* [PATCH net v3 1/1] net/sched: fix pedit partial COW leading to page cache corruption
@ 2026-05-27 18:17 Jamal Hadi Salim
2026-05-28 7:28 ` Han Guidong
2026-05-28 10:03 ` Toke Høiland-Jørgensen
0 siblings, 2 replies; 5+ messages in thread
From: Jamal Hadi Salim @ 2026-05-27 18:17 UTC (permalink / raw)
To: netdev
Cc: davem, edumazet, kuba, pabeni, horms, jiri, victor,
david.laight.linux, yimingqian591, keenanat2000, 2045gemini,
rollkingzzc, toke, dcaratti, security, linux-kernel, Rajat Gupta,
Jamal Hadi Salim
From: Rajat Gupta <rajat.gupta@oss.qualcomm.com>
tcf_pedit_act() computes the COW range for skb_ensure_writable()
once before the key loop using tcfp_off_max_hint, but the hint does
not account for the runtime header offset added by typed keys. This
can leave part of the write region un-COW'd.
Fix by moving skb_ensure_writable() inside the per-key loop where
the actual write offset is known, and add overflow checking on the
offset arithmetic. For negative offsets (e.g. Ethernet header edits
at ingress), use skb_cow() to COW the headroom instead. Guard
offset_valid() against INT_MIN, where negation is undefined.
Reported-by: Yiming Qian <yimingqian591@gmail.com>
Reported-by: Keenan Dong <keenanat2000@gmail.com>
Reported-by: Han Guidong <2045gemini@gmail.com>
Reported-by: Zhang Cen <rollkingzzc@gmail.com>
Reviewed-by: Han Guidong <2045gemini@gmail.com>
Tested-by: Han Guidong <2045gemini@gmail.com>
Reviewed-by: Davide Caratti <dcaratti@redhat.com>
Tested-by: Davide Caratti <dcaratti@redhat.com>
Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
Tested-by: Toke Høiland-Jørgensen <toke@redhat.com>
Reviewed-by: Victor Nogueira <victor@mojatatu.com>
Tested-by: Victor Nogueira <victor@mojatatu.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Rajat Gupta <rajat.gupta@oss.qualcomm.com>
---
Changes v2->v3:
1) Fixup commit log not to talk about linearize
2) Add more optimal boundary checks (Toke & David L.)
3) Fixup if statement for readability (Toke)
---
net/sched/act_pedit.c | 45 +++++++++++++++++++++++++++----------------
1 file changed, 28 insertions(+), 17 deletions(-)
diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c
index bc20f08a2789..e01865af8ca0 100644
--- a/net/sched/act_pedit.c
+++ b/net/sched/act_pedit.c
@@ -16,6 +16,7 @@
#include <linux/ip.h>
#include <linux/ipv6.h>
#include <linux/slab.h>
+#include <linux/overflow.h>
#include <net/ipv6.h>
#include <net/netlink.h>
#include <net/pkt_sched.h>
@@ -323,7 +324,7 @@ static bool offset_valid(struct sk_buff *skb, int offset)
if (offset > 0 && offset > skb->len)
return false;
- if (offset < 0 && -offset > skb_headroom(skb))
+ if (offset < 0 && offset < -(int)skb_headroom(skb))
return false;
return true;
@@ -393,18 +394,10 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
struct tcf_pedit_key_ex *tkey_ex;
struct tcf_pedit_parms *parms;
struct tc_pedit_key *tkey;
- u32 max_offset;
int i;
parms = rcu_dereference_bh(p->parms);
- max_offset = (skb_transport_header_was_set(skb) ?
- skb_transport_offset(skb) :
- skb_network_offset(skb)) +
- parms->tcfp_off_max_hint;
- if (skb_ensure_writable(skb, min(skb->len, max_offset)))
- goto done;
-
tcf_lastuse_update(&p->tcf_tm);
tcf_action_update_bstats(&p->common, skb);
@@ -412,9 +405,10 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
tkey_ex = parms->tcfp_keys_ex;
for (i = parms->tcfp_nkeys; i > 0; i--, tkey++) {
+ int write_offset, write_len;
int offset = tkey->off;
int hoffset = 0;
- u32 *ptr, hdata;
+ u32 *ptr;
u32 val;
int rc;
@@ -451,15 +445,34 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
}
}
- if (!offset_valid(skb, hoffset + offset)) {
- pr_info_ratelimited("tc action pedit offset %d out of bounds\n", hoffset + offset);
+ if (check_add_overflow(hoffset, offset, &write_offset)) {
+ pr_info_ratelimited("tc action pedit offset overflow\n");
goto bad;
}
- ptr = skb_header_pointer(skb, hoffset + offset,
- sizeof(hdata), &hdata);
- if (!ptr)
+ if (!offset_valid(skb, write_offset)) {
+ pr_info_ratelimited("tc action pedit offset %d out of bounds\n",
+ write_offset);
goto bad;
+ }
+
+ if (write_offset < 0) {
+ if (skb_cow(skb, -write_offset))
+ goto bad;
+ if (write_offset + (int)sizeof(*ptr) > 0 &&
+ skb_ensure_writable(skb, min(skb->len,
+ write_offset + sizeof(*ptr))))
+ goto bad;
+ } else {
+ if (check_add_overflow(write_offset, (int)sizeof(*ptr),
+ &write_len))
+ goto bad;
+ if (skb_ensure_writable(skb, min_t(int, skb->len,
+ write_len)))
+ goto bad;
+ }
+
+ ptr = (u32 *)(skb->data + write_offset);
/* just do it, baby */
switch (cmd) {
case TCA_PEDIT_KEY_EX_CMD_SET:
@@ -474,8 +487,6 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
}
*ptr = ((*ptr & tkey->mask) ^ val);
- if (ptr == &hdata)
- skb_store_bits(skb, hoffset + offset, ptr, 4);
}
goto done;
--
2.34.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH net v3 1/1] net/sched: fix pedit partial COW leading to page cache corruption
2026-05-27 18:17 [PATCH net v3 1/1] net/sched: fix pedit partial COW leading to page cache corruption Jamal Hadi Salim
@ 2026-05-28 7:28 ` Han Guidong
2026-05-28 10:03 ` Toke Høiland-Jørgensen
1 sibling, 0 replies; 5+ messages in thread
From: Han Guidong @ 2026-05-28 7:28 UTC (permalink / raw)
To: Jamal Hadi Salim
Cc: netdev, davem, edumazet, kuba, pabeni, horms, jiri, victor,
david.laight.linux, yimingqian591, keenanat2000, rollkingzzc,
toke, dcaratti, security, linux-kernel, Rajat Gupta
On Thu, May 28, 2026 at 2:17 AM Jamal Hadi Salim <jhs@mojatatu.com> wrote:
>
> From: Rajat Gupta <rajat.gupta@oss.qualcomm.com>
>
> tcf_pedit_act() computes the COW range for skb_ensure_writable()
> once before the key loop using tcfp_off_max_hint, but the hint does
> not account for the runtime header offset added by typed keys. This
> can leave part of the write region un-COW'd.
>
> Fix by moving skb_ensure_writable() inside the per-key loop where
> the actual write offset is known, and add overflow checking on the
> offset arithmetic. For negative offsets (e.g. Ethernet header edits
> at ingress), use skb_cow() to COW the headroom instead. Guard
> offset_valid() against INT_MIN, where negation is undefined.
>
> Reported-by: Yiming Qian <yimingqian591@gmail.com>
> Reported-by: Keenan Dong <keenanat2000@gmail.com>
> Reported-by: Han Guidong <2045gemini@gmail.com>
> Reported-by: Zhang Cen <rollkingzzc@gmail.com>
> Reviewed-by: Han Guidong <2045gemini@gmail.com>
> Tested-by: Han Guidong <2045gemini@gmail.com>
> Reviewed-by: Davide Caratti <dcaratti@redhat.com>
> Tested-by: Davide Caratti <dcaratti@redhat.com>
> Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
> Tested-by: Toke Høiland-Jørgensen <toke@redhat.com>
> Reviewed-by: Victor Nogueira <victor@mojatatu.com>
> Tested-by: Victor Nogueira <victor@mojatatu.com>
> Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
> Signed-off-by: Rajat Gupta <rajat.gupta@oss.qualcomm.com>
> ---
> Changes v2->v3:
> 1) Fixup commit log not to talk about linearize
> 2) Add more optimal boundary checks (Toke & David L.)
> 3) Fixup if statement for readability (Toke)
Retested this with various debug options enabled, and everything still
looks good here.
Thanks.
> ---
> net/sched/act_pedit.c | 45 +++++++++++++++++++++++++++----------------
> 1 file changed, 28 insertions(+), 17 deletions(-)
>
> diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c
> index bc20f08a2789..e01865af8ca0 100644
> --- a/net/sched/act_pedit.c
> +++ b/net/sched/act_pedit.c
> @@ -16,6 +16,7 @@
> #include <linux/ip.h>
> #include <linux/ipv6.h>
> #include <linux/slab.h>
> +#include <linux/overflow.h>
> #include <net/ipv6.h>
> #include <net/netlink.h>
> #include <net/pkt_sched.h>
> @@ -323,7 +324,7 @@ static bool offset_valid(struct sk_buff *skb, int offset)
> if (offset > 0 && offset > skb->len)
> return false;
>
> - if (offset < 0 && -offset > skb_headroom(skb))
> + if (offset < 0 && offset < -(int)skb_headroom(skb))
> return false;
>
> return true;
> @@ -393,18 +394,10 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
> struct tcf_pedit_key_ex *tkey_ex;
> struct tcf_pedit_parms *parms;
> struct tc_pedit_key *tkey;
> - u32 max_offset;
> int i;
>
> parms = rcu_dereference_bh(p->parms);
>
> - max_offset = (skb_transport_header_was_set(skb) ?
> - skb_transport_offset(skb) :
> - skb_network_offset(skb)) +
> - parms->tcfp_off_max_hint;
> - if (skb_ensure_writable(skb, min(skb->len, max_offset)))
> - goto done;
> -
> tcf_lastuse_update(&p->tcf_tm);
> tcf_action_update_bstats(&p->common, skb);
>
> @@ -412,9 +405,10 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
> tkey_ex = parms->tcfp_keys_ex;
>
> for (i = parms->tcfp_nkeys; i > 0; i--, tkey++) {
> + int write_offset, write_len;
> int offset = tkey->off;
> int hoffset = 0;
> - u32 *ptr, hdata;
> + u32 *ptr;
> u32 val;
> int rc;
>
> @@ -451,15 +445,34 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
> }
> }
>
> - if (!offset_valid(skb, hoffset + offset)) {
> - pr_info_ratelimited("tc action pedit offset %d out of bounds\n", hoffset + offset);
> + if (check_add_overflow(hoffset, offset, &write_offset)) {
> + pr_info_ratelimited("tc action pedit offset overflow\n");
> goto bad;
> }
>
> - ptr = skb_header_pointer(skb, hoffset + offset,
> - sizeof(hdata), &hdata);
> - if (!ptr)
> + if (!offset_valid(skb, write_offset)) {
> + pr_info_ratelimited("tc action pedit offset %d out of bounds\n",
> + write_offset);
> goto bad;
> + }
> +
> + if (write_offset < 0) {
> + if (skb_cow(skb, -write_offset))
> + goto bad;
> + if (write_offset + (int)sizeof(*ptr) > 0 &&
> + skb_ensure_writable(skb, min(skb->len,
> + write_offset + sizeof(*ptr))))
> + goto bad;
> + } else {
> + if (check_add_overflow(write_offset, (int)sizeof(*ptr),
> + &write_len))
> + goto bad;
> + if (skb_ensure_writable(skb, min_t(int, skb->len,
> + write_len)))
> + goto bad;
> + }
> +
> + ptr = (u32 *)(skb->data + write_offset);
> /* just do it, baby */
> switch (cmd) {
> case TCA_PEDIT_KEY_EX_CMD_SET:
> @@ -474,8 +487,6 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
> }
>
> *ptr = ((*ptr & tkey->mask) ^ val);
> - if (ptr == &hdata)
> - skb_store_bits(skb, hoffset + offset, ptr, 4);
> }
>
> goto done;
> --
> 2.34.1
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH net v3 1/1] net/sched: fix pedit partial COW leading to page cache corruption
2026-05-27 18:17 [PATCH net v3 1/1] net/sched: fix pedit partial COW leading to page cache corruption Jamal Hadi Salim
2026-05-28 7:28 ` Han Guidong
@ 2026-05-28 10:03 ` Toke Høiland-Jørgensen
2026-05-28 10:26 ` Jamal Hadi Salim
2026-05-28 11:31 ` David Laight
1 sibling, 2 replies; 5+ messages in thread
From: Toke Høiland-Jørgensen @ 2026-05-28 10:03 UTC (permalink / raw)
To: Jamal Hadi Salim, netdev
Cc: davem, edumazet, kuba, pabeni, horms, jiri, victor,
david.laight.linux, yimingqian591, keenanat2000, 2045gemini,
rollkingzzc, dcaratti, security, linux-kernel, Rajat Gupta,
Jamal Hadi Salim
Jamal Hadi Salim <jhs@mojatatu.com> writes:
> From: Rajat Gupta <rajat.gupta@oss.qualcomm.com>
>
> tcf_pedit_act() computes the COW range for skb_ensure_writable()
> once before the key loop using tcfp_off_max_hint, but the hint does
> not account for the runtime header offset added by typed keys. This
> can leave part of the write region un-COW'd.
>
> Fix by moving skb_ensure_writable() inside the per-key loop where
> the actual write offset is known, and add overflow checking on the
> offset arithmetic. For negative offsets (e.g. Ethernet header edits
> at ingress), use skb_cow() to COW the headroom instead. Guard
> offset_valid() against INT_MIN, where negation is undefined.
So you did tell us not to nitpick, but...
> 2) Add more optimal boundary checks (Toke & David L.)
[..]
> - if (offset < 0 && -offset > skb_headroom(skb))
> + if (offset < 0 && offset < -(int)skb_headroom(skb))
Seems that bit of the changelog isn't actually accurate.
However, I don't think this matters, this version is not actually buggy;
so let's just get this merged, and we can code-golf the offset check on
top :)
I did re-run the tests on this version, and they look fine, so
re-affirming my tags.
-Toke
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH net v3 1/1] net/sched: fix pedit partial COW leading to page cache corruption
2026-05-28 10:03 ` Toke Høiland-Jørgensen
@ 2026-05-28 10:26 ` Jamal Hadi Salim
2026-05-28 11:31 ` David Laight
1 sibling, 0 replies; 5+ messages in thread
From: Jamal Hadi Salim @ 2026-05-28 10:26 UTC (permalink / raw)
To: Toke Høiland-Jørgensen
Cc: netdev, davem, edumazet, kuba, pabeni, horms, jiri, victor,
david.laight.linux, yimingqian591, keenanat2000, 2045gemini,
rollkingzzc, dcaratti, security, linux-kernel, Rajat Gupta
On Thu, May 28, 2026 at 6:03 AM Toke Høiland-Jørgensen <toke@redhat.com> wrote:
>
> Jamal Hadi Salim <jhs@mojatatu.com> writes:
>
> > From: Rajat Gupta <rajat.gupta@oss.qualcomm.com>
> >
> > tcf_pedit_act() computes the COW range for skb_ensure_writable()
> > once before the key loop using tcfp_off_max_hint, but the hint does
> > not account for the runtime header offset added by typed keys. This
> > can leave part of the write region un-COW'd.
> >
> > Fix by moving skb_ensure_writable() inside the per-key loop where
> > the actual write offset is known, and add overflow checking on the
> > offset arithmetic. For negative offsets (e.g. Ethernet header edits
> > at ingress), use skb_cow() to COW the headroom instead. Guard
> > offset_valid() against INT_MIN, where negation is undefined.
>
> So you did tell us not to nitpick, but...
>
Actually, an opportunity to nitpick has opened up;-> I have to resend.
In my rush to send the patch out i accidentally deleted the "Fixes"
while adding names and removing obsolete commit log. Probably missed
something else.
cheers,
jamal
> > 2) Add more optimal boundary checks (Toke & David L.)
>
> [..]
>
> > - if (offset < 0 && -offset > skb_headroom(skb))
> > + if (offset < 0 && offset < -(int)skb_headroom(skb))
>
> Seems that bit of the changelog isn't actually accurate.
>
> However, I don't think this matters, this version is not actually buggy;
> so let's just get this merged, and we can code-golf the offset check on
> top :)
>
> I did re-run the tests on this version, and they look fine, so
> re-affirming my tags.
>
> -Toke
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH net v3 1/1] net/sched: fix pedit partial COW leading to page cache corruption
2026-05-28 10:03 ` Toke Høiland-Jørgensen
2026-05-28 10:26 ` Jamal Hadi Salim
@ 2026-05-28 11:31 ` David Laight
1 sibling, 0 replies; 5+ messages in thread
From: David Laight @ 2026-05-28 11:31 UTC (permalink / raw)
To: Toke Høiland-Jørgensen
Cc: Jamal Hadi Salim, netdev, davem, edumazet, kuba, pabeni, horms,
jiri, victor, yimingqian591, keenanat2000, 2045gemini,
rollkingzzc, dcaratti, security, linux-kernel, Rajat Gupta
On Thu, 28 May 2026 12:03:04 +0200
Toke Høiland-Jørgensen <toke@redhat.com> wrote:
...
> > 2) Add more optimal boundary checks (Toke & David L.)
>
> [..]
>
> > - if (offset < 0 && -offset > skb_headroom(skb))
> > + if (offset < 0 && offset < -(int)skb_headroom(skb))
>
...
>
> However, I don't think this matters, this version is not actually buggy;
> so let's just get this merged, and we can code-golf the offset check on
> top :)
I prefer it in pink :-)
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2026-05-28 11:31 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-27 18:17 [PATCH net v3 1/1] net/sched: fix pedit partial COW leading to page cache corruption Jamal Hadi Salim
2026-05-28 7:28 ` Han Guidong
2026-05-28 10:03 ` Toke Høiland-Jørgensen
2026-05-28 10:26 ` Jamal Hadi Salim
2026-05-28 11:31 ` David Laight
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox