Re: [PATCH net v2 1/1] net/sched: fix pedit partial COW leading to page cache corruption

From: Jamal Hadi Salim

Date: Wed May 27 2026 - 12:49:43 EST

On Wed, May 27, 2026 at 11:12 AM Toke Høiland-Jørgensen <toke@xxxxxxxxxx> wrote:
>
> Jamal Hadi Salim <jhs@xxxxxxxxxxxx> writes:
>
> > &&
> >
> > On Tue, May 26, 2026 at 3:22 PM Toke Høiland-Jørgensen <toke@xxxxxxxxxx> wrote:
> >>
> >> Jamal Hadi Salim <jhs@xxxxxxxxxxxx> writes:
> >>
> >> > From: Rajat Gupta <rajat.gupta@xxxxxxxxxxxxxxxx>
> >> >
> >> > tcf_pedit_act() computes the COW range for skb_ensure_writable()
> >> > once before the key loop using tcfp_off_max_hint, but the hint does
> >> > not account for the runtime header offset added by typed keys. This
> >> > can leave part of the write region un-COW'd.
> >> >
> >> > Fix by moving skb_ensure_writable() inside the per-key loop where
> >> > the actual write offset is known, and add overflow checking on the
> >> > offset arithmetic. For negative offsets (e.g. Ethernet header edits
> >> > at ingress), use skb_cow() to COW the headroom instead. Guard
> >> > offset_valid() against INT_MIN, where negation is undefined.
> >> >
> >> > Additionally, linearize skbs with shared frags upfront to prevent
> >> > silent data corruption when pedit operates on zero-copy pages
> >> > (e.g. from sendfile).
> >> >
> >> > Fixes: 8b796475fd78 ("net/sched: act_pedit: really ensure the skb is writable")
> >> > Reported-by: Yiming Qian <yimingqian591@xxxxxxxxx>
> >> > Reported-by: Keenan Dong <keenanat2000@xxxxxxxxx>
> >> > Reported-by: Han Guidong <2045gemini@xxxxxxxxx>
> >> > Reported-by: Zhang Cen <rollkingzzc@xxxxxxxxx>
> >> > Tested-by: Victor Nogueira <victor@xxxxxxxxxxxx>
> >> > Acked-by: Jamal Hadi Salim <jhs@xxxxxxxxxxxx>
> >> > Signed-off-by: Rajat Gupta <rajat.gupta@xxxxxxxxxxxxxxxx>
> >>
> >> Re-ran the tests, and everything looks good, so:
> >>
> >> Tested-by: Toke Høiland-Jørgensen <toke@xxxxxxxxxx>
> >>
> >> Also looked at the code, and I have a few nits below, but I'm really
> >> nitpicking here, so whether you end up fixing those or not:
> >>
> >> Reviewed-by: Toke Høiland-Jørgensen <toke@xxxxxxxxxx>
> >>
> >>
> >> [...]
> >>
> >> > @@ -323,7 +324,7 @@ static bool offset_valid(struct sk_buff *skb, int offset)
> >> > if (offset > 0 && offset > skb->len)
> >> > return false;
> >> >
> >> > - if (offset < 0 && -offset > skb_headroom(skb))
> >> > + if (offset < 0 && offset < -(int)skb_headroom(skb))
> >> > return false;
> >>
> >> This change makes it really obvious that this is really just:
> >>
> >> if (offset < -(int)skb_headroom(skb))
> >> return false;
> >>
> >> so, well, that would be clearer, IMO.
> >>
> >> But then I guess the same could be said of the positive case, so:
> >>
> >> static bool offset_valid(struct sk_buff *skb, int offset)
> >> {
> >> if (offset > skb->len || offset < -(int)skb_headroom(skb))
> >> return false;
> >>
> >> return true;
> >> }
> >>
> >
> > Yes, that improves readability. If i understood the discussion between
> > you and David L. something like this one liner would be reasonable?
> >
> > if (offset > (int)skb->len || offset < -(int)skb_headroom(skb))
>
> Yes, I believe that one is correct wrt the integer conversion rules.
>
> >> > @@ -393,18 +394,10 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
> >> > struct tcf_pedit_key_ex *tkey_ex;
> >> > struct tcf_pedit_parms *parms;
> >> > struct tc_pedit_key *tkey;
> >> > - u32 max_offset;
> >> > int i;
> >> >
> >> > parms = rcu_dereference_bh(p->parms);
> >> >
> >> > - max_offset = (skb_transport_header_was_set(skb) ?
> >> > - skb_transport_offset(skb) :
> >> > - skb_network_offset(skb)) +
> >> > - parms->tcfp_off_max_hint;
> >> > - if (skb_ensure_writable(skb, min(skb->len, max_offset)))
> >> > - goto done;
> >> > -
> >> > tcf_lastuse_update(&p->tcf_tm);
> >> > tcf_action_update_bstats(&p->common, skb);
> >> >
> >> > @@ -412,9 +405,10 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
> >> > tkey_ex = parms->tcfp_keys_ex;
> >> >
> >> > for (i = parms->tcfp_nkeys; i > 0; i--, tkey++) {
> >> > + int write_offset, write_len;
> >> > int offset = tkey->off;
> >> > int hoffset = 0;
> >> > - u32 *ptr, hdata;
> >> > + u32 *ptr;
> >> > u32 val;
> >> > int rc;
> >> >
> >> > @@ -451,15 +445,38 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
> >> > }
> >> > }
> >> >
> >> > - if (!offset_valid(skb, hoffset + offset)) {
> >> > - pr_info_ratelimited("tc action pedit offset %d out of bounds\n", hoffset + offset);
> >> > + if (unlikely(check_add_overflow(hoffset, offset,
> >>
> >> It's a bit weird that this has the unlikely(), but the offset_valid()
> >> check doesn't?
> >>
> >
> > I focused on the bigger solution and worried more about timeliness to
> > get this patch in - but it seems the distros had already picked up the
> > first posted patch, so hakuna matata (Still, I should have caught
> > these unlikelies ;->). Yes on the second one you pointed out.
> > Will remove them.
>
> Cool.
>
> >> > + &write_offset))) {
> >> > + pr_info_ratelimited("tc action pedit offset overflow\n");
> >> > goto bad;
> >> > }
> >> >
> >> > - ptr = skb_header_pointer(skb, hoffset + offset,
> >> > - sizeof(hdata), &hdata);
> >> > - if (!ptr)
> >> > + if (!offset_valid(skb, write_offset)) {
> >> > + pr_info_ratelimited("tc action pedit offset %d out of bounds\n",
> >> > + write_offset);
> >> > goto bad;
> >> > + }
> >> > +
> >> > + if (write_offset < 0) {
> >> > + if (skb_cow(skb, -write_offset))
> >> > + goto bad;
> >> > + if (write_offset + (int)sizeof(*ptr) > 0) {
> >> > + if (skb_ensure_writable(skb,
> >> > + min(skb->len,
> >> > + write_offset + sizeof(*ptr))))
> >>
> >> Combining these with && instead of the double indentation would be more
> >> readable IMO (shorter lines, aligning the 'goto bad' labels).
> >
> > hrm. So:
> > if ((write_offset < 0 && ((skb_cow(skb, -write_offset)) &&
> > (write_offset + (int)sizeof(*ptr) > 0) &&
> > (skb_ensure_writable(skb,min(skb->len,write_offset + sizeof(*ptr)))) {
> > goto bad;
> > else {
> > ...
> > }
> >
> > Not sure which is more readable.
>
> No, I meant just collapsing the two inner levels - this, on top of your
> patch:
>
> diff --git i/net/sched/act_pedit.c w/net/sched/act_pedit.c
> index 719bee335e1f..eb61d73730c4 100644
> --- i/net/sched/act_pedit.c
> +++ w/net/sched/act_pedit.c
> @@ -460,12 +460,11 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
> if (write_offset < 0) {
> if (skb_cow(skb, -write_offset))
> goto bad;
> - if (write_offset + (int)sizeof(*ptr) > 0) {
> - if (skb_ensure_writable(skb,
> - min(skb->len,
> - write_offset + sizeof(*ptr))))
> - goto bad;
> - }
> + if (write_offset + (int)sizeof(*ptr) > 0 &&
> + skb_ensure_writable(skb,
> + min(skb->len,
> + write_offset + sizeof(*ptr))))
> + goto bad;
> } else {
> if (unlikely(check_add_overflow(write_offset,
> (int)sizeof(*ptr),
>
> (You could do the other thing you suggested, but as you point out that
> quickly becomes a too dense soup of && :)
>

What you shared is better. Will use that one.

cheers,
jamal
> -Toke
>