Re: [PATCH net v2 1/1] net/sched: fix pedit partial COW leading to page cache corruption

[David Laight]

On Tue, 26 May 2026 21:22:52 +0200
Toke Høiland-Jørgensen <toke@xxxxxxxxxx> wrote:

> Jamal Hadi Salim <jhs@xxxxxxxxxxxx> writes:
> 
> > From: Rajat Gupta <rajat.gupta@xxxxxxxxxxxxxxxx>
> >
> > tcf_pedit_act() computes the COW range for skb_ensure_writable()
> > once before the key loop using tcfp_off_max_hint, but the hint does
> > not account for the runtime header offset added by typed keys. This
> > can leave part of the write region un-COW'd.
> >
> > Fix by moving skb_ensure_writable() inside the per-key loop where
> > the actual write offset is known, and add overflow checking on the
> > offset arithmetic. For negative offsets (e.g. Ethernet header edits
> > at ingress), use skb_cow() to COW the headroom instead. Guard
> > offset_valid() against INT_MIN, where negation is undefined.
> >
> > Additionally, linearize skbs with shared frags upfront to prevent
> > silent data corruption when pedit operates on zero-copy pages
> > (e.g. from sendfile).
> >
> > Fixes: 8b796475fd78 ("net/sched: act_pedit: really ensure the skb is writable")
> > Reported-by: Yiming Qian <yimingqian591@xxxxxxxxx>
> > Reported-by: Keenan Dong <keenanat2000@xxxxxxxxx>
> > Reported-by: Han Guidong <2045gemini@xxxxxxxxx>
> > Reported-by: Zhang Cen <rollkingzzc@xxxxxxxxx>
> > Tested-by: Victor Nogueira <victor@xxxxxxxxxxxx>
> > Acked-by: Jamal Hadi Salim <jhs@xxxxxxxxxxxx>
> > Signed-off-by: Rajat Gupta <rajat.gupta@xxxxxxxxxxxxxxxx>  
> 
> Re-ran the tests, and everything looks good, so:
> 
> Tested-by: Toke Høiland-Jørgensen <toke@xxxxxxxxxx>
> 
> Also looked at the code, and I have a few nits below, but I'm really
> nitpicking here, so whether you end up fixing those or not:
> 
> Reviewed-by: Toke Høiland-Jørgensen <toke@xxxxxxxxxx>
> 
> 
> [...]
> 
> > @@ -323,7 +324,7 @@ static bool offset_valid(struct sk_buff *skb, int offset)
> >  	if (offset > 0 && offset > skb->len)
> >  		return false;
> >  
> > -	if  (offset < 0 && -offset > skb_headroom(skb))
> > +	if (offset < 0 && offset < -(int)skb_headroom(skb))
> >  		return false;  
> 
> This change makes it really obvious that this is really just:
> 
> 	if (offset < -(int)skb_headroom(skb))
>   		return false;
> 
> so, well, that would be clearer, IMO.
> 
> But then I guess the same could be said of the positive case, so:
> 
> static bool offset_valid(struct sk_buff *skb, int offset)
> {
> 	if (offset > skb->len || offset < -(int)skb_headroom(skb))
> 		return false;
> 
> 	return true;
> }

There are all sorts of integer conversions going on.
IIRC Both skb->len and skb_headroom() are 32bit unsigned.
skb_headroom() is relatively small, skb->len can be over 64k but nowhere
near MAX_INT.
offset is signed 32bit and the code is allowing for it being -MAX_INT
(but I'm not at all sure whether that can happen without overflow being likely).

So I think the single test:
	if (offset + skb_headroom(skb) >= skb->len + skb_headroom(skb))
		return false;
is correct.
If offset is 'too negative' the LHS will be 'very large postitive' and
the test fails.

-- David

> 
> > @@ -393,18 +394,10 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
> >  	struct tcf_pedit_key_ex *tkey_ex;
> >  	struct tcf_pedit_parms *parms;
> >  	struct tc_pedit_key *tkey;
> > -	u32 max_offset;
> >  	int i;
> >  
> >  	parms = rcu_dereference_bh(p->parms);
> >  
> > -	max_offset = (skb_transport_header_was_set(skb) ?
> > -		      skb_transport_offset(skb) :
> > -		      skb_network_offset(skb)) +
> > -		     parms->tcfp_off_max_hint;
> > -	if (skb_ensure_writable(skb, min(skb->len, max_offset)))
> > -		goto done;
> > -
> >  	tcf_lastuse_update(&p->tcf_tm);
> >  	tcf_action_update_bstats(&p->common, skb);
> >  
> > @@ -412,9 +405,10 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
> >  	tkey_ex = parms->tcfp_keys_ex;
> >  
> >  	for (i = parms->tcfp_nkeys; i > 0; i--, tkey++) {
> > +		int write_offset, write_len;
> >  		int offset = tkey->off;
> >  		int hoffset = 0;
> > -		u32 *ptr, hdata;
> > +		u32 *ptr;
> >  		u32 val;
> >  		int rc;
> >  
> > @@ -451,15 +445,38 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
> >  			}
> >  		}
> >  
> > -		if (!offset_valid(skb, hoffset + offset)) {
> > -			pr_info_ratelimited("tc action pedit offset %d out of bounds\n", hoffset + offset);
> > +		if (unlikely(check_add_overflow(hoffset, offset,  
> 
> It's a bit weird that this has the unlikely(), but the offset_valid()
> check doesn't?
> 
> > +						&write_offset))) {
> > +			pr_info_ratelimited("tc action pedit offset overflow\n");
> >  			goto bad;
> >  		}
> >  
> > -		ptr = skb_header_pointer(skb, hoffset + offset,
> > -					 sizeof(hdata), &hdata);
> > -		if (!ptr)
> > +		if (!offset_valid(skb, write_offset)) {
> > +			pr_info_ratelimited("tc action pedit offset %d out of bounds\n",
> > +					    write_offset);
> >  			goto bad;
> > +		}
> > +
> > +		if (write_offset < 0) {
> > +			if (skb_cow(skb, -write_offset))
> > +				goto bad;
> > +			if (write_offset + (int)sizeof(*ptr) > 0) {
> > +				if (skb_ensure_writable(skb,
> > +							min(skb->len,
> > +							    write_offset + sizeof(*ptr))))  
> 
> Combining these with && instead of the double indentation would be more
> readable IMO (shorter lines, aligning the 'goto bad' labels).
> 
> > +					goto bad;
> > +			}
> > +		} else {
> > +			if (unlikely(check_add_overflow(write_offset,
> > +							(int)sizeof(*ptr),
> > +							&write_len)))  
> 
> Same comment wrt unlikely()
>