Linux Test Project
 help / color / mirror / Atom feed
From: linuxtestproject.agent@gmail.com
To: Andrea Cervesato <andrea.cervesato@suse.de>
Cc: ltp@lists.linux.it
Subject: Re: [LTP] lapi: Add pkt_cls.h fallback
Date: Tue,  7 Jul 2026 14:28:10 +0000	[thread overview]
Message-ID: <20260707142810.4143-1-linuxtestproject.agent@gmail.com> (raw)
In-Reply-To: <20260707-cve-2026-46331-v3-1-3f6f1d697eec@suse.com>

Hi Andrea,

On Tue, 7 Jul 2026 15:42:27 +0200, Andrea Cervesato wrote:
> lapi: Add pkt_cls.h fallback

--- [PATCH 3/4] ---

> +#ifndef TCA_PEDIT_KEY_EX
> +# define TCA_PEDIT_KEY_EX		3
> +#endif

The value is wrong. Counting from TCA_PEDIT_UNSPEC = 0 in the kernel
anonymous enum:

  TCA_PEDIT_UNSPEC  = 0
  TCA_PEDIT_TM      = 1
  TCA_PEDIT_PARMS   = 2
  TCA_PEDIT_PAD     = 3   <-- 3 is PAD, not KEY_EX
  TCA_PEDIT_PARMS_EX = 4
  TCA_PEDIT_KEYS_EX  = 5
  TCA_PEDIT_KEY_EX   = 6  <-- should be 6

With value 3 the kernel would receive a TCA_PEDIT_PAD attribute where
TCA_PEDIT_KEY_EX is expected and reject the filter with "Unknown
attribute, expected extended key".

This also breaks the test in patch 4/4 which uses TCA_PEDIT_KEY_EX
as a netlink attribute type.

> +#ifndef TCA_PEDIT_PARMS_EX
> +# define TCA_PEDIT_PARMS_EX		4
> +#endif
> +
> +#ifndef TCA_PEDIT_KEYS_EX
> +# define TCA_PEDIT_KEYS_EX		5
> +#endif
> +
> +#ifndef TCA_PEDIT_KEY_EX
> +# define TCA_PEDIT_KEY_EX		3
> +#endif
> +
> +#ifndef TCA_PEDIT_KEY_EX_HTYPE
> +# define TCA_PEDIT_KEY_EX_HTYPE		1
> +#endif
> +
> +#ifndef TCA_PEDIT_KEY_EX_CMD
> +# define TCA_PEDIT_KEY_EX_CMD		2
> +#endif

All five of these are anonymous enum values in the kernel header, not
preprocessor macros. A #ifndef guard tests the preprocessor symbol
table, which does not include enum constants. So every one of these
#define lines executes unconditionally even on systems that already
have the full kernel header -- the enum values are silently shadowed
by the macros.

For the four correctly-valued ones this has no observable impact
today, but the guard gives a false sense of safety. For
TCA_PEDIT_KEY_EX the wrong value makes the situation permanent on
every system.

The correct approach for enum-valued constants is to use
AC_CHECK_DECLS in configure.ac, the same way this patch already uses
AC_CHECK_TYPES for the two enum types:

  AC_CHECK_DECLS([TCA_PEDIT_PARMS_EX, TCA_PEDIT_KEYS_EX,
                  TCA_PEDIT_KEY_EX, TCA_PEDIT_KEY_EX_HTYPE,
                  TCA_PEDIT_KEY_EX_CMD],,,[
  #include <linux/tc_act/tc_pedit.h>])

That generates HAVE_DECL_* macros which can be used as guards around
the fallback defines.

--- [PATCH 4/4] ---

> +cve: Add act_pedit page-cache corruption test

The fix commit 899ee91156e5 does not exist in torvalds/linux, and the
field `tcfp_off_max_hint` mentioned in the commit body is absent from
the kernel source. The fix has not been merged to mainline and is
therefore not in any released kernel, including 7.2.

Per the staging rule, a test for an unreleased fix must:
  - carry a [STAGING] subject prefix, and
  - be listed in runtest/staging, not runtest/cve.

> +	.tags = (const struct tst_tag[]) {
> +		{"linux-git", "899ee91156e5"},

The SHA 899ee91156e5 cannot be resolved in torvalds/linux. Update
this to the correct SHA once the fix is merged.

Verdict - Needs revision

---
Note:

The agent can sometimes produce false positives although often its
findings are genuine. If you find issues with the review, please
comment this email or ignore the suggestions.

Regards,
LTP AI Reviewer

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

  reply	other threads:[~2026-07-07 14:28 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-07 13:42 [LTP] [PATCH v3 0/4] Reproducer for cve-2026-46331 Andrea Cervesato
2026-07-07 13:42 ` [LTP] [PATCH v3 1/4] lapi: Add pkt_cls.h fallback Andrea Cervesato
2026-07-07 14:28   ` linuxtestproject.agent [this message]
2026-07-07 14:53     ` [LTP] " Cyril Hrubis
2026-07-08 11:48   ` [LTP] [PATCH v3 1/4] " Petr Vorel
2026-07-07 13:42 ` [LTP] [PATCH v3 2/4] lapi: Add pkt_sched.h fallback Andrea Cervesato
2026-07-08 13:31   ` Petr Vorel
2026-07-07 13:42 ` [LTP] [PATCH v3 3/4] lapi: Add tc_pedit.h fallback Andrea Cervesato
2026-07-07 13:42 ` [LTP] [PATCH v3 4/4] cve: Add act_pedit page-cache corruption test Andrea Cervesato
2026-07-07 14:23   ` Cyril Hrubis
2026-07-08 11:41     ` Petr Vorel
2026-07-13 12:34       ` Andrea Cervesato via ltp
  -- strict thread matches above, loose matches on Subject: below --
2026-07-13 12:37 [LTP] [PATCH v4 1/4] lapi: Add pkt_cls.h fallback Andrea Cervesato
2026-07-13 14:13 ` [LTP] " linuxtestproject.agent
2026-07-14  8:38 [LTP] [PATCH v5 1/4] " Andrea Cervesato
2026-07-14 10:53 ` [LTP] " linuxtestproject.agent

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260707142810.4143-1-linuxtestproject.agent@gmail.com \
    --to=linuxtestproject.agent@gmail.com \
    --cc=andrea.cervesato@suse.de \
    --cc=ltp@lists.linux.it \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox