Re: [PATCH net v4 1/1] net/sched: fix pedit partial COW leading to page cache corruption
From: Jamal Hadi Salim
Date: Sat May 30 2026 - 12:16:51 EST
On Sat, May 30, 2026 at 11:19 AM Toke Høiland-Jørgensen <toke@xxxxxxxxxx> wrote:
>
> Jamal Hadi Salim <jhs@xxxxxxxxxxxx> writes:
>
> > From: Rajat Gupta <rajat.gupta@xxxxxxxxxxxxxxxx>
> >
> > tcf_pedit_act() computes the COW range for skb_ensure_writable()
> > once before the key loop using tcfp_off_max_hint, but the hint does
> > not account for the runtime header offset added by typed keys. This
> > can leave part of the write region un-COW'd.
> >
> > Fix by moving skb_ensure_writable() inside the per-key loop where
> > the actual write offset is known, and add overflow checking on the
> > offset arithmetic. For negative offsets (e.g. Ethernet header edits
> > at ingress), use skb_cow() to COW the headroom instead. Guard
> > offset_valid() against INT_MIN, where negation is undefined.
> >
> > Fixes: 8b796475fd78 ("net/sched: act_pedit: really ensure the skb is writable")
> > Reported-by: Yiming Qian <yimingqian591@xxxxxxxxx>
> > Reported-by: Keenan Dong <keenanat2000@xxxxxxxxx>
> > Reported-by: Han Guidong <2045gemini@xxxxxxxxx>
> > Reported-by: Zhang Cen <rollkingzzc@xxxxxxxxx>
> > Reviewed-by: Han Guidong <2045gemini@xxxxxxxxx>
> > Tested-by: Han Guidong <2045gemini@xxxxxxxxx>
> > Reviewed-by: Davide Caratti <dcaratti@xxxxxxxxxx>
> > Tested-by: Davide Caratti <dcaratti@xxxxxxxxxx>
> > Reviewed-by: Toke Høiland-Jørgensen <toke@xxxxxxxxxx>
> > Tested-by: Toke Høiland-Jørgensen <toke@xxxxxxxxxx>
> > Reviewed-by: Victor Nogueira <victor@xxxxxxxxxxxx>
> > Tested-by: Victor Nogueira <victor@xxxxxxxxxxxx>
> > Acked-by: Jamal Hadi Salim <jhs@xxxxxxxxxxxx>
> > Signed-off-by: Rajat Gupta <rajat.gupta@xxxxxxxxxxxxxxxx>
> > ---
> > v3->v4
> > 1) Restore the Fixes tag which was accidentally deleted in v3
> > 2) Remove tcfp_off_max_hint as pointed out by sashiko [1]
> > 3) Fix a boundary condition identified by sashiko [1]
> > 4) Add unaligned access support to safely access ptr support to compensate for
> > removal of skb_header_pointer() / skb_store_bits() which handled it fine
> >
> > [1] https://netdev-ai.bots.linux.dev/sashiko/#/patchset/20260527181731.1166373-1-jhs%40mojatatu.com
>
> Re-tested and LGTM. Let's hope this is the last one ;)
>
Fingers crossed ;-> Let's see what our new overlords say tomorrow morning.
cheers,
jamal
> -Toke
>
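The range problem described in the quoted commit message, as an added user-space model; it is not code from the patch or from the kernel. Assumptions: every function name here is hypothetical, each key rewrites 4 bytes, and the static hint is modelled as the largest key offset plus that width.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>

#define WRITE_LEN 4 /* model assumption: each key rewrites one 32-bit word */

/* a + b without signed overflow; false if the sum does not fit in an int */
static bool add_ok(int a, int b, int *sum)
{
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b))
        return false;
    *sum = a + b;
    return true;
}

/* "Before" model: one range from a static hint; runtime header offset ignored. */
static int hinted_range(const int *key_off, size_t n)
{
    int max = 0;
    for (size_t i = 0; i < n; i++)
        if (key_off[i] > max) max = key_off[i];
    return max + WRITE_LEN;
}

/* "After" model: per-key range; *tail = private bytes of data, *head = headroom. */
static bool key_range(int hdr_off, int key_off, int *tail, int *head)
{
    int start, stop;
    if (!add_ok(hdr_off, key_off, &start) || !add_ok(start, WRITE_LEN, &stop))
        return false;
    if (start == INT_MIN) /* -INT_MIN is undefined, refuse instead of negating */
        return false;
    *head = start < 0 ? -start : 0;
    *tail = stop > 0 ? stop : 0;
    return true;
}

/* Bytes of the write [start, start + WRITE_LEN) lying beyond a private prefix. */
static int uncovered(int private_len, int start)
{
    int lo = start > private_len ? start : private_len;
    return start + WRITE_LEN > lo ? start + WRITE_LEN - lo : 0;
}

int main(void)
{
    int keys[] = { 12 }, tail, head; /* constructed: key offset 12, header at 2 */
    bool ok = key_range(2, 12, &tail, &head) && uncovered(tail, 2 + 12) == 0;
    return ok && uncovered(hinted_range(keys, 1), 2 + 12) == 2 ? 0 : 1;
}
```

With the constructed values, the hinted range covers 16 bytes while the write lands at bytes 14 to 17, so two bytes of the write fall outside the privately copied region; the per-key range covers all 18.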