Re: [PATCH net v2 1/1] net/sched: fix pedit partial COW leading to page cache corruption

[Toke Høiland-Jørgensen]

Jamal Hadi Salim <jhs@xxxxxxxxxxxx> writes:

>  &&
>
> On Tue, May 26, 2026 at 3:22 PM Toke Høiland-Jørgensen <toke@xxxxxxxxxx> wrote:
>>
>> Jamal Hadi Salim <jhs@xxxxxxxxxxxx> writes:
>>
>> > From: Rajat Gupta <rajat.gupta@xxxxxxxxxxxxxxxx>
>> >
>> > tcf_pedit_act() computes the COW range for skb_ensure_writable()
>> > once before the key loop using tcfp_off_max_hint, but the hint does
>> > not account for the runtime header offset added by typed keys. This
>> > can leave part of the write region un-COW'd.
>> >
>> > Fix by moving skb_ensure_writable() inside the per-key loop where
>> > the actual write offset is known, and add overflow checking on the
>> > offset arithmetic. For negative offsets (e.g. Ethernet header edits
>> > at ingress), use skb_cow() to COW the headroom instead. Guard
>> > offset_valid() against INT_MIN, where negation is undefined.
>> >
>> > Additionally, linearize skbs with shared frags upfront to prevent
>> > silent data corruption when pedit operates on zero-copy pages
>> > (e.g. from sendfile).
>> >
>> > Fixes: 8b796475fd78 ("net/sched: act_pedit: really ensure the skb is writable")
>> > Reported-by: Yiming Qian <yimingqian591@xxxxxxxxx>
>> > Reported-by: Keenan Dong <keenanat2000@xxxxxxxxx>
>> > Reported-by: Han Guidong <2045gemini@xxxxxxxxx>
>> > Reported-by: Zhang Cen <rollkingzzc@xxxxxxxxx>
>> > Tested-by: Victor Nogueira <victor@xxxxxxxxxxxx>
>> > Acked-by: Jamal Hadi Salim <jhs@xxxxxxxxxxxx>
>> > Signed-off-by: Rajat Gupta <rajat.gupta@xxxxxxxxxxxxxxxx>
>>
>> Re-ran the tests, and everything looks good, so:
>>
>> Tested-by: Toke Høiland-Jørgensen <toke@xxxxxxxxxx>
>>
>> Also looked at the code, and I have a few nits below, but I'm really
>> nitpicking here, so whether you end up fixing those or not:
>>
>> Reviewed-by: Toke Høiland-Jørgensen <toke@xxxxxxxxxx>
>>
>>
>> [...]
>>
>> > @@ -323,7 +324,7 @@ static bool offset_valid(struct sk_buff *skb, int offset)
>> >       if (offset > 0 && offset > skb->len)
>> >               return false;
>> >
>> > -     if  (offset < 0 && -offset > skb_headroom(skb))
>> > +     if (offset < 0 && offset < -(int)skb_headroom(skb))
>> >               return false;
>>
>> This change makes it really obvious that this is really just:
>>
>>         if (offset < -(int)skb_headroom(skb))
>>                 return false;
>>
>> so, well, that would be clearer, IMO.
>>
>> But then I guess the same could be said of the positive case, so:
>>
>> static bool offset_valid(struct sk_buff *skb, int offset)
>> {
>>         if (offset > skb->len || offset < -(int)skb_headroom(skb))
>>                 return false;
>>
>>         return true;
>> }
>>
>
> Yes, that improves readability. If i understood the discussion between
> you and David L. something like this one liner would be reasonable?
>
> if (offset > (int)skb->len || offset < -(int)skb_headroom(skb))

Yes, I believe that one is correct wrt the integer conversion rules.

>> > @@ -393,18 +394,10 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
>> >       struct tcf_pedit_key_ex *tkey_ex;
>> >       struct tcf_pedit_parms *parms;
>> >       struct tc_pedit_key *tkey;
>> > -     u32 max_offset;
>> >       int i;
>> >
>> >       parms = rcu_dereference_bh(p->parms);
>> >
>> > -     max_offset = (skb_transport_header_was_set(skb) ?
>> > -                   skb_transport_offset(skb) :
>> > -                   skb_network_offset(skb)) +
>> > -                  parms->tcfp_off_max_hint;
>> > -     if (skb_ensure_writable(skb, min(skb->len, max_offset)))
>> > -             goto done;
>> > -
>> >       tcf_lastuse_update(&p->tcf_tm);
>> >       tcf_action_update_bstats(&p->common, skb);
>> >
>> > @@ -412,9 +405,10 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
>> >       tkey_ex = parms->tcfp_keys_ex;
>> >
>> >       for (i = parms->tcfp_nkeys; i > 0; i--, tkey++) {
>> > +             int write_offset, write_len;
>> >               int offset = tkey->off;
>> >               int hoffset = 0;
>> > -             u32 *ptr, hdata;
>> > +             u32 *ptr;
>> >               u32 val;
>> >               int rc;
>> >
>> > @@ -451,15 +445,38 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
>> >                       }
>> >               }
>> >
>> > -             if (!offset_valid(skb, hoffset + offset)) {
>> > -                     pr_info_ratelimited("tc action pedit offset %d out of bounds\n", hoffset + offset);
>> > +             if (unlikely(check_add_overflow(hoffset, offset,
>>
>> It's a bit weird that this has the unlikely(), but the offset_valid()
>> check doesn't?
>>
>
> I focused on the bigger solution and worried more about timeliness to
> get this patch in - but it seems the distros had already picked up the
> first posted patch, so hakuna matata (Still, I should have caught
> these unlikelies ;->). Yes on the second one you pointed out.
> Will remove them.

Cool.

>> > +                                             &write_offset))) {
>> > +                     pr_info_ratelimited("tc action pedit offset overflow\n");
>> >                       goto bad;
>> >               }
>> >
>> > -             ptr = skb_header_pointer(skb, hoffset + offset,
>> > -                                      sizeof(hdata), &hdata);
>> > -             if (!ptr)
>> > +             if (!offset_valid(skb, write_offset)) {
>> > +                     pr_info_ratelimited("tc action pedit offset %d out of bounds\n",
>> > +                                         write_offset);
>> >                       goto bad;
>> > +             }
>> > +
>> > +             if (write_offset < 0) {
>> > +                     if (skb_cow(skb, -write_offset))
>> > +                             goto bad;
>> > +                     if (write_offset + (int)sizeof(*ptr) > 0) {
>> > +                             if (skb_ensure_writable(skb,
>> > +                                                     min(skb->len,
>> > +                                                         write_offset + sizeof(*ptr))))
>>
>> Combining these with && instead of the double indentation would be more
>> readable IMO (shorter lines, aligning the 'goto bad' labels).
>
> hrm. So:
> if ((write_offset < 0 && ((skb_cow(skb, -write_offset)) &&
> (write_offset + (int)sizeof(*ptr) > 0) &&
> (skb_ensure_writable(skb,min(skb->len,write_offset + sizeof(*ptr)))) {
>             goto bad;
> else {
>   ...
> }
>
> Not sure which is more readable.

No, I meant just collapsing the two inner levels - this, on top of your
patch:

diff --git i/net/sched/act_pedit.c w/net/sched/act_pedit.c
index 719bee335e1f..eb61d73730c4 100644
--- i/net/sched/act_pedit.c
+++ w/net/sched/act_pedit.c
@@ -460,12 +460,11 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
                if (write_offset < 0) {
                        if (skb_cow(skb, -write_offset))
                                goto bad;
-                       if (write_offset + (int)sizeof(*ptr) > 0) {
-                               if (skb_ensure_writable(skb,
-                                                       min(skb->len,
-                                                           write_offset + sizeof(*ptr))))
-                                       goto bad;
-                       }
+                       if (write_offset + (int)sizeof(*ptr) > 0 &&
+                           skb_ensure_writable(skb,
+                                               min(skb->len,
+                                                   write_offset + sizeof(*ptr))))
+                               goto bad;
                } else {
                        if (unlikely(check_add_overflow(write_offset,
                                                        (int)sizeof(*ptr),

(You could do the other thing you suggested, but as you point out that
quickly becomes a too dense soup of && :)

-Toke