvbuf           =       sysctl_rmem_default;
         sk->sk_sndbuf           =       sysctl_wmem_default;
-        sk->sk_backlog.limit    =       sk->sk_rcvbuf << 1;
         sk->sk_state            =       TCP_CLOSE;
         sk_set_socket(sk, sock);
 
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index fa3d2874db41..63eb56b2d873 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1372,6 +1372,10 @@ int udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
                         goto drop;
         }
 
+
+        if (sk_rcvqueues_full(sk, skb))
+                goto drop;
+
         rc = 0;
 
         bh_lock_sock(sk);
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index 2850e35cee3d..3ead20ad9d07 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -584,6 +584,10 @@ static void flush_stack(struct sock **stack, unsigned int count,
 
                 sk = stack[i];
                 if (skb1) {
+                        if (sk_rcvqueues_full(sk, skb)) {
+                                kfree_skb(skb1);
+                                goto drop;
+                        }
                         bh_lock_sock(sk);
                         if (!sock_owned_by_user(sk))
                                 udpv6_queue_rcv_skb(sk, skb1);
@@ -759,6 +763,10 @@ int __udp6_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
 
         /* deliver */
 
+        if (sk_rcvqueues_full(sk, skb)) {
+                sock_put(sk);
+                goto discard;
+        }
         bh_lock_sock(sk);
         if (!sock_owned_by_user(sk))
                 udpv6_queue_rcv_skb(sk, skb);
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index f34adcca8a8c..13d8229f3a9c 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -3721,9 +3721,6 @@ SCTP_STATIC int sctp_init_sock(struct sock *sk)
         SCTP_DBG_OBJCNT_INC(sock);
         percpu_counter_inc(&sctp_sockets_allocated);
 
-        /* Set socket backlog limit. */
-        sk->sk_backlog.limit = sysctl_sctp_rmem[1];
-
         local_bh_disable();
         sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1);
         local_bh_enable();