summaryrefslogtreecommitdiff
path: root/net
diff options
context:
space:
mode:
authorJohn Fastabend <john.fastabend@gmail.com>2020-11-17 01:29:28 +0300
committerDaniel Borkmann <daniel@iogearbox.net>2020-11-18 02:14:04 +0300
commit4363023d2668e621b0743db351a9555d6e6ea57e (patch)
treeaf1536961c439659efc1310db414eaece5c8a849 /net
parent2443ca66676d50a4eb3305c236bccd84a9828ce2 (diff)
downloadlinux-4363023d2668e621b0743db351a9555d6e6ea57e.tar.xz
bpf, sockmap: Avoid failures from skb_to_sgvec when skb has frag_list
When skb has a frag_list its possible for skb_to_sgvec() to fail. This happens when the scatterlist has fewer elements to store pages than would be needed for the initial skb plus any of its frags. This case appears rare, but is possible when running an RX parser/verdict programs exposed to the internet. Currently, when this happens we throw an error, break the pipe, and kfree the msg. This effectively breaks the application or forces it to do a retry. Lets catch this case and handle it by doing an skb_linearize() on any skb we receive with frags. At this point skb_to_sgvec should not fail because the failing conditions would require frags to be in place. Fixes: 604326b41a6fb ("bpf, sockmap: convert to generic sk_msg interface") Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com> Link: https://lore.kernel.org/bpf/160556576837.73229.14800682790808797635.stgit@john-XPS-13-9370
Diffstat (limited to 'net')
-rw-r--r--net/core/skmsg.c11
1 files changed, 9 insertions, 2 deletions
diff --git a/net/core/skmsg.c b/net/core/skmsg.c
index 514bc9f6f8ae..25cdbb20f3a0 100644
--- a/net/core/skmsg.c
+++ b/net/core/skmsg.c
@@ -423,9 +423,16 @@ static int sk_psock_skb_ingress_enqueue(struct sk_buff *skb,
struct sock *sk,
struct sk_msg *msg)
{
- int num_sge = skb_to_sgvec(skb, msg->sg.data, 0, skb->len);
- int copied;
+ int num_sge, copied;
+ /* skb linearize may fail with ENOMEM, but lets simply try again
+ * later if this happens. Under memory pressure we don't want to
+ * drop the skb. We need to linearize the skb so that the mapping
+ * in skb_to_sgvec can not error.
+ */
+ if (skb_linearize(skb))
+ return -EAGAIN;
+ num_sge = skb_to_sgvec(skb, msg->sg.data, 0, skb->len);
if (unlikely(num_sge < 0)) {
kfree(msg);
return num_sge;