queue-4.4/tcp-dccp-drop-syn-packets-if-accept-queue-is-full.patch

   1 From 5ea8ea2cb7f1d0db15762c9b0bb9e7330425a071 Mon Sep 17 00:00:00 2001
   2 From: Eric Dumazet <edumazet@google.com>
   3 Date: Wed, 26 Oct 2016 09:27:57 -0700
   4 Subject: tcp/dccp: drop SYN packets if accept queue is full
   5
   6 From: Eric Dumazet <edumazet@google.com>
   7
   8 commit 5ea8ea2cb7f1d0db15762c9b0bb9e7330425a071 upstream.
   9
  10 Per listen(fd, backlog) rules, there is really no point accepting a SYN,
  11 sending a SYNACK, and dropping the following ACK packet if accept queue
  12 is full, because application is not draining accept queue fast enough.
  13
  14 This behavior is fooling TCP clients that believe they established a
  15 flow, while there is nothing at server side. They might then send about
  16 10 MSS (if using IW10) that will be dropped anyway while server is under
  17 stress.
  18
  19 Signed-off-by: Eric Dumazet <edumazet@google.com>
  20 Acked-by: Neal Cardwell <ncardwell@google.com>
  21 Acked-by: Yuchung Cheng <ycheng@google.com>
  22 Signed-off-by: David S. Miller <davem@davemloft.net>
  23 Signed-off-by: Arnd Bergmann <arnd@arndb.de>
  24 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  25
  26
  27 ---
  28  include/net/inet_connection_sock.h |    5 -----
  29  net/dccp/ipv4.c                    |    8 +-------
  30  net/dccp/ipv6.c                    |    2 +-
  31  net/ipv4/tcp_input.c               |    8 +-------
  32  4 files changed, 3 insertions(+), 20 deletions(-)
  33
  34 --- a/include/net/inet_connection_sock.h
  35 +++ b/include/net/inet_connection_sock.h
  36 @@ -289,11 +289,6 @@ static inline int inet_csk_reqsk_queue_l
  37         return reqsk_queue_len(&inet_csk(sk)->icsk_accept_queue);
  38  }
  39
  40 -static inline int inet_csk_reqsk_queue_young(const struct sock *sk)
  41 -{
  42 -       return reqsk_queue_len_young(&inet_csk(sk)->icsk_accept_queue);
  43 -}
  44 -
  45  static inline int inet_csk_reqsk_queue_is_full(const struct sock *sk)
  46  {
  47         return inet_csk_reqsk_queue_len(sk) >= sk->sk_max_ack_backlog;
  48 --- a/net/dccp/ipv4.c
  49 +++ b/net/dccp/ipv4.c
  50 @@ -592,13 +592,7 @@ int dccp_v4_conn_request(struct sock *sk
  51         if (inet_csk_reqsk_queue_is_full(sk))
  52                 goto drop;
  53
  54 -       /*
  55 -        * Accept backlog is full. If we have already queued enough
  56 -        * of warm entries in syn queue, drop request. It is better than
  57 -        * clogging syn queue with openreqs with exponentially increasing
  58 -        * timeout.
  59 -        */
  60 -       if (sk_acceptq_is_full(sk) && inet_csk_reqsk_queue_young(sk) > 1)
  61 +       if (sk_acceptq_is_full(sk))
  62                 goto drop;
  63
  64         req = inet_reqsk_alloc(&dccp_request_sock_ops, sk, true);
  65 --- a/net/dccp/ipv6.c
  66 +++ b/net/dccp/ipv6.c
  67 @@ -324,7 +324,7 @@ static int dccp_v6_conn_request(struct s
  68         if (inet_csk_reqsk_queue_is_full(sk))
  69                 goto drop;
  70
  71 -       if (sk_acceptq_is_full(sk) && inet_csk_reqsk_queue_young(sk) > 1)
  72 +       if (sk_acceptq_is_full(sk))
  73                 goto drop;
  74
  75         req = inet_reqsk_alloc(&dccp6_request_sock_ops, sk, true);
  76 --- a/net/ipv4/tcp_input.c
  77 +++ b/net/ipv4/tcp_input.c
  78 @@ -6305,13 +6305,7 @@ int tcp_conn_request(struct request_sock
  79                         goto drop;
  80         }
  81
  82 -
  83 -       /* Accept backlog is full. If we have already queued enough
  84 -        * of warm entries in syn queue, drop request. It is better than
  85 -        * clogging syn queue with openreqs with exponentially increasing
  86 -        * timeout.
  87 -        */
  88 -       if (sk_acceptq_is_full(sk) && inet_csk_reqsk_queue_young(sk) > 1) {
  89 +       if (sk_acceptq_is_full(sk)) {
  90                 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_LISTENOVERFLOWS);
  91                 goto drop;
  92         }