From: "Toke Høiland-Jørgensen" <toke@kernel.org>
To: Rajat Gupta <rajat.gupta@oss.qualcomm.com>, netdev@vger.kernel.org
Cc: davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
pabeni@redhat.com, horms@kernel.org, jhs@mojatatu.com,
jiri@resnulli.us, yimingqian591@gmail.com,
keenanat2000@gmail.com, 2045gemini@gmail.com,
rollkingzzc@gmail.com, Rajat Gupta <rajat.gupta@oss.qualcomm.com>
Subject: Re: [PATCH net] net/sched: fix pedit partial COW leading to page cache corruption
Date: Tue, 19 May 2026 13:18:58 +0200
Message-ID: <87cxyrmyu5.fsf@toke.dk>
In-Reply-To: <20260519033950.2037-1-rajat.gupta@oss.qualcomm.com>

Rajat Gupta <rajat.gupta@oss.qualcomm.com> writes:

> tcf_pedit_act() computes the COW range for skb_ensure_writable()
> once before the key loop using tcfp_off_max_hint, but the hint does
> not account for the runtime header offset added by typed keys. This
> can leave part of the write region un-COW'd.
>
> Fix by moving skb_ensure_writable() inside the per-key loop where
> the actual write offset is known, and add overflow checking on the
> offset arithmetic. For negative offsets (e.g. Ethernet header edits
> at ingress), use skb_cow() to COW the headroom instead. Guard
> offset_valid() against INT_MIN, where negation is undefined.
>
> Additionally, linearize skbs with shared frags upfront to prevent
> silent data corruption when pedit operates on zero-copy pages
> (e.g. from sendfile).
>
> Fixes: 8b796475fd78 ("net/sched: act_pedit: really ensure the skb is writable")
> Reported-by: Rajat Gupta <rajat.gupta@oss.qualcomm.com>
> Reported-by: Yiming Qian <yimingqian591@gmail.com>
> Reported-by: Keenan Dong <keenanat2000@gmail.com>
> Reported-by: Han Guidong <2045gemini@gmail.com>
> Reported-by: Zhang Cen <rollkingzzc@gmail.com>
> Tested-by: Han Guidong <2045gemini@gmail.com>
> Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
> Signed-off-by: Rajat Gupta <rajat.gupta@oss.qualcomm.com>

Reviewed-by: Toke Høiland-Jørgensen <toke@kernel.org>

Also applied this to -net and ran the TC pedit selftests and the
pedit_* scripts in net/forwarding, none of which turned up any
regressions, so:

Tested-by: Toke Høiland-Jørgensen <toke@kernel.org>
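
A simplified user-space model of the range problem described in the quoted commit message, added here as an illustration; it is not code from the patch or from the kernel. The struct, the function names, the 4-byte write width and the sample offsets are assumptions of the model.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

enum region { R_INVALID, R_HEADROOM, R_DATA };
/* Hypothetical model key: 4-byte write at off; typed = header-relative. */
struct model_key { int off; bool typed; };

/* One-time hint: largest off + 4 over all keys, header offset ignored. */
int static_hint(const struct model_key *k, int n)
{
    int hint = 0, end;
    for (int i = 0; i < n; i++)
        if (!__builtin_add_overflow(k[i].off, 4, &end) && end > hint)
            hint = end;
    return hint;
}

/* Per-key range, checked arithmetic (GCC/Clang builtin). R_DATA: *len bytes
 * from packet start must be private; R_HEADROOM: *len bytes before it. */
enum region key_range(const struct model_key *k, int hdr_off, int *len)
{
    int start;
    if (__builtin_add_overflow(k->off, k->typed ? hdr_off : 0, &start))
        return R_INVALID;
    if (start < 0) {
        if (start == INT_MIN)   /* -INT_MIN is undefined behaviour */
            return R_INVALID;
        *len = -start;
        return R_HEADROOM;
    }
    return __builtin_add_overflow(start, 4, len) ? R_INVALID : R_DATA;
}

/* Bytes a write reaches past what the one-time hint made private. */
int uncovered(const struct model_key *k, int n, int hdr_off)
{
    int hint = static_hint(k, n), worst = 0, len;
    for (int i = 0; i < n; i++)
        if (key_range(&k[i], hdr_off, &len) == R_DATA && len - hint > worst)
            worst = len - hint;
    return worst;
}

int main(void)
{
    struct model_key k = { 12, true };  /* constructed sample key */
    printf("hint=%d uncovered=%d\n", static_hint(&k, 1), uncovered(&k, 1, 34));
    return 0;
}
```

With the constructed key, the hint covers 16 bytes while the typed write ends at byte 50, so 34 bytes of the write region fall outside the range that was made private.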