Re: [PATCH net v3 1/1] net/sched: fix pedit partial COW leading to page cache corruption

Next message: K Prateek Nayak: "[PATCH 4/5] sched/fair: Move the throttled tasks to a local list in tg_unthrottle_up()"
Previous message: Alexander Koskovich: "[PATCH v7 4/6] drm/msm/adreno: set cx_misc_mmio regardless of if platform has LLCC"
In reply to: Han Guidong: "Re: [PATCH net v3 1/1] net/sched: fix pedit partial COW leading to page cache corruption"
Next in thread: Jamal Hadi Salim: "Re: [PATCH net v3 1/1] net/sched: fix pedit partial COW leading to page cache corruption"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Toke Høiland-Jørgensen

Date: Thu May 28 2026 - 06:03:17 EST

Jamal Hadi Salim <jhs@xxxxxxxxxxxx> writes:

> From: Rajat Gupta <rajat.gupta@xxxxxxxxxxxxxxxx>
>
> tcf_pedit_act() computes the COW range for skb_ensure_writable()
> once before the key loop using tcfp_off_max_hint, but the hint does
> not account for the runtime header offset added by typed keys. This
> can leave part of the write region un-COW'd.
>
> Fix by moving skb_ensure_writable() inside the per-key loop where
> the actual write offset is known, and add overflow checking on the
> offset arithmetic. For negative offsets (e.g. Ethernet header edits
> at ingress), use skb_cow() to COW the headroom instead. Guard
> offset_valid() against INT_MIN, where negation is undefined.

So you did tell us not to nitpick, but...

> 2) Add more optimal boundary checks (Toke & David L.)

[..]

> - if (offset < 0 && -offset > skb_headroom(skb))
> + if (offset < 0 && offset < -(int)skb_headroom(skb))

Seems that bit of the changelog isn't actually accurate.

However, I don't think this matters, this version is not actually buggy;
so let's just get this merged, and we can code-golf the offset check on
top :)

I did re-run the tests on this version, and they look fine, so
re-affirming my tags.

-Toke