Date: Fri, 22 May 2026 17:55:07 -0700
From: Jakub Kicinski
To: Jamal Hadi Salim
Cc: Rajat Gupta, netdev@vger.kernel.org, davem@davemloft.net, edumazet@google.com, pabeni@redhat.com, horms@kernel.org, jiri@resnulli.us, yimingqian591@gmail.com, keenanat2000@gmail.com, 2045gemini@gmail.com, rollkingzzc@gmail.com
Subject: Re: [PATCH net] net/sched: fix pedit partial COW leading to page cache corruption
Message-ID: <20260522175507.02b4fe83@kernel.org>
In-Reply-To:
References: <20260519033950.2037-1-rajat.gupta@oss.qualcomm.com> <20260521073526.793d30c3@kernel.org> <20260521084640.683c1ee6@kernel.org> <20260522084611.390fd0a6@kernel.org>
X-Mailing-List: netdev@vger.kernel.org

On Fri, 22 May 2026 13:01:49 -0400 Jamal Hadi Salim wrote:
> > > I must be missing something. What's the problem with changing the patch
> > > to pull headers instead? I mean - if we agree that this is where we'll
> > > end up - we should just do it now. It's the long standing kernel policy
> > > to "fix things right" instead of creating temporary fixes which then
> > > have to be reworked in -next
> >
> > I may be the one missing things. Your main concern is with this:
> > + /*
> > + * If the skb has shared frags the user is likely using zero-copy
> > + * (e.g. sendfile). Those page frags may point to page-cache pages;
> > + * writing into them would silently corrupt the page cache.
> > + * Linearize so pedit operates on a private copy.
> > + * TL;DR: if you want zero-copy, don't use pedit.
> > + */
> > + if (skb_has_shared_frag(skb)) {
> > + if (__skb_linearize(skb))
> > + goto bad;
> > + }
> > +
> >
> > i.e. you want that gone, correct?
> > And my concern was whether removing this still exposes things to
> > exploit even if temporarily.
> > Likely it won't. I have time, let me test the exploit with that code
> > ifdef'ed out.
>
> Ok, it fixes the issue even if I ifdef that out.
> We still need the little patchlet I sent ...

More and more I feel like I'm completely missing the plot but for the
portion of the problem that's "we are writing to frags" the fix I was
trying to describe is:

diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c index bc20f08a2789..3a74cef58e17 100644 --- a/net/sched/act_pedit.c +++ b/net/sched/act_pedit.c @@ -414,7 +414,7 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb, for (i = parms->tcfp_nkeys; i > 0; i--, tkey++) { int offset = tkey->off; int hoffset = 0; - u32 *ptr, hdata; + u32 *ptr; u32 val; int rc; @@ -456,10 +456,9 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb, goto bad; } - ptr = skb_header_pointer(skb, hoffset + offset, - sizeof(hdata), &hdata); - if (!ptr) + if (!pskb_may_pull(skb, hoffset + offset + sizeof(*ptr))) goto bad; + ptr = (u32 *)(skb->data + hoffset + offset); /* just do it, baby */ switch (cmd) { case TCA_PEDIT_KEY_EX_CMD_SET: @@ -474,8 +473,6 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb, } *ptr = ((*ptr & tkey->mask) ^ val); - if (ptr == &hdata) - skb_store_bits(skb, hoffset + offset, ptr, 4); } goto done;
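Review bot: in the second hunk, `pskb_may_pull(skb, hoffset + offset + sizeof(*ptr))` feeds the signed `int offset` and `int hoffset` declared in the first hunk into an unsigned length, which changes behaviour for any key whose computed position lies before `skb->data`. The `skb_header_pointer()` call being removed took a signed offset, and the `int` types suggest negative sums are a supported case; after this change a negative `hoffset + offset` converts to a very large length, `pskb_may_pull()` returns false and the action takes `goto bad`, dropping an edit the old code performed. Worse, if the sum is exactly `-sizeof(*ptr)` the argument wraps to 0, the pull trivially succeeds and `ptr = (u32 *)(skb->data + hoffset + offset)` lands in the headroom with no bound check at all. Suggest handling `hoffset + offset < 0` explicitly (checking it against the available headroom) and only calling `pskb_may_pull()` for positions at or after `skb->data`.

Review bot: the third hunk drops the `skb_store_bits()` write-back, which is only correct because `ptr` now always points into the linear area the pull just populated; that reasoning is not recorded anywhere in the change. Suggest a short comment above the `pskb_may_pull()` in the second hunk stating that the pull copies the target bytes out of a possibly shared fragment into the skb's own linear data, so the `*ptr = ((*ptr & tkey->mask) ^ val)` store never touches a page fragment, and noting that `ptr` must be recomputed per key (as the loop does) because the pull may reallocate `skb->head`.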