[PATCH net v3 1/1] net/sched: fix pedit partial COW leading to page cache corruption

[PATCH net v3 1/1] net/sched: fix pedit partial COW leading to page cache corruption

[Jamal Hadi Salim]

From: Rajat Gupta <rajat.gupta@oss.qualcomm.com>

tcf_pedit_act() computes the COW range for skb_ensure_writable()
once before the key loop using tcfp_off_max_hint, but the hint does
not account for the runtime header offset added by typed keys. This
can leave part of the write region un-COW'd.

Fix by moving skb_ensure_writable() inside the per-key loop where
the actual write offset is known, and add overflow checking on the
offset arithmetic. For negative offsets (e.g. Ethernet header edits
at ingress), use skb_cow() to COW the headroom instead. Guard
offset_valid() against INT_MIN, where negation is undefined.

Reported-by: Yiming Qian <yimingqian591@gmail.com>
Reported-by: Keenan Dong <keenanat2000@gmail.com>
Reported-by: Han Guidong <2045gemini@gmail.com>
Reported-by: Zhang Cen <rollkingzzc@gmail.com>
Reviewed-by: Han Guidong <2045gemini@gmail.com>
Tested-by: Han Guidong <2045gemini@gmail.com>
Reviewed-by: Davide Caratti <dcaratti@redhat.com>
Tested-by: Davide Caratti <dcaratti@redhat.com>
Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
Tested-by: Toke Høiland-Jørgensen <toke@redhat.com>
Reviewed-by: Victor Nogueira <victor@mojatatu.com>
Tested-by: Victor Nogueira <victor@mojatatu.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Rajat Gupta <rajat.gupta@oss.qualcomm.com>
---
Changes v2->v3:
1) Fixup commit log not to talk about linearize
2) Add more optimal boundary checks (Toke & David L.)
3) Fixup if statement for readability (Toke)
---
 net/sched/act_pedit.c | 45 +++++++++++++++++++++++++++----------------
 1 file changed, 28 insertions(+), 17 deletions(-)

diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c
index bc20f08a2789..e01865af8ca0 100644
--- a/net/sched/act_pedit.c
+++ b/net/sched/act_pedit.c
@@ -16,6 +16,7 @@
 #include <linux/ip.h>
 #include <linux/ipv6.h>
 #include <linux/slab.h>
+#include <linux/overflow.h>
 #include <net/ipv6.h>
 #include <net/netlink.h>
 #include <net/pkt_sched.h>
@@ -323,7 +324,7 @@ static bool offset_valid(struct sk_buff *skb, int offset)
 	if (offset > 0 && offset > skb->len)
 		return false;
 
-	if  (offset < 0 && -offset > skb_headroom(skb))
+	if (offset < 0 && offset < -(int)skb_headroom(skb))
 		return false;
 
 	return true;
@@ -393,18 +394,10 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
 	struct tcf_pedit_key_ex *tkey_ex;
 	struct tcf_pedit_parms *parms;
 	struct tc_pedit_key *tkey;
-	u32 max_offset;
 	int i;
 
 	parms = rcu_dereference_bh(p->parms);
 
-	max_offset = (skb_transport_header_was_set(skb) ?
-		      skb_transport_offset(skb) :
-		      skb_network_offset(skb)) +
-		     parms->tcfp_off_max_hint;
-	if (skb_ensure_writable(skb, min(skb->len, max_offset)))
-		goto done;
-
 	tcf_lastuse_update(&p->tcf_tm);
 	tcf_action_update_bstats(&p->common, skb);
 
@@ -412,9 +405,10 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
 	tkey_ex = parms->tcfp_keys_ex;
 
 	for (i = parms->tcfp_nkeys; i > 0; i--, tkey++) {
+		int write_offset, write_len;
 		int offset = tkey->off;
 		int hoffset = 0;
-		u32 *ptr, hdata;
+		u32 *ptr;
 		u32 val;
 		int rc;
 
@@ -451,15 +445,34 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
 			}
 		}
 
-		if (!offset_valid(skb, hoffset + offset)) {
-			pr_info_ratelimited("tc action pedit offset %d out of bounds\n", hoffset + offset);
+		if (check_add_overflow(hoffset, offset, &write_offset)) {
+			pr_info_ratelimited("tc action pedit offset overflow\n");
 			goto bad;
 		}
 
-		ptr = skb_header_pointer(skb, hoffset + offset,
-					 sizeof(hdata), &hdata);
-		if (!ptr)
+		if (!offset_valid(skb, write_offset)) {
+			pr_info_ratelimited("tc action pedit offset %d out of bounds\n",
+					    write_offset);
 			goto bad;
+		}
+
+		if (write_offset < 0) {
+			if (skb_cow(skb, -write_offset))
+				goto bad;
+			if (write_offset + (int)sizeof(*ptr) > 0 &&
+			    skb_ensure_writable(skb, min(skb->len,
+							 write_offset + sizeof(*ptr))))
+				goto bad;
+		} else {
+			if (check_add_overflow(write_offset, (int)sizeof(*ptr),
+					       &write_len))
+				goto bad;
+			if (skb_ensure_writable(skb, min_t(int, skb->len,
+							   write_len)))
+				goto bad;
+		}
+
+		ptr = (u32 *)(skb->data + write_offset);
 		/* just do it, baby */
 		switch (cmd) {
 		case TCA_PEDIT_KEY_EX_CMD_SET:
@@ -474,8 +487,6 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
 		}
 
 		*ptr = ((*ptr & tkey->mask) ^ val);
-		if (ptr == &hdata)
-			skb_store_bits(skb, hoffset + offset, ptr, 4);
 	}
 
 	goto done;
-- 
2.34.1

Re: [PATCH net v3 1/1] net/sched: fix pedit partial COW leading to page cache corruption

[Han Guidong]

On Thu, May 28, 2026 at 2:17 AM Jamal Hadi Salim <jhs@mojatatu.com> wrote:
>
> From: Rajat Gupta <rajat.gupta@oss.qualcomm.com>
>
> tcf_pedit_act() computes the COW range for skb_ensure_writable()
> once before the key loop using tcfp_off_max_hint, but the hint does
> not account for the runtime header offset added by typed keys. This
> can leave part of the write region un-COW'd.
>
> Fix by moving skb_ensure_writable() inside the per-key loop where
> the actual write offset is known, and add overflow checking on the
> offset arithmetic. For negative offsets (e.g. Ethernet header edits
> at ingress), use skb_cow() to COW the headroom instead. Guard
> offset_valid() against INT_MIN, where negation is undefined.
>
> Reported-by: Yiming Qian <yimingqian591@gmail.com>
> Reported-by: Keenan Dong <keenanat2000@gmail.com>
> Reported-by: Han Guidong <2045gemini@gmail.com>
> Reported-by: Zhang Cen <rollkingzzc@gmail.com>
> Reviewed-by: Han Guidong <2045gemini@gmail.com>
> Tested-by: Han Guidong <2045gemini@gmail.com>
> Reviewed-by: Davide Caratti <dcaratti@redhat.com>
> Tested-by: Davide Caratti <dcaratti@redhat.com>
> Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
> Tested-by: Toke Høiland-Jørgensen <toke@redhat.com>
> Reviewed-by: Victor Nogueira <victor@mojatatu.com>
> Tested-by: Victor Nogueira <victor@mojatatu.com>
> Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
> Signed-off-by: Rajat Gupta <rajat.gupta@oss.qualcomm.com>
> ---
> Changes v2->v3:
> 1) Fixup commit log not to talk about linearize
> 2) Add more optimal boundary checks (Toke & David L.)
> 3) Fixup if statement for readability (Toke)

Retested this with various debug options enabled, and everything still
looks good here.

Thanks.

> ---
>  net/sched/act_pedit.c | 45 +++++++++++++++++++++++++++----------------
>  1 file changed, 28 insertions(+), 17 deletions(-)
>
> diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c
> index bc20f08a2789..e01865af8ca0 100644
> --- a/net/sched/act_pedit.c
> +++ b/net/sched/act_pedit.c
> @@ -16,6 +16,7 @@
>  #include <linux/ip.h>
>  #include <linux/ipv6.h>
>  #include <linux/slab.h>
> +#include <linux/overflow.h>
>  #include <net/ipv6.h>
>  #include <net/netlink.h>
>  #include <net/pkt_sched.h>
> @@ -323,7 +324,7 @@ static bool offset_valid(struct sk_buff *skb, int offset)
>         if (offset > 0 && offset > skb->len)
>                 return false;
>
> -       if  (offset < 0 && -offset > skb_headroom(skb))
> +       if (offset < 0 && offset < -(int)skb_headroom(skb))
>                 return false;
>
>         return true;
> @@ -393,18 +394,10 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
>         struct tcf_pedit_key_ex *tkey_ex;
>         struct tcf_pedit_parms *parms;
>         struct tc_pedit_key *tkey;
> -       u32 max_offset;
>         int i;
>
>         parms = rcu_dereference_bh(p->parms);
>
> -       max_offset = (skb_transport_header_was_set(skb) ?
> -                     skb_transport_offset(skb) :
> -                     skb_network_offset(skb)) +
> -                    parms->tcfp_off_max_hint;
> -       if (skb_ensure_writable(skb, min(skb->len, max_offset)))
> -               goto done;
> -
>         tcf_lastuse_update(&p->tcf_tm);
>         tcf_action_update_bstats(&p->common, skb);
>
> @@ -412,9 +405,10 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
>         tkey_ex = parms->tcfp_keys_ex;
>
>         for (i = parms->tcfp_nkeys; i > 0; i--, tkey++) {
> +               int write_offset, write_len;
>                 int offset = tkey->off;
>                 int hoffset = 0;
> -               u32 *ptr, hdata;
> +               u32 *ptr;
>                 u32 val;
>                 int rc;
>
> @@ -451,15 +445,34 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
>                         }
>                 }
>
> -               if (!offset_valid(skb, hoffset + offset)) {
> -                       pr_info_ratelimited("tc action pedit offset %d out of bounds\n", hoffset + offset);
> +               if (check_add_overflow(hoffset, offset, &write_offset)) {
> +                       pr_info_ratelimited("tc action pedit offset overflow\n");
>                         goto bad;
>                 }
>
> -               ptr = skb_header_pointer(skb, hoffset + offset,
> -                                        sizeof(hdata), &hdata);
> -               if (!ptr)
> +               if (!offset_valid(skb, write_offset)) {
> +                       pr_info_ratelimited("tc action pedit offset %d out of bounds\n",
> +                                           write_offset);
>                         goto bad;
> +               }
> +
> +               if (write_offset < 0) {
> +                       if (skb_cow(skb, -write_offset))
> +                               goto bad;
> +                       if (write_offset + (int)sizeof(*ptr) > 0 &&
> +                           skb_ensure_writable(skb, min(skb->len,
> +                                                        write_offset + sizeof(*ptr))))
> +                               goto bad;
> +               } else {
> +                       if (check_add_overflow(write_offset, (int)sizeof(*ptr),
> +                                              &write_len))
> +                               goto bad;
> +                       if (skb_ensure_writable(skb, min_t(int, skb->len,
> +                                                          write_len)))
> +                               goto bad;
> +               }
> +
> +               ptr = (u32 *)(skb->data + write_offset);
>                 /* just do it, baby */
>                 switch (cmd) {
>                 case TCA_PEDIT_KEY_EX_CMD_SET:
> @@ -474,8 +487,6 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
>                 }
>
>                 *ptr = ((*ptr & tkey->mask) ^ val);
> -               if (ptr == &hdata)
> -                       skb_store_bits(skb, hoffset + offset, ptr, 4);
>         }
>
>         goto done;
> --
> 2.34.1
>

Re: [PATCH net v3 1/1] net/sched: fix pedit partial COW leading to page cache corruption

[Toke Høiland-Jørgensen]

Jamal Hadi Salim <jhs@mojatatu.com> writes:

> From: Rajat Gupta <rajat.gupta@oss.qualcomm.com>
>
> tcf_pedit_act() computes the COW range for skb_ensure_writable()
> once before the key loop using tcfp_off_max_hint, but the hint does
> not account for the runtime header offset added by typed keys. This
> can leave part of the write region un-COW'd.
>
> Fix by moving skb_ensure_writable() inside the per-key loop where
> the actual write offset is known, and add overflow checking on the
> offset arithmetic. For negative offsets (e.g. Ethernet header edits
> at ingress), use skb_cow() to COW the headroom instead. Guard
> offset_valid() against INT_MIN, where negation is undefined.

So you did tell us not to nitpick, but...

> 2) Add more optimal boundary checks (Toke & David L.)

[..]

> -	if  (offset < 0 && -offset > skb_headroom(skb))
> +	if (offset < 0 && offset < -(int)skb_headroom(skb))

Seems that bit of the changelog isn't actually accurate.

However, I don't think this matters, this version is not actually buggy;
so let's just get this merged, and we can code-golf the offset check on
top :)

I did re-run the tests on this version, and they look fine, so
re-affirming my tags.

-Toke

Re: [PATCH net v3 1/1] net/sched: fix pedit partial COW leading to page cache corruption

[Jamal Hadi Salim]

On Thu, May 28, 2026 at 6:03 AM Toke Høiland-Jørgensen <toke@redhat.com> wrote:
>
> Jamal Hadi Salim <jhs@mojatatu.com> writes:
>
> > From: Rajat Gupta <rajat.gupta@oss.qualcomm.com>
> >
> > tcf_pedit_act() computes the COW range for skb_ensure_writable()
> > once before the key loop using tcfp_off_max_hint, but the hint does
> > not account for the runtime header offset added by typed keys. This
> > can leave part of the write region un-COW'd.
> >
> > Fix by moving skb_ensure_writable() inside the per-key loop where
> > the actual write offset is known, and add overflow checking on the
> > offset arithmetic. For negative offsets (e.g. Ethernet header edits
> > at ingress), use skb_cow() to COW the headroom instead. Guard
> > offset_valid() against INT_MIN, where negation is undefined.
>
> So you did tell us not to nitpick, but...
>

Actually, an opportunity to nitpick has opened up;-> I have to resend.
In my rush to send the patch out i accidentally deleted the "Fixes"
while adding names and removing obsolete commit log. Probably missed
something else.

cheers,
jamal

> > 2) Add more optimal boundary checks (Toke & David L.)
>
> [..]
>
> > -     if  (offset < 0 && -offset > skb_headroom(skb))
> > +     if (offset < 0 && offset < -(int)skb_headroom(skb))
>
> Seems that bit of the changelog isn't actually accurate.
>
> However, I don't think this matters, this version is not actually buggy;
> so let's just get this merged, and we can code-golf the offset check on
> top :)
>
> I did re-run the tests on this version, and they look fine, so
> re-affirming my tags.
>
> -Toke
>

Re: [PATCH net v3 1/1] net/sched: fix pedit partial COW leading to page cache corruption

[David Laight]

On Thu, 28 May 2026 12:03:04 +0200
Toke Høiland-Jørgensen <toke@redhat.com> wrote:

...
> > 2) Add more optimal boundary checks (Toke & David L.)  
> 
> [..]
> 
> > -	if  (offset < 0 && -offset > skb_headroom(skb))
> > +	if (offset < 0 && offset < -(int)skb_headroom(skb))  
> 
...
> 
> However, I don't think this matters, this version is not actually buggy;
> so let's just get this merged, and we can code-golf the offset check on
> top :)

I prefer it in pink :-)

Re: [PATCH net v3 1/1] net/sched: fix pedit partial COW leading to page cache corruption

[Jamal Hadi Salim]

On Thu, May 28, 2026 at 6:26 AM Jamal Hadi Salim <jhs@mojatatu.com> wrote:
>
> On Thu, May 28, 2026 at 6:03 AM Toke Høiland-Jørgensen <toke@redhat.com> wrote:
> >
> > Jamal Hadi Salim <jhs@mojatatu.com> writes:
> >
> > > From: Rajat Gupta <rajat.gupta@oss.qualcomm.com>
> > >
> > > tcf_pedit_act() computes the COW range for skb_ensure_writable()
> > > once before the key loop using tcfp_off_max_hint, but the hint does
> > > not account for the runtime header offset added by typed keys. This
> > > can leave part of the write region un-COW'd.
> > >
> > > Fix by moving skb_ensure_writable() inside the per-key loop where
> > > the actual write offset is known, and add overflow checking on the
> > > offset arithmetic. For negative offsets (e.g. Ethernet header edits
> > > at ingress), use skb_cow() to COW the headroom instead. Guard
> > > offset_valid() against INT_MIN, where negation is undefined.
> >
> > So you did tell us not to nitpick, but...
> >
>
> Actually, an opportunity to nitpick has opened up;-> I have to resend.
> In my rush to send the patch out i accidentally deleted the "Fixes"
> while adding names and removing obsolete commit log. Probably missed
> something else.
>

Sigh. There's another issue that both sashikos pointed out in v2 but i
wasnt paying attention.
https://sashiko.dev/#/patchset/20260526155913.1060694-1-jhs%40mojatatu.com
https://netdev-ai.bots.linux.dev/sashiko/#/patchset/20260526155913.1060694-1-jhs%40mojatatu.com

I believe this is because we removed
skb_header_pointer/skb_store_bits() (which ensures you get an error if
you try to write beyond skb->len)

Toke/David - Would this be ok? It passes the tests - but i am afraid
it will require another round of reviews/tests

static bool offset_valid(struct sk_buff *skb, int offset, int len)
{
        if (offset < -(int)skb_headroom(skb))
                return false;

        return offset + len <= (int)skb->len;
}

If this is agreable can people test? then i will send the patch

cheers,
jamal


> > > 2) Add more optimal boundary checks (Toke & David L.)
> >
> > [..]
> >
> > > -     if  (offset < 0 && -offset > skb_headroom(skb))
> > > +     if (offset < 0 && offset < -(int)skb_headroom(skb))
> >
> > Seems that bit of the changelog isn't actually accurate.
> >
> > However, I don't think this matters, this version is not actually buggy;
> > so let's just get this merged, and we can code-golf the offset check on
> > top :)
> >
> > I did re-run the tests on this version, and they look fine, so
> > re-affirming my tags.
> >
> > -Toke
> >

Re: [PATCH net v3 1/1] net/sched: fix pedit partial COW leading to page cache corruption

[David Laight]

On Thu, 28 May 2026 13:53:14 -0400
Jamal Hadi Salim <jhs@mojatatu.com> wrote:

> On Thu, May 28, 2026 at 6:26 AM Jamal Hadi Salim <jhs@mojatatu.com> wrote:
> >
> > On Thu, May 28, 2026 at 6:03 AM Toke Høiland-Jørgensen <toke@redhat.com> wrote:  
> > >
> > > Jamal Hadi Salim <jhs@mojatatu.com> writes:
> > >  
> > > > From: Rajat Gupta <rajat.gupta@oss.qualcomm.com>
> > > >
> > > > tcf_pedit_act() computes the COW range for skb_ensure_writable()
> > > > once before the key loop using tcfp_off_max_hint, but the hint does
> > > > not account for the runtime header offset added by typed keys. This
> > > > can leave part of the write region un-COW'd.
> > > >
> > > > Fix by moving skb_ensure_writable() inside the per-key loop where
> > > > the actual write offset is known, and add overflow checking on the
> > > > offset arithmetic. For negative offsets (e.g. Ethernet header edits
> > > > at ingress), use skb_cow() to COW the headroom instead. Guard
> > > > offset_valid() against INT_MIN, where negation is undefined.  
> > >
> > > So you did tell us not to nitpick, but...
> > >  
> >
> > Actually, an opportunity to nitpick has opened up;-> I have to resend.
> > In my rush to send the patch out i accidentally deleted the "Fixes"
> > while adding names and removing obsolete commit log. Probably missed
> > something else.
> >  
> 
> Sigh. There's another issue that both sashikos pointed out in v2 but i
> wasnt paying attention.
> https://sashiko.dev/#/patchset/20260526155913.1060694-1-jhs%40mojatatu.com
> https://netdev-ai.bots.linux.dev/sashiko/#/patchset/20260526155913.1060694-1-jhs%40mojatatu.com
> 
> I believe this is because we removed
> skb_header_pointer/skb_store_bits() (which ensures you get an error if
> you try to write beyond skb->len)
> 
> Toke/David - Would this be ok? It passes the tests - but i am afraid
> it will require another round of reviews/tests

The length of the bytes being written got lost somewhere.

> 
> static bool offset_valid(struct sk_buff *skb, int offset, int len)
> {
>         if (offset < -(int)skb_headroom(skb))
>                 return false;
> 
>         return offset + len <= (int)skb->len;
> }
> 
> If this is agreable can people test? then i will send the patch

If 'offset' isn't a controlled value you don't want to add 4 to it.
OTOH skb->len is nice and safe.
So the original(ish) comparison:
	return offset <= (int)skb->len - len;
avoids the '+' overflowing.

-- David

> 
> cheers,
> jamal
> 
> 
> > > > 2) Add more optimal boundary checks (Toke & David L.)  
> > >
> > > [..]
> > >  
> > > > -     if  (offset < 0 && -offset > skb_headroom(skb))
> > > > +     if (offset < 0 && offset < -(int)skb_headroom(skb))  
> > >
> > > Seems that bit of the changelog isn't actually accurate.
> > >
> > > However, I don't think this matters, this version is not actually buggy;
> > > so let's just get this merged, and we can code-golf the offset check on
> > > top :)
> > >
> > > I did re-run the tests on this version, and they look fine, so
> > > re-affirming my tags.
> > >
> > > -Toke
> > >