Re: [PATCH net v5 1/1] net/sched: fix pedit partial COW leading to page cache corruption
From: Jamal Hadi Salim
Date: Sun May 31 2026 - 13:28:04 EST
On Sun, May 31, 2026 at 12:15 PM David Laight
<david.laight.linux@xxxxxxxxx> wrote:
>
> On Sun, 31 May 2026 08:32:21 -0400
> Jamal Hadi Salim <jhs@xxxxxxxxxxxx> wrote:
>
> > From: Rajat Gupta <rajat.gupta@xxxxxxxxxxxxxxxx>
> >
> > tcf_pedit_act() computes the COW range for skb_ensure_writable()
> > once before the key loop using tcfp_off_max_hint, but the hint does
> > not account for the runtime header offset added by typed keys. This
> > can leave part of the write region un-COW'd.
> >
> > Fix by moving skb_ensure_writable() inside the per-key loop where
> > the actual write offset is known, and add overflow checking on the
> > offset arithmetic. For negative offsets (e.g. Ethernet header edits
> > at ingress), use skb_cow() to COW the headroom instead. Guard
> > offset_valid() against INT_MIN, where negation is undefined.
>
> This code has all got out of hand somewhere.
> I've only been looking at offset_valid() code.
>
> > Fixes: 8b796475fd78 ("net/sched: act_pedit: really ensure the skb is writable")
> > Reported-by: Yiming Qian <yimingqian591@xxxxxxxxx>
> > Reported-by: Keenan Dong <keenanat2000@xxxxxxxxx>
> > Reported-by: Han Guidong <2045gemini@xxxxxxxxx>
> > Reported-by: Zhang Cen <rollkingzzc@xxxxxxxxx>
> > Reviewed-by: Han Guidong <2045gemini@xxxxxxxxx>
> > Tested-by: Han Guidong <2045gemini@xxxxxxxxx>
> > Reviewed-by: Davide Caratti <dcaratti@xxxxxxxxxx>
> > Tested-by: Davide Caratti <dcaratti@xxxxxxxxxx>
> > Reviewed-by: Toke Høiland-Jørgensen <toke@xxxxxxxxxx>
> > Tested-by: Toke Høiland-Jørgensen <toke@xxxxxxxxxx>
> > Reviewed-by: Victor Nogueira <victor@xxxxxxxxxxxx>
> > Tested-by: Victor Nogueira <victor@xxxxxxxxxxxx>
> > Acked-by: Jamal Hadi Salim <jhs@xxxxxxxxxxxx>
> > Signed-off-by: Rajat Gupta <rajat.gupta@xxxxxxxxxxxxxxxx>
> > ---
> > v4->v5:
> > 1) Dead code removal obsoleted after removing tcfp_off_max_hint as identified
> > by sashiko-claude[1]. Remove dead code updating "cur".
> > 2) Addition of hoffset at tkey->at promotes hoffset to unsigned int,
> > wraps on overflow. Claim made by both sashiko-claude[1] and sashiko-gemini[2]
> > I think this is far fetched but possible. Cast tkey->at to int.
> > 3) Signedness mismatch in min() macro may potentially cause build issues.
> > Claim made by both sashiko-claude[1] and sashiko-gemini[2].
> > Go back to min_t() for now. David L. can make a better proposal later..
> >
> > [1]https://netdev-ai.bots.linux.dev/sashiko/#/patchset/20260530080643.1345521-1-jhs%40mojatatu.com
> > [2]https://sashiko.dev/#/patchset/20260530080643.1345521-1-jhs%40mojatatu.com
> > ---
> > include/net/tc_act/tc_pedit.h | 1 -
> > net/sched/act_pedit.c | 77 +++++++++++++++++++----------------
> > 2 files changed, 41 insertions(+), 37 deletions(-)
> >
> > diff --git a/include/net/tc_act/tc_pedit.h b/include/net/tc_act/tc_pedit.h
> > index f58ee15cd858..cb7b82f2cbc7 100644
> > --- a/include/net/tc_act/tc_pedit.h
> > +++ b/include/net/tc_act/tc_pedit.h
> > @@ -15,7 +15,6 @@ struct tcf_pedit_parms {
> > struct tc_pedit_key *tcfp_keys;
> > struct tcf_pedit_key_ex *tcfp_keys_ex;
> > int action;
> > - u32 tcfp_off_max_hint;
> > unsigned char tcfp_nkeys;
> > unsigned char tcfp_flags;
> > struct rcu_head rcu;
> > diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c
> > index bc20f08a2789..bd3b1da3cd63 100644
> > --- a/net/sched/act_pedit.c
> > +++ b/net/sched/act_pedit.c
> > @@ -16,6 +16,8 @@
> > #include <linux/ip.h>
> > #include <linux/ipv6.h>
> > #include <linux/slab.h>
> > +#include <linux/overflow.h>
> > +#include <linux/unaligned.h>
> > #include <net/ipv6.h>
> > #include <net/netlink.h>
> > #include <net/pkt_sched.h>
> > @@ -242,7 +244,6 @@ static int tcf_pedit_init(struct net *net, struct nlattr *nla,
> > goto out_free_ex;
> > }
> >
> > - nparms->tcfp_off_max_hint = 0;
> > nparms->tcfp_flags = parm->flags;
> > nparms->tcfp_nkeys = parm->nkeys;
> >
> > @@ -268,14 +269,6 @@ static int tcf_pedit_init(struct net *net, struct nlattr *nla,
> > BITS_PER_TYPE(int) - 1,
> > nparms->tcfp_keys[i].shift);
> >
> > - /* The AT option can read a single byte, we can bound the actual
> > - * value with uchar max.
> > - */
> > - cur += (0xff & offmask) >> nparms->tcfp_keys[i].shift;
> > -
> > - /* Each key touches 4 bytes starting from the computed offset */
> > - nparms->tcfp_off_max_hint =
> > - max(nparms->tcfp_off_max_hint, cur + 4);
> > }
> >
> > p = to_pedit(*a);
> > @@ -318,15 +311,12 @@ static void tcf_pedit_cleanup(struct tc_action *a)
> > call_rcu(&parms->rcu, tcf_pedit_cleanup_rcu);
> > }
> >
> > -static bool offset_valid(struct sk_buff *skb, int offset)
> > +static bool offset_valid(struct sk_buff *skb, int offset, int len)
> > {
> > - if (offset > 0 && offset > skb->len)
> > - return false;
> > -
> > - if (offset < 0 && -offset > skb_headroom(skb))
> > + if (offset < -(int)skb_headroom(skb))
> > return false;
> >
> > - return true;
> > + return offset <= (int)skb->len - len;
> > }
> >
> > static int pedit_l4_skb_offset(struct sk_buff *skb, int *hoffset, const int header_type)
> > @@ -393,18 +383,10 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
> > struct tcf_pedit_key_ex *tkey_ex;
> > struct tcf_pedit_parms *parms;
> > struct tc_pedit_key *tkey;
> > - u32 max_offset;
> > int i;
> >
> > parms = rcu_dereference_bh(p->parms);
> >
> > - max_offset = (skb_transport_header_was_set(skb) ?
> > - skb_transport_offset(skb) :
> > - skb_network_offset(skb)) +
> > - parms->tcfp_off_max_hint;
> > - if (skb_ensure_writable(skb, min(skb->len, max_offset)))
> > - goto done;
> > -
> > tcf_lastuse_update(&p->tcf_tm);
> > tcf_action_update_bstats(&p->common, skb);
> >
> > @@ -412,10 +394,11 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
> > tkey_ex = parms->tcfp_keys_ex;
> >
> > for (i = parms->tcfp_nkeys; i > 0; i--, tkey++) {
> > + int write_offset, write_len;
> > int offset = tkey->off;
> > int hoffset = 0;
> > - u32 *ptr, hdata;
> > - u32 val;
> > + u32 cur_val, val;
> > + u32 *ptr;
> > int rc;
> >
> > if (tkey_ex) {
> > @@ -433,13 +416,15 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
> >
> > if (tkey->offmask) {
> > u8 *d, _d;
> > + int at_offset;
> >
> > - if (!offset_valid(skb, hoffset + tkey->at)) {
> > + if (check_add_overflow(hoffset, (int)tkey->at, &at_offset) ||
>
> There is no real reason for checking the add.
> All that matters is that offset_valid() and skb_header_pointer() are
> passed the same offset.
> Assigning it to a local would make that clearer.
You are technically correct - but earlier discussion was I believe
that signed integer overflow as undefined behavior and those checks
are there to avoid that and logic bypasses.
>
> > + !offset_valid(skb, at_offset, sizeof(_d))) {
> > pr_info_ratelimited("tc action pedit 'at' offset %d out of bounds\n",
> > hoffset + tkey->at);
> > goto bad;
> > }
> > - d = skb_header_pointer(skb, hoffset + tkey->at,
> > + d = skb_header_pointer(skb, at_offset,
> > sizeof(_d), &_d);
> > if (!d)
> > goto bad;
> > @@ -451,31 +436,51 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
> > }
> > }
> >
> > - if (!offset_valid(skb, hoffset + offset)) {
> > - pr_info_ratelimited("tc action pedit offset %d out of bounds\n", hoffset + offset);
> > + if (check_add_overflow(hoffset, offset, &write_offset)) {
> > + pr_info_ratelimited("tc action pedit offset overflow\n");
> > goto bad;
> > }
> >
> > - ptr = skb_header_pointer(skb, hoffset + offset,
> > - sizeof(hdata), &hdata);
> > - if (!ptr)
> > + if (!offset_valid(skb, write_offset, sizeof(*ptr))) {
> > + pr_info_ratelimited("tc action pedit offset %d out of bounds\n",
> > + write_offset);
> > goto bad;
> > + }
>
> Again all that matters is that the same value is passed to offset_valid()
> and skb_header_pointer().
Same comment as earlier.
Note: we replaced skb_header_pointer() with direct memory access "ptr
= (u32 *)(skb->data + write_offset)" further down.
so extra validation of write_offset is justifiable, no?
> > +
> > + if (write_offset < 0) {
> > + if (skb_cow(skb, -write_offset))
> > + goto bad;
> > + if (write_offset + (int)sizeof(*ptr) > 0) {
> > + if (skb_ensure_writable(skb,
> > + min_t(int, skb->len,
> > + write_offset + (int)sizeof(*ptr))))
>
> That min isn't needed (same as below).
Ok - yes, i see that. Same with the min(). Why did we think we needed
min/min_t() before?
> > + goto bad;
> > + }
> > + } else {
> > + if (check_add_overflow(write_offset, (int)sizeof(*ptr),
> > + &write_len))
>
> That can't fail because of the 'return offset <= (int)skb->len - len;' check.
True.
>
> > + goto bad;
> > + if (skb_ensure_writable(skb, min_t(int, skb->len,
> > + write_len)))
>
> Similarly that min_t() will return 'write_len'.
> But is that even correct?
> The code wants to write 4 bytes at skb->data + write_offset.
> I can't see where the offset is used.
> All the overflow tests have made the logic far too hard to follow.
>
> I think that whole lot can just be:
> hoffset += offset;
> if (offset_valid(skb, hoffset, sizeof(hdata)))
> goto bad;
>
> /* Ensure any needed headroom is writeable */
> if (hoffset < 0 && skb_cow(skb, -hoffset)
> goto bad;
> /* Ensure the skb is writeable to the end of the area to be written.
> * The data is pulled into the skb header. */
> if ((hoffset >= 0 || hoffset + (int)sizeof(hdata) > 0) &&
> skb_ensure_writable(skb, hoffset + (int)sizeof(hdata))
> goto bad;
> The call to offset_valid() does all the other checks.
> (The hoffset >= 0 check is the inverse of the earlier check and will
> be optimised away - skipping the second second test which is then
> always true.)
Yes, that code is more readable.
> If you really want a warning message, put a generic one on 'bad;'.
>
> > + goto bad;
> > + }
> > +
> > + ptr = (u32 *)(skb->data + write_offset);
> > + cur_val = get_unaligned(ptr);
>
> Given you are doing an unaligned read you could remove the check in the
> 'offmask' path that the final offset is a multiple of 4.
> Nothing checked that tkey->off is a multiple of 4, and I suspect that
> is user-specifiable?
The only reason i will keep that check is because we have always
checked for the 32b alignment from an API perspective. I am less
worried about than potentially breaking something in the hardware
offload path when a user passes unaligned offsets down given that
these code paths (towards hardware) have been well vetted.
I am trying to get this security fix in. Do you see anything in what
you stated as a show stopper? IOW introducing regression or plain
wrong?
If not, I will wait for the AI review or if someone finds an issue
which breaks something - and if it is worth going back then i will
consider your suggestions as part of the next update.
Does that sound reasonable?
cheers,
jamal
> I'm also not entirely that the mac_header is aligned.
>
> -- David
>
> > /* just do it, baby */
> > switch (cmd) {
> > case TCA_PEDIT_KEY_EX_CMD_SET:
> > val = tkey->val;
> > break;
> > case TCA_PEDIT_KEY_EX_CMD_ADD:
> > - val = (*ptr + tkey->val) & ~tkey->mask;
> > + val = (cur_val + tkey->val) & ~tkey->mask;
> > break;
> > default:
> > pr_info_ratelimited("tc action pedit bad command (%d)\n", cmd);
> > goto bad;
> > }
> >
> > - *ptr = ((*ptr & tkey->mask) ^ val);
> > - if (ptr == &hdata)
> > - skb_store_bits(skb, hoffset + offset, ptr, 4);
> > + put_unaligned((cur_val & tkey->mask) ^ val, ptr);
> > }
> >
> > goto done;
>