Re: [PATCH net v4 1/1] net/sched: fix pedit partial COW leading to page cache corruption
From: Toke Høiland-Jørgensen
Date: Sat May 30 2026 - 11:19:40 EST

Jamal Hadi Salim <jhs@xxxxxxxxxxxx> writes:
> From: Rajat Gupta <rajat.gupta@xxxxxxxxxxxxxxxx>
>
> tcf_pedit_act() computes the COW range for skb_ensure_writable()
> once before the key loop using tcfp_off_max_hint, but the hint does
> not account for the runtime header offset added by typed keys. This
> can leave part of the write region un-COW'd.
>
> Fix by moving skb_ensure_writable() inside the per-key loop where
> the actual write offset is known, and add overflow checking on the
> offset arithmetic. For negative offsets (e.g. Ethernet header edits
> at ingress), use skb_cow() to COW the headroom instead. Guard
> offset_valid() against INT_MIN, where negation is undefined.
>
> Fixes: 8b796475fd78 ("net/sched: act_pedit: really ensure the skb is writable")
> Reported-by: Yiming Qian <yimingqian591@xxxxxxxxx>
> Reported-by: Keenan Dong <keenanat2000@xxxxxxxxx>
> Reported-by: Han Guidong <2045gemini@xxxxxxxxx>
> Reported-by: Zhang Cen <rollkingzzc@xxxxxxxxx>
> Reviewed-by: Han Guidong <2045gemini@xxxxxxxxx>
> Tested-by: Han Guidong <2045gemini@xxxxxxxxx>
> Reviewed-by: Davide Caratti <dcaratti@xxxxxxxxxx>
> Tested-by: Davide Caratti <dcaratti@xxxxxxxxxx>
> Reviewed-by: Toke Høiland-Jørgensen <toke@xxxxxxxxxx>
> Tested-by: Toke Høiland-Jørgensen <toke@xxxxxxxxxx>
> Reviewed-by: Victor Nogueira <victor@xxxxxxxxxxxx>
> Tested-by: Victor Nogueira <victor@xxxxxxxxxxxx>
> Acked-by: Jamal Hadi Salim <jhs@xxxxxxxxxxxx>
> Signed-off-by: Rajat Gupta <rajat.gupta@xxxxxxxxxxxxxxxx>
> ---
> v3->v4
> 1) Restore the Fixes tag which was accidentally deleted in v3
> 2) Remove tcfp_off_max_hint as pointed out by sashiko [1]
> 3) Fix a boundary condition identified by sashiko [1]
> 4) Add unaligned access support to safely access ptr, to compensate for the
> removal of skb_header_pointer() / skb_store_bits(), which handled it fine
>
> [1] https://netdev-ai.bots.linux.dev/sashiko/#/patchset/20260527181731.1166373-1-jhs%40mojatatu.com

Re-tested and LGTM. Let's hope this is the last one ;)
-Toke
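
The range arithmetic described in the quoted commit message, as an added userspace model that is not part of the thread and not the kernel's code: it compares a writable range taken from a static hint with the range a key actually touches once its run-time header offset is added. The names `struct key`, `add_ok`, `hint_range` and `key_write_end`, the 4-byte write size, the 34-byte header offset and this form of `offset_valid` are assumptions made for illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
/* Hypothetical key model: configured offset plus run-time header offset. */
struct key { int off; int hdr_off; };

/* Overflow-checked a + b: returns false instead of wrapping. */
static bool add_ok(int a, int b, int *sum)
{
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b))
        return false;
    *sum = a + b;
    return true;
}

/* Pre-fix style: one writable range from a hint that ignores hdr_off. */
static int hint_range(const struct key *k, int n)
{
    int max = 0, end;
    for (int i = 0; i < n; i++)
        if (add_ok(k[i].off, 4, &end) && end > max)
            max = end;
    return max;
}

/* Post-fix style: end of this key's actual write, INT_MIN on overflow. */
static int key_write_end(const struct key *k)
{
    int start, end;
    if (!add_ok(k->off, k->hdr_off, &start) || !add_ok(start, 4, &end))
        return INT_MIN;
    return end;
}

/* Bounds check with the INT_MIN guard: -INT_MIN is undefined, reject first. */
static bool offset_valid(int offset, int len, int headroom)
{
    if (offset == INT_MIN)
        return false;
    return offset > 0 ? offset <= len : -offset <= headroom;
}

int main(void)
{
    struct key keys[] = { { 0, 0 }, { 0, 34 } }; /* constructed sample keys */
    printf("hint=%d typed_end=%d int_min_ok=%d\n", hint_range(keys, 2),
           key_write_end(&keys[1]), offset_valid(INT_MIN, 64, 32));
    return 0;
}
```

With the constructed keys the hint covers 4 bytes while the typed key writes up to byte 38, which is the gap between the range made writable and the range written that the commit message describes.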