[PATCH net v5 1/1] net/sched: fix pedit partial COW leading to page cache corruption

[PATCH net v5 1/1] net/sched: fix pedit partial COW leading to page cache corruption

[Jamal Hadi Salim]

From: Rajat Gupta <rajat.gupta@oss.qualcomm.com>

tcf_pedit_act() computes the COW range for skb_ensure_writable()
once before the key loop using tcfp_off_max_hint, but the hint does
not account for the runtime header offset added by typed keys. This
can leave part of the write region un-COW'd.

Fix by moving skb_ensure_writable() inside the per-key loop where
the actual write offset is known, and add overflow checking on the
offset arithmetic. For negative offsets (e.g. Ethernet header edits
at ingress), use skb_cow() to COW the headroom instead. Guard
offset_valid() against INT_MIN, where negation is undefined.

Fixes: 8b796475fd78 ("net/sched: act_pedit: really ensure the skb is writable")
Reported-by: Yiming Qian <yimingqian591@gmail.com>
Reported-by: Keenan Dong <keenanat2000@gmail.com>
Reported-by: Han Guidong <2045gemini@gmail.com>
Reported-by: Zhang Cen <rollkingzzc@gmail.com>
Reviewed-by: Han Guidong <2045gemini@gmail.com>
Tested-by: Han Guidong <2045gemini@gmail.com>
Reviewed-by: Davide Caratti <dcaratti@redhat.com>
Tested-by: Davide Caratti <dcaratti@redhat.com>
Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
Tested-by: Toke Høiland-Jørgensen <toke@redhat.com>
Reviewed-by: Victor Nogueira <victor@mojatatu.com>
Tested-by: Victor Nogueira <victor@mojatatu.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Rajat Gupta <rajat.gupta@oss.qualcomm.com>
---
v4->v5:
 1) Dead code removal obsoleted after removing tcfp_off_max_hint as identified
    by sashiko-claude[1]. Remove dead code updating "cur".
 2) Addition of hoffset at tkey->at promotes hoffset to unsigned int,
    wraps on overflow. Claim made by both sashiko-claude[1] and sashiko-gemini[2]
    I think this is far fetched but possible. Cast tkey->at to int.
 3) Signedness mismatch in min() macro may potentially cause build issues.
    Claim made by both sashiko-claude[1] and sashiko-gemini[2].
    Go back to min_t() for now. David L. can make a better proposal later..

[1]https://netdev-ai.bots.linux.dev/sashiko/#/patchset/20260530080643.1345521-1-jhs%40mojatatu.com
[2]https://sashiko.dev/#/patchset/20260530080643.1345521-1-jhs%40mojatatu.com
---
 include/net/tc_act/tc_pedit.h |  1 -
 net/sched/act_pedit.c         | 77 +++++++++++++++++++----------------
 2 files changed, 41 insertions(+), 37 deletions(-)

diff --git a/include/net/tc_act/tc_pedit.h b/include/net/tc_act/tc_pedit.h
index f58ee15cd858..cb7b82f2cbc7 100644
--- a/include/net/tc_act/tc_pedit.h
+++ b/include/net/tc_act/tc_pedit.h
@@ -15,7 +15,6 @@ struct tcf_pedit_parms {
 	struct tc_pedit_key	*tcfp_keys;
 	struct tcf_pedit_key_ex	*tcfp_keys_ex;
 	int action;
-	u32 tcfp_off_max_hint;
 	unsigned char tcfp_nkeys;
 	unsigned char tcfp_flags;
 	struct rcu_head rcu;
diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c
index bc20f08a2789..bd3b1da3cd63 100644
--- a/net/sched/act_pedit.c
+++ b/net/sched/act_pedit.c
@@ -16,6 +16,8 @@
 #include <linux/ip.h>
 #include <linux/ipv6.h>
 #include <linux/slab.h>
+#include <linux/overflow.h>
+#include <linux/unaligned.h>
 #include <net/ipv6.h>
 #include <net/netlink.h>
 #include <net/pkt_sched.h>
@@ -242,7 +244,6 @@ static int tcf_pedit_init(struct net *net, struct nlattr *nla,
 		goto out_free_ex;
 	}
 
-	nparms->tcfp_off_max_hint = 0;
 	nparms->tcfp_flags = parm->flags;
 	nparms->tcfp_nkeys = parm->nkeys;
 
@@ -268,14 +269,6 @@ static int tcf_pedit_init(struct net *net, struct nlattr *nla,
 						   BITS_PER_TYPE(int) - 1,
 						   nparms->tcfp_keys[i].shift);
 
-		/* The AT option can read a single byte, we can bound the actual
-		 * value with uchar max.
-		 */
-		cur += (0xff & offmask) >> nparms->tcfp_keys[i].shift;
-
-		/* Each key touches 4 bytes starting from the computed offset */
-		nparms->tcfp_off_max_hint =
-			max(nparms->tcfp_off_max_hint, cur + 4);
 	}
 
 	p = to_pedit(*a);
@@ -318,15 +311,12 @@ static void tcf_pedit_cleanup(struct tc_action *a)
 		call_rcu(&parms->rcu, tcf_pedit_cleanup_rcu);
 }
 
-static bool offset_valid(struct sk_buff *skb, int offset)
+static bool offset_valid(struct sk_buff *skb, int offset, int len)
 {
-	if (offset > 0 && offset > skb->len)
-		return false;
-
-	if  (offset < 0 && -offset > skb_headroom(skb))
+	if (offset < -(int)skb_headroom(skb))
 		return false;
 
-	return true;
+	return offset <= (int)skb->len - len;
 }
 
 static int pedit_l4_skb_offset(struct sk_buff *skb, int *hoffset, const int header_type)
@@ -393,18 +383,10 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
 	struct tcf_pedit_key_ex *tkey_ex;
 	struct tcf_pedit_parms *parms;
 	struct tc_pedit_key *tkey;
-	u32 max_offset;
 	int i;
 
 	parms = rcu_dereference_bh(p->parms);
 
-	max_offset = (skb_transport_header_was_set(skb) ?
-		      skb_transport_offset(skb) :
-		      skb_network_offset(skb)) +
-		     parms->tcfp_off_max_hint;
-	if (skb_ensure_writable(skb, min(skb->len, max_offset)))
-		goto done;
-
 	tcf_lastuse_update(&p->tcf_tm);
 	tcf_action_update_bstats(&p->common, skb);
 
@@ -412,10 +394,11 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
 	tkey_ex = parms->tcfp_keys_ex;
 
 	for (i = parms->tcfp_nkeys; i > 0; i--, tkey++) {
+		int write_offset, write_len;
 		int offset = tkey->off;
 		int hoffset = 0;
-		u32 *ptr, hdata;
-		u32 val;
+		u32 cur_val, val;
+		u32 *ptr;
 		int rc;
 
 		if (tkey_ex) {
@@ -433,13 +416,15 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
 
 		if (tkey->offmask) {
 			u8 *d, _d;
+			int at_offset;
 
-			if (!offset_valid(skb, hoffset + tkey->at)) {
+			if (check_add_overflow(hoffset, (int)tkey->at, &at_offset) ||
+			    !offset_valid(skb, at_offset, sizeof(_d))) {
 				pr_info_ratelimited("tc action pedit 'at' offset %d out of bounds\n",
 						    hoffset + tkey->at);
 				goto bad;
 			}
-			d = skb_header_pointer(skb, hoffset + tkey->at,
+			d = skb_header_pointer(skb, at_offset,
 					       sizeof(_d), &_d);
 			if (!d)
 				goto bad;
@@ -451,31 +436,51 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
 			}
 		}
 
-		if (!offset_valid(skb, hoffset + offset)) {
-			pr_info_ratelimited("tc action pedit offset %d out of bounds\n", hoffset + offset);
+		if (check_add_overflow(hoffset, offset, &write_offset)) {
+			pr_info_ratelimited("tc action pedit offset overflow\n");
 			goto bad;
 		}
 
-		ptr = skb_header_pointer(skb, hoffset + offset,
-					 sizeof(hdata), &hdata);
-		if (!ptr)
+		if (!offset_valid(skb, write_offset, sizeof(*ptr))) {
+			pr_info_ratelimited("tc action pedit offset %d out of bounds\n",
+					    write_offset);
 			goto bad;
+		}
+
+		if (write_offset < 0) {
+			if (skb_cow(skb, -write_offset))
+				goto bad;
+			if (write_offset + (int)sizeof(*ptr) > 0) {
+				if (skb_ensure_writable(skb,
+							min_t(int, skb->len,
+							      write_offset + (int)sizeof(*ptr))))
+					goto bad;
+			}
+		} else {
+			if (check_add_overflow(write_offset, (int)sizeof(*ptr),
+					       &write_len))
+				goto bad;
+			if (skb_ensure_writable(skb, min_t(int, skb->len,
+							   write_len)))
+				goto bad;
+		}
+
+		ptr = (u32 *)(skb->data + write_offset);
+		cur_val = get_unaligned(ptr);
 		/* just do it, baby */
 		switch (cmd) {
 		case TCA_PEDIT_KEY_EX_CMD_SET:
 			val = tkey->val;
 			break;
 		case TCA_PEDIT_KEY_EX_CMD_ADD:
-			val = (*ptr + tkey->val) & ~tkey->mask;
+			val = (cur_val + tkey->val) & ~tkey->mask;
 			break;
 		default:
 			pr_info_ratelimited("tc action pedit bad command (%d)\n", cmd);
 			goto bad;
 		}
 
-		*ptr = ((*ptr & tkey->mask) ^ val);
-		if (ptr == &hdata)
-			skb_store_bits(skb, hoffset + offset, ptr, 4);
+		put_unaligned((cur_val & tkey->mask) ^ val, ptr);
 	}
 
 	goto done;
-- 
2.34.1

Re: [PATCH net v5 1/1] net/sched: fix pedit partial COW leading to page cache corruption

[David Laight]

On Sun, 31 May 2026 08:32:21 -0400
Jamal Hadi Salim <jhs@mojatatu.com> wrote:

> From: Rajat Gupta <rajat.gupta@oss.qualcomm.com>
> 
> tcf_pedit_act() computes the COW range for skb_ensure_writable()
> once before the key loop using tcfp_off_max_hint, but the hint does
> not account for the runtime header offset added by typed keys. This
> can leave part of the write region un-COW'd.
> 
> Fix by moving skb_ensure_writable() inside the per-key loop where
> the actual write offset is known, and add overflow checking on the
> offset arithmetic. For negative offsets (e.g. Ethernet header edits
> at ingress), use skb_cow() to COW the headroom instead. Guard
> offset_valid() against INT_MIN, where negation is undefined.

This code has all got out of hand somewhere.
I've only been looking at offset_valid() code.

> Fixes: 8b796475fd78 ("net/sched: act_pedit: really ensure the skb is writable")
> Reported-by: Yiming Qian <yimingqian591@gmail.com>
> Reported-by: Keenan Dong <keenanat2000@gmail.com>
> Reported-by: Han Guidong <2045gemini@gmail.com>
> Reported-by: Zhang Cen <rollkingzzc@gmail.com>
> Reviewed-by: Han Guidong <2045gemini@gmail.com>
> Tested-by: Han Guidong <2045gemini@gmail.com>
> Reviewed-by: Davide Caratti <dcaratti@redhat.com>
> Tested-by: Davide Caratti <dcaratti@redhat.com>
> Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
> Tested-by: Toke Høiland-Jørgensen <toke@redhat.com>
> Reviewed-by: Victor Nogueira <victor@mojatatu.com>
> Tested-by: Victor Nogueira <victor@mojatatu.com>
> Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
> Signed-off-by: Rajat Gupta <rajat.gupta@oss.qualcomm.com>
> ---
> v4->v5:
>  1) Dead code removal obsoleted after removing tcfp_off_max_hint as identified
>     by sashiko-claude[1]. Remove dead code updating "cur".
>  2) Addition of hoffset at tkey->at promotes hoffset to unsigned int,
>     wraps on overflow. Claim made by both sashiko-claude[1] and sashiko-gemini[2]
>     I think this is far fetched but possible. Cast tkey->at to int.
>  3) Signedness mismatch in min() macro may potentially cause build issues.
>     Claim made by both sashiko-claude[1] and sashiko-gemini[2].
>     Go back to min_t() for now. David L. can make a better proposal later..
> 
> [1]https://netdev-ai.bots.linux.dev/sashiko/#/patchset/20260530080643.1345521-1-jhs%40mojatatu.com
> [2]https://sashiko.dev/#/patchset/20260530080643.1345521-1-jhs%40mojatatu.com
> ---
>  include/net/tc_act/tc_pedit.h |  1 -
>  net/sched/act_pedit.c         | 77 +++++++++++++++++++----------------
>  2 files changed, 41 insertions(+), 37 deletions(-)
> 
> diff --git a/include/net/tc_act/tc_pedit.h b/include/net/tc_act/tc_pedit.h
> index f58ee15cd858..cb7b82f2cbc7 100644
> --- a/include/net/tc_act/tc_pedit.h
> +++ b/include/net/tc_act/tc_pedit.h
> @@ -15,7 +15,6 @@ struct tcf_pedit_parms {
>  	struct tc_pedit_key	*tcfp_keys;
>  	struct tcf_pedit_key_ex	*tcfp_keys_ex;
>  	int action;
> -	u32 tcfp_off_max_hint;
>  	unsigned char tcfp_nkeys;
>  	unsigned char tcfp_flags;
>  	struct rcu_head rcu;
> diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c
> index bc20f08a2789..bd3b1da3cd63 100644
> --- a/net/sched/act_pedit.c
> +++ b/net/sched/act_pedit.c
> @@ -16,6 +16,8 @@
>  #include <linux/ip.h>
>  #include <linux/ipv6.h>
>  #include <linux/slab.h>
> +#include <linux/overflow.h>
> +#include <linux/unaligned.h>
>  #include <net/ipv6.h>
>  #include <net/netlink.h>
>  #include <net/pkt_sched.h>
> @@ -242,7 +244,6 @@ static int tcf_pedit_init(struct net *net, struct nlattr *nla,
>  		goto out_free_ex;
>  	}
>  
> -	nparms->tcfp_off_max_hint = 0;
>  	nparms->tcfp_flags = parm->flags;
>  	nparms->tcfp_nkeys = parm->nkeys;
>  
> @@ -268,14 +269,6 @@ static int tcf_pedit_init(struct net *net, struct nlattr *nla,
>  						   BITS_PER_TYPE(int) - 1,
>  						   nparms->tcfp_keys[i].shift);
>  
> -		/* The AT option can read a single byte, we can bound the actual
> -		 * value with uchar max.
> -		 */
> -		cur += (0xff & offmask) >> nparms->tcfp_keys[i].shift;
> -
> -		/* Each key touches 4 bytes starting from the computed offset */
> -		nparms->tcfp_off_max_hint =
> -			max(nparms->tcfp_off_max_hint, cur + 4);
>  	}
>  
>  	p = to_pedit(*a);
> @@ -318,15 +311,12 @@ static void tcf_pedit_cleanup(struct tc_action *a)
>  		call_rcu(&parms->rcu, tcf_pedit_cleanup_rcu);
>  }
>  
> -static bool offset_valid(struct sk_buff *skb, int offset)
> +static bool offset_valid(struct sk_buff *skb, int offset, int len)
>  {
> -	if (offset > 0 && offset > skb->len)
> -		return false;
> -
> -	if  (offset < 0 && -offset > skb_headroom(skb))
> +	if (offset < -(int)skb_headroom(skb))
>  		return false;
>  
> -	return true;
> +	return offset <= (int)skb->len - len;
>  }
>  
>  static int pedit_l4_skb_offset(struct sk_buff *skb, int *hoffset, const int header_type)
> @@ -393,18 +383,10 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
>  	struct tcf_pedit_key_ex *tkey_ex;
>  	struct tcf_pedit_parms *parms;
>  	struct tc_pedit_key *tkey;
> -	u32 max_offset;
>  	int i;
>  
>  	parms = rcu_dereference_bh(p->parms);
>  
> -	max_offset = (skb_transport_header_was_set(skb) ?
> -		      skb_transport_offset(skb) :
> -		      skb_network_offset(skb)) +
> -		     parms->tcfp_off_max_hint;
> -	if (skb_ensure_writable(skb, min(skb->len, max_offset)))
> -		goto done;
> -
>  	tcf_lastuse_update(&p->tcf_tm);
>  	tcf_action_update_bstats(&p->common, skb);
>  
> @@ -412,10 +394,11 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
>  	tkey_ex = parms->tcfp_keys_ex;
>  
>  	for (i = parms->tcfp_nkeys; i > 0; i--, tkey++) {
> +		int write_offset, write_len;
>  		int offset = tkey->off;
>  		int hoffset = 0;
> -		u32 *ptr, hdata;
> -		u32 val;
> +		u32 cur_val, val;
> +		u32 *ptr;
>  		int rc;
>  
>  		if (tkey_ex) {
> @@ -433,13 +416,15 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
>  
>  		if (tkey->offmask) {
>  			u8 *d, _d;
> +			int at_offset;
>  
> -			if (!offset_valid(skb, hoffset + tkey->at)) {
> +			if (check_add_overflow(hoffset, (int)tkey->at, &at_offset) ||

There is no real reason for checking the add.
All that matters is that offset_valid() and skb_header_pointer() are
passed the same offset.
Assigning it to a local would make that clearer.

> +			    !offset_valid(skb, at_offset, sizeof(_d))) {
>  				pr_info_ratelimited("tc action pedit 'at' offset %d out of bounds\n",
>  						    hoffset + tkey->at);
>  				goto bad;
>  			}
> -			d = skb_header_pointer(skb, hoffset + tkey->at,
> +			d = skb_header_pointer(skb, at_offset,
>  					       sizeof(_d), &_d);
>  			if (!d)
>  				goto bad;
> @@ -451,31 +436,51 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
>  			}
>  		}
>  
> -		if (!offset_valid(skb, hoffset + offset)) {
> -			pr_info_ratelimited("tc action pedit offset %d out of bounds\n", hoffset + offset);
> +		if (check_add_overflow(hoffset, offset, &write_offset)) {
> +			pr_info_ratelimited("tc action pedit offset overflow\n");
>  			goto bad;
>  		}
>  
> -		ptr = skb_header_pointer(skb, hoffset + offset,
> -					 sizeof(hdata), &hdata);
> -		if (!ptr)
> +		if (!offset_valid(skb, write_offset, sizeof(*ptr))) {
> +			pr_info_ratelimited("tc action pedit offset %d out of bounds\n",
> +					    write_offset);
>  			goto bad;
> +		}

Again all that matters is that the same value is passed to offset_valid()
and skb_header_pointer().

> +
> +		if (write_offset < 0) {
> +			if (skb_cow(skb, -write_offset))
> +				goto bad;
> +			if (write_offset + (int)sizeof(*ptr) > 0) {
> +				if (skb_ensure_writable(skb,
> +							min_t(int, skb->len,
> +							      write_offset + (int)sizeof(*ptr))))

That min isn't needed (same as below).

> +					goto bad;
> +			}
> +		} else {
> +			if (check_add_overflow(write_offset, (int)sizeof(*ptr),
> +					       &write_len))

That can't fail because of the 'return offset <= (int)skb->len - len;' check.

> +				goto bad;
> +			if (skb_ensure_writable(skb, min_t(int, skb->len,
> +							   write_len)))

Similarly that min_t() will return 'write_len'.
But is that even correct?
The code wants to write 4 bytes at skb->data + write_offset.
I can't see where the offset is used.
All the overflow tests have made the logic far too hard to follow.

I think that whole lot can just be:
	hoffset += offset;
	if (offset_valid(skb, hoffset, sizeof(hdata)))
		goto bad;
	
	/* Ensure any needed headroom is writeable */
	if (hoffset < 0 && skb_cow(skb, -hoffset)
		goto bad;
	/* Ensure the skb is writeable to the end of the area to be written.
	 * The data is pulled into the skb header. */
	if ((hoffset >= 0 || hoffset + (int)sizeof(hdata) > 0) &&
	    skb_ensure_writable(skb, hoffset + (int)sizeof(hdata))
		goto bad;
The call to offset_valid() does all the other checks.
(The hoffset >= 0 check is the inverse of the earlier check and will
be optimised away - skipping the second second test which is then
always true.)

If you really want a warning message, put a generic one on 'bad;'.

> +				goto bad;
> +		}
> +
> +		ptr = (u32 *)(skb->data + write_offset);
> +		cur_val = get_unaligned(ptr);

Given you are doing an unaligned read you could remove the check in the
'offmask' path that the final offset is a multiple of 4.
Nothing checked that tkey->off is a multiple of 4, and I suspect that
is user-specifiable?
I'm also not entirely that the mac_header is aligned.

-- David

>  		/* just do it, baby */
>  		switch (cmd) {
>  		case TCA_PEDIT_KEY_EX_CMD_SET:
>  			val = tkey->val;
>  			break;
>  		case TCA_PEDIT_KEY_EX_CMD_ADD:
> -			val = (*ptr + tkey->val) & ~tkey->mask;
> +			val = (cur_val + tkey->val) & ~tkey->mask;
>  			break;
>  		default:
>  			pr_info_ratelimited("tc action pedit bad command (%d)\n", cmd);
>  			goto bad;
>  		}
>  
> -		*ptr = ((*ptr & tkey->mask) ^ val);
> -		if (ptr == &hdata)
> -			skb_store_bits(skb, hoffset + offset, ptr, 4);
> +		put_unaligned((cur_val & tkey->mask) ^ val, ptr);
>  	}
>  
>  	goto done;

Re: [PATCH net v5 1/1] net/sched: fix pedit partial COW leading to page cache corruption

[Jamal Hadi Salim]

On Sun, May 31, 2026 at 12:15 PM David Laight
<david.laight.linux@gmail.com> wrote:
>
> On Sun, 31 May 2026 08:32:21 -0400
> Jamal Hadi Salim <jhs@mojatatu.com> wrote:
>
> > From: Rajat Gupta <rajat.gupta@oss.qualcomm.com>
> >
> > tcf_pedit_act() computes the COW range for skb_ensure_writable()
> > once before the key loop using tcfp_off_max_hint, but the hint does
> > not account for the runtime header offset added by typed keys. This
> > can leave part of the write region un-COW'd.
> >
> > Fix by moving skb_ensure_writable() inside the per-key loop where
> > the actual write offset is known, and add overflow checking on the
> > offset arithmetic. For negative offsets (e.g. Ethernet header edits
> > at ingress), use skb_cow() to COW the headroom instead. Guard
> > offset_valid() against INT_MIN, where negation is undefined.
>
> This code has all got out of hand somewhere.
> I've only been looking at offset_valid() code.
>
> > Fixes: 8b796475fd78 ("net/sched: act_pedit: really ensure the skb is writable")
> > Reported-by: Yiming Qian <yimingqian591@gmail.com>
> > Reported-by: Keenan Dong <keenanat2000@gmail.com>
> > Reported-by: Han Guidong <2045gemini@gmail.com>
> > Reported-by: Zhang Cen <rollkingzzc@gmail.com>
> > Reviewed-by: Han Guidong <2045gemini@gmail.com>
> > Tested-by: Han Guidong <2045gemini@gmail.com>
> > Reviewed-by: Davide Caratti <dcaratti@redhat.com>
> > Tested-by: Davide Caratti <dcaratti@redhat.com>
> > Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
> > Tested-by: Toke Høiland-Jørgensen <toke@redhat.com>
> > Reviewed-by: Victor Nogueira <victor@mojatatu.com>
> > Tested-by: Victor Nogueira <victor@mojatatu.com>
> > Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
> > Signed-off-by: Rajat Gupta <rajat.gupta@oss.qualcomm.com>
> > ---
> > v4->v5:
> >  1) Dead code removal obsoleted after removing tcfp_off_max_hint as identified
> >     by sashiko-claude[1]. Remove dead code updating "cur".
> >  2) Addition of hoffset at tkey->at promotes hoffset to unsigned int,
> >     wraps on overflow. Claim made by both sashiko-claude[1] and sashiko-gemini[2]
> >     I think this is far fetched but possible. Cast tkey->at to int.
> >  3) Signedness mismatch in min() macro may potentially cause build issues.
> >     Claim made by both sashiko-claude[1] and sashiko-gemini[2].
> >     Go back to min_t() for now. David L. can make a better proposal later..
> >
> > [1]https://netdev-ai.bots.linux.dev/sashiko/#/patchset/20260530080643.1345521-1-jhs%40mojatatu.com
> > [2]https://sashiko.dev/#/patchset/20260530080643.1345521-1-jhs%40mojatatu.com
> > ---
> >  include/net/tc_act/tc_pedit.h |  1 -
> >  net/sched/act_pedit.c         | 77 +++++++++++++++++++----------------
> >  2 files changed, 41 insertions(+), 37 deletions(-)
> >
> > diff --git a/include/net/tc_act/tc_pedit.h b/include/net/tc_act/tc_pedit.h
> > index f58ee15cd858..cb7b82f2cbc7 100644
> > --- a/include/net/tc_act/tc_pedit.h
> > +++ b/include/net/tc_act/tc_pedit.h
> > @@ -15,7 +15,6 @@ struct tcf_pedit_parms {
> >       struct tc_pedit_key     *tcfp_keys;
> >       struct tcf_pedit_key_ex *tcfp_keys_ex;
> >       int action;
> > -     u32 tcfp_off_max_hint;
> >       unsigned char tcfp_nkeys;
> >       unsigned char tcfp_flags;
> >       struct rcu_head rcu;
> > diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c
> > index bc20f08a2789..bd3b1da3cd63 100644
> > --- a/net/sched/act_pedit.c
> > +++ b/net/sched/act_pedit.c
> > @@ -16,6 +16,8 @@
> >  #include <linux/ip.h>
> >  #include <linux/ipv6.h>
> >  #include <linux/slab.h>
> > +#include <linux/overflow.h>
> > +#include <linux/unaligned.h>
> >  #include <net/ipv6.h>
> >  #include <net/netlink.h>
> >  #include <net/pkt_sched.h>
> > @@ -242,7 +244,6 @@ static int tcf_pedit_init(struct net *net, struct nlattr *nla,
> >               goto out_free_ex;
> >       }
> >
> > -     nparms->tcfp_off_max_hint = 0;
> >       nparms->tcfp_flags = parm->flags;
> >       nparms->tcfp_nkeys = parm->nkeys;
> >
> > @@ -268,14 +269,6 @@ static int tcf_pedit_init(struct net *net, struct nlattr *nla,
> >                                                  BITS_PER_TYPE(int) - 1,
> >                                                  nparms->tcfp_keys[i].shift);
> >
> > -             /* The AT option can read a single byte, we can bound the actual
> > -              * value with uchar max.
> > -              */
> > -             cur += (0xff & offmask) >> nparms->tcfp_keys[i].shift;
> > -
> > -             /* Each key touches 4 bytes starting from the computed offset */
> > -             nparms->tcfp_off_max_hint =
> > -                     max(nparms->tcfp_off_max_hint, cur + 4);
> >       }
> >
> >       p = to_pedit(*a);
> > @@ -318,15 +311,12 @@ static void tcf_pedit_cleanup(struct tc_action *a)
> >               call_rcu(&parms->rcu, tcf_pedit_cleanup_rcu);
> >  }
> >
> > -static bool offset_valid(struct sk_buff *skb, int offset)
> > +static bool offset_valid(struct sk_buff *skb, int offset, int len)
> >  {
> > -     if (offset > 0 && offset > skb->len)
> > -             return false;
> > -
> > -     if  (offset < 0 && -offset > skb_headroom(skb))
> > +     if (offset < -(int)skb_headroom(skb))
> >               return false;
> >
> > -     return true;
> > +     return offset <= (int)skb->len - len;
> >  }
> >
> >  static int pedit_l4_skb_offset(struct sk_buff *skb, int *hoffset, const int header_type)
> > @@ -393,18 +383,10 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
> >       struct tcf_pedit_key_ex *tkey_ex;
> >       struct tcf_pedit_parms *parms;
> >       struct tc_pedit_key *tkey;
> > -     u32 max_offset;
> >       int i;
> >
> >       parms = rcu_dereference_bh(p->parms);
> >
> > -     max_offset = (skb_transport_header_was_set(skb) ?
> > -                   skb_transport_offset(skb) :
> > -                   skb_network_offset(skb)) +
> > -                  parms->tcfp_off_max_hint;
> > -     if (skb_ensure_writable(skb, min(skb->len, max_offset)))
> > -             goto done;
> > -
> >       tcf_lastuse_update(&p->tcf_tm);
> >       tcf_action_update_bstats(&p->common, skb);
> >
> > @@ -412,10 +394,11 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
> >       tkey_ex = parms->tcfp_keys_ex;
> >
> >       for (i = parms->tcfp_nkeys; i > 0; i--, tkey++) {
> > +             int write_offset, write_len;
> >               int offset = tkey->off;
> >               int hoffset = 0;
> > -             u32 *ptr, hdata;
> > -             u32 val;
> > +             u32 cur_val, val;
> > +             u32 *ptr;
> >               int rc;
> >
> >               if (tkey_ex) {
> > @@ -433,13 +416,15 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
> >
> >               if (tkey->offmask) {
> >                       u8 *d, _d;
> > +                     int at_offset;
> >
> > -                     if (!offset_valid(skb, hoffset + tkey->at)) {
> > +                     if (check_add_overflow(hoffset, (int)tkey->at, &at_offset) ||
>
> There is no real reason for checking the add.
> All that matters is that offset_valid() and skb_header_pointer() are
> passed the same offset.
> Assigning it to a local would make that clearer.

You are technically correct - but earlier discussion was I believe
that signed integer overflow as undefined behavior and those checks
are there to avoid that and logic bypasses.

>
> > +                         !offset_valid(skb, at_offset, sizeof(_d))) {
> >                               pr_info_ratelimited("tc action pedit 'at' offset %d out of bounds\n",
> >                                                   hoffset + tkey->at);
> >                               goto bad;
> >                       }
> > -                     d = skb_header_pointer(skb, hoffset + tkey->at,
> > +                     d = skb_header_pointer(skb, at_offset,
> >                                              sizeof(_d), &_d);
> >                       if (!d)
> >                               goto bad;
> > @@ -451,31 +436,51 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
> >                       }
> >               }
> >
> > -             if (!offset_valid(skb, hoffset + offset)) {
> > -                     pr_info_ratelimited("tc action pedit offset %d out of bounds\n", hoffset + offset);
> > +             if (check_add_overflow(hoffset, offset, &write_offset)) {
> > +                     pr_info_ratelimited("tc action pedit offset overflow\n");
> >                       goto bad;
> >               }
> >
> > -             ptr = skb_header_pointer(skb, hoffset + offset,
> > -                                      sizeof(hdata), &hdata);
> > -             if (!ptr)
> > +             if (!offset_valid(skb, write_offset, sizeof(*ptr))) {
> > +                     pr_info_ratelimited("tc action pedit offset %d out of bounds\n",
> > +                                         write_offset);
> >                       goto bad;
> > +             }
>
> Again all that matters is that the same value is passed to offset_valid()
> and skb_header_pointer().

Same comment as earlier.
Note: we replaced skb_header_pointer() with direct memory access "ptr
= (u32 *)(skb->data + write_offset)" further down.
so extra validation of write_offset is justifiable, no?


> > +
> > +             if (write_offset < 0) {
> > +                     if (skb_cow(skb, -write_offset))
> > +                             goto bad;
> > +                     if (write_offset + (int)sizeof(*ptr) > 0) {
> > +                             if (skb_ensure_writable(skb,
> > +                                                     min_t(int, skb->len,
> > +                                                           write_offset + (int)sizeof(*ptr))))
>
> That min isn't needed (same as below).

Ok - yes, i see that. Same with the min(). Why did we think we needed
min/min_t() before?

> > +                                     goto bad;
> > +                     }
> > +             } else {
> > +                     if (check_add_overflow(write_offset, (int)sizeof(*ptr),
> > +                                            &write_len))
>
> That can't fail because of the 'return offset <= (int)skb->len - len;' check.

True.

>
> > +                             goto bad;
> > +                     if (skb_ensure_writable(skb, min_t(int, skb->len,
> > +                                                        write_len)))
>
> Similarly that min_t() will return 'write_len'.
> But is that even correct?
> The code wants to write 4 bytes at skb->data + write_offset.
> I can't see where the offset is used.
> All the overflow tests have made the logic far too hard to follow.
>
> I think that whole lot can just be:
>         hoffset += offset;
>         if (offset_valid(skb, hoffset, sizeof(hdata)))
>                 goto bad;
>
>         /* Ensure any needed headroom is writeable */
>         if (hoffset < 0 && skb_cow(skb, -hoffset)
>                 goto bad;
>         /* Ensure the skb is writeable to the end of the area to be written.
>          * The data is pulled into the skb header. */
>         if ((hoffset >= 0 || hoffset + (int)sizeof(hdata) > 0) &&
>             skb_ensure_writable(skb, hoffset + (int)sizeof(hdata))
>                 goto bad;
> The call to offset_valid() does all the other checks.
> (The hoffset >= 0 check is the inverse of the earlier check and will
> be optimised away - skipping the second second test which is then
> always true.)

Yes, that code is more readable.

> If you really want a warning message, put a generic one on 'bad;'.
>
> > +                             goto bad;
> > +             }
> > +
> > +             ptr = (u32 *)(skb->data + write_offset);
> > +             cur_val = get_unaligned(ptr);
>
> Given you are doing an unaligned read you could remove the check in the
> 'offmask' path that the final offset is a multiple of 4.
> Nothing checked that tkey->off is a multiple of 4, and I suspect that
> is user-specifiable?

The only reason i will keep that check is because we have always
checked for the 32b alignment from an API perspective. I am less
worried about than potentially breaking something in the hardware
offload path when a user passes unaligned offsets down given that
these code paths (towards hardware) have been well vetted.

I am trying to get this security fix in. Do you see anything in what
you stated as a show stopper? IOW introducing regression or plain
wrong?
If not, I will wait for the AI review or if someone finds an issue
which breaks something - and if it is worth going back then i will
consider your suggestions as part of the next update.
Does that sound reasonable?

cheers,
jamal

> I'm also not entirely that the mac_header is aligned.
>
> -- David
>
> >               /* just do it, baby */
> >               switch (cmd) {
> >               case TCA_PEDIT_KEY_EX_CMD_SET:
> >                       val = tkey->val;
> >                       break;
> >               case TCA_PEDIT_KEY_EX_CMD_ADD:
> > -                     val = (*ptr + tkey->val) & ~tkey->mask;
> > +                     val = (cur_val + tkey->val) & ~tkey->mask;
> >                       break;
> >               default:
> >                       pr_info_ratelimited("tc action pedit bad command (%d)\n", cmd);
> >                       goto bad;
> >               }
> >
> > -             *ptr = ((*ptr & tkey->mask) ^ val);
> > -             if (ptr == &hdata)
> > -                     skb_store_bits(skb, hoffset + offset, ptr, 4);
> > +             put_unaligned((cur_val & tkey->mask) ^ val, ptr);
> >       }
> >
> >       goto done;
>

Re: [PATCH net v5 1/1] net/sched: fix pedit partial COW leading to page cache corruption

[Jamal Hadi Salim]

[-- Attachment #1: Type: text/plain, Size: 14754 bytes --]

On Sun, May 31, 2026 at 1:25 PM Jamal Hadi Salim <jhs@mojatatu.com> wrote:
>
> On Sun, May 31, 2026 at 12:15 PM David Laight
> <david.laight.linux@gmail.com> wrote:
> >
> > On Sun, 31 May 2026 08:32:21 -0400
> > Jamal Hadi Salim <jhs@mojatatu.com> wrote:
> >
> > > From: Rajat Gupta <rajat.gupta@oss.qualcomm.com>
> > >
> > > tcf_pedit_act() computes the COW range for skb_ensure_writable()
> > > once before the key loop using tcfp_off_max_hint, but the hint does
> > > not account for the runtime header offset added by typed keys. This
> > > can leave part of the write region un-COW'd.
> > >
> > > Fix by moving skb_ensure_writable() inside the per-key loop where
> > > the actual write offset is known, and add overflow checking on the
> > > offset arithmetic. For negative offsets (e.g. Ethernet header edits
> > > at ingress), use skb_cow() to COW the headroom instead. Guard
> > > offset_valid() against INT_MIN, where negation is undefined.
> >
> > This code has all got out of hand somewhere.
> > I've only been looking at offset_valid() code.
> >
> > > Fixes: 8b796475fd78 ("net/sched: act_pedit: really ensure the skb is writable")
> > > Reported-by: Yiming Qian <yimingqian591@gmail.com>
> > > Reported-by: Keenan Dong <keenanat2000@gmail.com>
> > > Reported-by: Han Guidong <2045gemini@gmail.com>
> > > Reported-by: Zhang Cen <rollkingzzc@gmail.com>
> > > Reviewed-by: Han Guidong <2045gemini@gmail.com>
> > > Tested-by: Han Guidong <2045gemini@gmail.com>
> > > Reviewed-by: Davide Caratti <dcaratti@redhat.com>
> > > Tested-by: Davide Caratti <dcaratti@redhat.com>
> > > Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
> > > Tested-by: Toke Høiland-Jørgensen <toke@redhat.com>
> > > Reviewed-by: Victor Nogueira <victor@mojatatu.com>
> > > Tested-by: Victor Nogueira <victor@mojatatu.com>
> > > Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
> > > Signed-off-by: Rajat Gupta <rajat.gupta@oss.qualcomm.com>
> > > ---
> > > v4->v5:
> > >  1) Dead code removal obsoleted after removing tcfp_off_max_hint as identified
> > >     by sashiko-claude[1]. Remove dead code updating "cur".
> > >  2) Addition of hoffset at tkey->at promotes hoffset to unsigned int,
> > >     wraps on overflow. Claim made by both sashiko-claude[1] and sashiko-gemini[2]
> > >     I think this is far fetched but possible. Cast tkey->at to int.
> > >  3) Signedness mismatch in min() macro may potentially cause build issues.
> > >     Claim made by both sashiko-claude[1] and sashiko-gemini[2].
> > >     Go back to min_t() for now. David L. can make a better proposal later..
> > >
> > > [1]https://netdev-ai.bots.linux.dev/sashiko/#/patchset/20260530080643.1345521-1-jhs%40mojatatu.com
> > > [2]https://sashiko.dev/#/patchset/20260530080643.1345521-1-jhs%40mojatatu.com
> > > ---
> > >  include/net/tc_act/tc_pedit.h |  1 -
> > >  net/sched/act_pedit.c         | 77 +++++++++++++++++++----------------
> > >  2 files changed, 41 insertions(+), 37 deletions(-)
> > >
> > > diff --git a/include/net/tc_act/tc_pedit.h b/include/net/tc_act/tc_pedit.h
> > > index f58ee15cd858..cb7b82f2cbc7 100644
> > > --- a/include/net/tc_act/tc_pedit.h
> > > +++ b/include/net/tc_act/tc_pedit.h
> > > @@ -15,7 +15,6 @@ struct tcf_pedit_parms {
> > >       struct tc_pedit_key     *tcfp_keys;
> > >       struct tcf_pedit_key_ex *tcfp_keys_ex;
> > >       int action;
> > > -     u32 tcfp_off_max_hint;
> > >       unsigned char tcfp_nkeys;
> > >       unsigned char tcfp_flags;
> > >       struct rcu_head rcu;
> > > diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c
> > > index bc20f08a2789..bd3b1da3cd63 100644
> > > --- a/net/sched/act_pedit.c
> > > +++ b/net/sched/act_pedit.c
> > > @@ -16,6 +16,8 @@
> > >  #include <linux/ip.h>
> > >  #include <linux/ipv6.h>
> > >  #include <linux/slab.h>
> > > +#include <linux/overflow.h>
> > > +#include <linux/unaligned.h>
> > >  #include <net/ipv6.h>
> > >  #include <net/netlink.h>
> > >  #include <net/pkt_sched.h>
> > > @@ -242,7 +244,6 @@ static int tcf_pedit_init(struct net *net, struct nlattr *nla,
> > >               goto out_free_ex;
> > >       }
> > >
> > > -     nparms->tcfp_off_max_hint = 0;
> > >       nparms->tcfp_flags = parm->flags;
> > >       nparms->tcfp_nkeys = parm->nkeys;
> > >
> > > @@ -268,14 +269,6 @@ static int tcf_pedit_init(struct net *net, struct nlattr *nla,
> > >                                                  BITS_PER_TYPE(int) - 1,
> > >                                                  nparms->tcfp_keys[i].shift);
> > >
> > > -             /* The AT option can read a single byte, we can bound the actual
> > > -              * value with uchar max.
> > > -              */
> > > -             cur += (0xff & offmask) >> nparms->tcfp_keys[i].shift;
> > > -
> > > -             /* Each key touches 4 bytes starting from the computed offset */
> > > -             nparms->tcfp_off_max_hint =
> > > -                     max(nparms->tcfp_off_max_hint, cur + 4);
> > >       }
> > >
> > >       p = to_pedit(*a);
> > > @@ -318,15 +311,12 @@ static void tcf_pedit_cleanup(struct tc_action *a)
> > >               call_rcu(&parms->rcu, tcf_pedit_cleanup_rcu);
> > >  }
> > >
> > > -static bool offset_valid(struct sk_buff *skb, int offset)
> > > +static bool offset_valid(struct sk_buff *skb, int offset, int len)
> > >  {
> > > -     if (offset > 0 && offset > skb->len)
> > > -             return false;
> > > -
> > > -     if  (offset < 0 && -offset > skb_headroom(skb))
> > > +     if (offset < -(int)skb_headroom(skb))
> > >               return false;
> > >
> > > -     return true;
> > > +     return offset <= (int)skb->len - len;
> > >  }
> > >
> > >  static int pedit_l4_skb_offset(struct sk_buff *skb, int *hoffset, const int header_type)
> > > @@ -393,18 +383,10 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
> > >       struct tcf_pedit_key_ex *tkey_ex;
> > >       struct tcf_pedit_parms *parms;
> > >       struct tc_pedit_key *tkey;
> > > -     u32 max_offset;
> > >       int i;
> > >
> > >       parms = rcu_dereference_bh(p->parms);
> > >
> > > -     max_offset = (skb_transport_header_was_set(skb) ?
> > > -                   skb_transport_offset(skb) :
> > > -                   skb_network_offset(skb)) +
> > > -                  parms->tcfp_off_max_hint;
> > > -     if (skb_ensure_writable(skb, min(skb->len, max_offset)))
> > > -             goto done;
> > > -
> > >       tcf_lastuse_update(&p->tcf_tm);
> > >       tcf_action_update_bstats(&p->common, skb);
> > >
> > > @@ -412,10 +394,11 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
> > >       tkey_ex = parms->tcfp_keys_ex;
> > >
> > >       for (i = parms->tcfp_nkeys; i > 0; i--, tkey++) {
> > > +             int write_offset, write_len;
> > >               int offset = tkey->off;
> > >               int hoffset = 0;
> > > -             u32 *ptr, hdata;
> > > -             u32 val;
> > > +             u32 cur_val, val;
> > > +             u32 *ptr;
> > >               int rc;
> > >
> > >               if (tkey_ex) {
> > > @@ -433,13 +416,15 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
> > >
> > >               if (tkey->offmask) {
> > >                       u8 *d, _d;
> > > +                     int at_offset;
> > >
> > > -                     if (!offset_valid(skb, hoffset + tkey->at)) {
> > > +                     if (check_add_overflow(hoffset, (int)tkey->at, &at_offset) ||
> >
> > There is no real reason for checking the add.
> > All that matters is that offset_valid() and skb_header_pointer() are
> > passed the same offset.
> > Assigning it to a local would make that clearer.
>
> You are technically correct - but earlier discussion was I believe
> that signed integer overflow as undefined behavior and those checks
> are there to avoid that and logic bypasses.
>
> >
> > > +                         !offset_valid(skb, at_offset, sizeof(_d))) {
> > >                               pr_info_ratelimited("tc action pedit 'at' offset %d out of bounds\n",
> > >                                                   hoffset + tkey->at);
> > >                               goto bad;
> > >                       }
> > > -                     d = skb_header_pointer(skb, hoffset + tkey->at,
> > > +                     d = skb_header_pointer(skb, at_offset,
> > >                                              sizeof(_d), &_d);
> > >                       if (!d)
> > >                               goto bad;
> > > @@ -451,31 +436,51 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
> > >                       }
> > >               }
> > >
> > > -             if (!offset_valid(skb, hoffset + offset)) {
> > > -                     pr_info_ratelimited("tc action pedit offset %d out of bounds\n", hoffset + offset);
> > > +             if (check_add_overflow(hoffset, offset, &write_offset)) {
> > > +                     pr_info_ratelimited("tc action pedit offset overflow\n");
> > >                       goto bad;
> > >               }
> > >
> > > -             ptr = skb_header_pointer(skb, hoffset + offset,
> > > -                                      sizeof(hdata), &hdata);
> > > -             if (!ptr)
> > > +             if (!offset_valid(skb, write_offset, sizeof(*ptr))) {
> > > +                     pr_info_ratelimited("tc action pedit offset %d out of bounds\n",
> > > +                                         write_offset);
> > >                       goto bad;
> > > +             }
> >
> > Again all that matters is that the same value is passed to offset_valid()
> > and skb_header_pointer().
>
> Same comment as earlier.
> Note: we replaced skb_header_pointer() with direct memory access "ptr
> = (u32 *)(skb->data + write_offset)" further down.
> so extra validation of write_offset is justifiable, no?
>
>
> > > +
> > > +             if (write_offset < 0) {
> > > +                     if (skb_cow(skb, -write_offset))
> > > +                             goto bad;
> > > +                     if (write_offset + (int)sizeof(*ptr) > 0) {
> > > +                             if (skb_ensure_writable(skb,
> > > +                                                     min_t(int, skb->len,
> > > +                                                           write_offset + (int)sizeof(*ptr))))
> >
> > That min isn't needed (same as below).
>
> Ok - yes, i see that. Same with the min(). Why did we think we needed
> min/min_t() before?
>
> > > +                                     goto bad;
> > > +                     }
> > > +             } else {
> > > +                     if (check_add_overflow(write_offset, (int)sizeof(*ptr),
> > > +                                            &write_len))
> >
> > That can't fail because of the 'return offset <= (int)skb->len - len;' check.
>
> True.
>
> >
> > > +                             goto bad;
> > > +                     if (skb_ensure_writable(skb, min_t(int, skb->len,
> > > +                                                        write_len)))
> >
> > Similarly that min_t() will return 'write_len'.
> > But is that even correct?
> > The code wants to write 4 bytes at skb->data + write_offset.
> > I can't see where the offset is used.
> > All the overflow tests have made the logic far too hard to follow.
> >
> > I think that whole lot can just be:
> >         hoffset += offset;
> >         if (offset_valid(skb, hoffset, sizeof(hdata)))
> >                 goto bad;
> >
> >         /* Ensure any needed headroom is writeable */
> >         if (hoffset < 0 && skb_cow(skb, -hoffset)
> >                 goto bad;
> >         /* Ensure the skb is writeable to the end of the area to be written.
> >          * The data is pulled into the skb header. */
> >         if ((hoffset >= 0 || hoffset + (int)sizeof(hdata) > 0) &&
> >             skb_ensure_writable(skb, hoffset + (int)sizeof(hdata))
> >                 goto bad;
> > The call to offset_valid() does all the other checks.
> > (The hoffset >= 0 check is the inverse of the earlier check and will
> > be optimised away - skipping the second second test which is then
> > always true.)
>
> Yes, that code is more readable.
>
> > If you really want a warning message, put a generic one on 'bad;'.
> >
> > > +                             goto bad;
> > > +             }
> > > +
> > > +             ptr = (u32 *)(skb->data + write_offset);
> > > +             cur_val = get_unaligned(ptr);
> >
> > Given you are doing an unaligned read you could remove the check in the
> > 'offmask' path that the final offset is a multiple of 4.
> > Nothing checked that tkey->off is a multiple of 4, and I suspect that
> > is user-specifiable?
>
> The only reason i will keep that check is because we have always
> checked for the 32b alignment from an API perspective. I am less
> worried about than potentially breaking something in the hardware
> offload path when a user passes unaligned offsets down given that
> these code paths (towards hardware) have been well vetted.
>
> I am trying to get this security fix in. Do you see anything in what
> you stated as a show stopper? IOW introducing regression or plain
> wrong?
> If not, I will wait for the AI review or if someone finds an issue
> which breaks something - and if it is worth going back then i will
> consider your suggestions as part of the next update.
> Does that sound reasonable?
>

Something like attached (not compile tested) basically if i didnt miss
what else you suggested.

cheers,
jamal

> cheers,
> jamal
>
> > I'm also not entirely that the mac_header is aligned.
> >
> > -- David
> >
> > >               /* just do it, baby */
> > >               switch (cmd) {
> > >               case TCA_PEDIT_KEY_EX_CMD_SET:
> > >                       val = tkey->val;
> > >                       break;
> > >               case TCA_PEDIT_KEY_EX_CMD_ADD:
> > > -                     val = (*ptr + tkey->val) & ~tkey->mask;
> > > +                     val = (cur_val + tkey->val) & ~tkey->mask;
> > >                       break;
> > >               default:
> > >                       pr_info_ratelimited("tc action pedit bad command (%d)\n", cmd);
> > >                       goto bad;
> > >               }
> > >
> > > -             *ptr = ((*ptr & tkey->mask) ^ val);
> > > -             if (ptr == &hdata)
> > > -                     skb_store_bits(skb, hoffset + offset, ptr, 4);
> > > +             put_unaligned((cur_val & tkey->mask) ^ val, ptr);
> > >       }
> > >
> > >       goto done;
> >

[-- Attachment #2: patchlet-david.laight --]
[-- Type: application/octet-stream, Size: 1315 bytes --]

diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c
index bd3b1da3cd63..e7da01804891 100644
--- a/net/sched/act_pedit.c
+++ b/net/sched/act_pedit.c
@@ -394,7 +394,7 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
 	tkey_ex = parms->tcfp_keys_ex;
 
 	for (i = parms->tcfp_nkeys; i > 0; i--, tkey++) {
-		int write_offset, write_len;
+		int write_offset;
 		int offset = tkey->off;
 		int hoffset = 0;
 		u32 cur_val, val;
@@ -447,23 +447,12 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
 			goto bad;
 		}
 
-		if (write_offset < 0) {
-			if (skb_cow(skb, -write_offset))
-				goto bad;
-			if (write_offset + (int)sizeof(*ptr) > 0) {
-				if (skb_ensure_writable(skb,
-							min_t(int, skb->len,
-							      write_offset + (int)sizeof(*ptr))))
-					goto bad;
-			}
-		} else {
-			if (check_add_overflow(write_offset, (int)sizeof(*ptr),
-					       &write_len))
-				goto bad;
-			if (skb_ensure_writable(skb, min_t(int, skb->len,
-							   write_len)))
-				goto bad;
-		}
+		if (write_offset < 0 && skb_cow(skb, -write_offset))
+			goto bad;
+
+		if ((write_offset >= 0 || write_offset + (int)sizeof(*ptr) > 0) &&
+		    skb_ensure_writable(skb, write_offset + (int)sizeof(*ptr)))
+			goto bad;
 
 		ptr = (u32 *)(skb->data + write_offset);
 		cur_val = get_unaligned(ptr);

Re: [PATCH net v5 1/1] net/sched: fix pedit partial COW leading to page cache corruption

[David Laight]

On Sun, 31 May 2026 13:25:36 -0400
Jamal Hadi Salim <jhs@mojatatu.com> wrote:

> On Sun, May 31, 2026 at 12:15 PM David Laight
> <david.laight.linux@gmail.com> wrote:
> >
> > On Sun, 31 May 2026 08:32:21 -0400
> > Jamal Hadi Salim <jhs@mojatatu.com> wrote:
> >  
> > > From: Rajat Gupta <rajat.gupta@oss.qualcomm.com>
> > >
> > > tcf_pedit_act() computes the COW range for skb_ensure_writable()
> > > once before the key loop using tcfp_off_max_hint, but the hint does
> > > not account for the runtime header offset added by typed keys. This
> > > can leave part of the write region un-COW'd.
> > >
> > > Fix by moving skb_ensure_writable() inside the per-key loop where
> > > the actual write offset is known, and add overflow checking on the
> > > offset arithmetic. For negative offsets (e.g. Ethernet header edits
> > > at ingress), use skb_cow() to COW the headroom instead. Guard
> > > offset_valid() against INT_MIN, where negation is undefined.  
> >
> > This code has all got out of hand somewhere.
> > I've only been looking at offset_valid() code.
> >  
> > > Fixes: 8b796475fd78 ("net/sched: act_pedit: really ensure the skb is writable")
> > > Reported-by: Yiming Qian <yimingqian591@gmail.com>
> > > Reported-by: Keenan Dong <keenanat2000@gmail.com>
> > > Reported-by: Han Guidong <2045gemini@gmail.com>
> > > Reported-by: Zhang Cen <rollkingzzc@gmail.com>
> > > Reviewed-by: Han Guidong <2045gemini@gmail.com>
> > > Tested-by: Han Guidong <2045gemini@gmail.com>
> > > Reviewed-by: Davide Caratti <dcaratti@redhat.com>
> > > Tested-by: Davide Caratti <dcaratti@redhat.com>
> > > Reviewed-by: Toke Høiland-Jørgensen <toke@redhat.com>
> > > Tested-by: Toke Høiland-Jørgensen <toke@redhat.com>
> > > Reviewed-by: Victor Nogueira <victor@mojatatu.com>
> > > Tested-by: Victor Nogueira <victor@mojatatu.com>
> > > Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
> > > Signed-off-by: Rajat Gupta <rajat.gupta@oss.qualcomm.com>
> > > ---
> > > v4->v5:
> > >  1) Dead code removal obsoleted after removing tcfp_off_max_hint as identified
> > >     by sashiko-claude[1]. Remove dead code updating "cur".
> > >  2) Addition of hoffset at tkey->at promotes hoffset to unsigned int,
> > >     wraps on overflow. Claim made by both sashiko-claude[1] and sashiko-gemini[2]
> > >     I think this is far fetched but possible. Cast tkey->at to int.
> > >  3) Signedness mismatch in min() macro may potentially cause build issues.
> > >     Claim made by both sashiko-claude[1] and sashiko-gemini[2].
> > >     Go back to min_t() for now. David L. can make a better proposal later..
> > >
> > > [1]https://netdev-ai.bots.linux.dev/sashiko/#/patchset/20260530080643.1345521-1-jhs%40mojatatu.com
> > > [2]https://sashiko.dev/#/patchset/20260530080643.1345521-1-jhs%40mojatatu.com
> > > ---
> > >  include/net/tc_act/tc_pedit.h |  1 -
> > >  net/sched/act_pedit.c         | 77 +++++++++++++++++++----------------
> > >  2 files changed, 41 insertions(+), 37 deletions(-)
> > >
> > > diff --git a/include/net/tc_act/tc_pedit.h b/include/net/tc_act/tc_pedit.h
> > > index f58ee15cd858..cb7b82f2cbc7 100644
> > > --- a/include/net/tc_act/tc_pedit.h
> > > +++ b/include/net/tc_act/tc_pedit.h
> > > @@ -15,7 +15,6 @@ struct tcf_pedit_parms {
> > >       struct tc_pedit_key     *tcfp_keys;
> > >       struct tcf_pedit_key_ex *tcfp_keys_ex;
> > >       int action;
> > > -     u32 tcfp_off_max_hint;
> > >       unsigned char tcfp_nkeys;
> > >       unsigned char tcfp_flags;
> > >       struct rcu_head rcu;
> > > diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c
> > > index bc20f08a2789..bd3b1da3cd63 100644
> > > --- a/net/sched/act_pedit.c
> > > +++ b/net/sched/act_pedit.c
> > > @@ -16,6 +16,8 @@
> > >  #include <linux/ip.h>
> > >  #include <linux/ipv6.h>
> > >  #include <linux/slab.h>
> > > +#include <linux/overflow.h>
> > > +#include <linux/unaligned.h>
> > >  #include <net/ipv6.h>
> > >  #include <net/netlink.h>
> > >  #include <net/pkt_sched.h>
> > > @@ -242,7 +244,6 @@ static int tcf_pedit_init(struct net *net, struct nlattr *nla,
> > >               goto out_free_ex;
> > >       }
> > >
> > > -     nparms->tcfp_off_max_hint = 0;
> > >       nparms->tcfp_flags = parm->flags;
> > >       nparms->tcfp_nkeys = parm->nkeys;
> > >
> > > @@ -268,14 +269,6 @@ static int tcf_pedit_init(struct net *net, struct nlattr *nla,
> > >                                                  BITS_PER_TYPE(int) - 1,
> > >                                                  nparms->tcfp_keys[i].shift);
> > >
> > > -             /* The AT option can read a single byte, we can bound the actual
> > > -              * value with uchar max.
> > > -              */
> > > -             cur += (0xff & offmask) >> nparms->tcfp_keys[i].shift;
> > > -
> > > -             /* Each key touches 4 bytes starting from the computed offset */
> > > -             nparms->tcfp_off_max_hint =
> > > -                     max(nparms->tcfp_off_max_hint, cur + 4);
> > >       }
> > >
> > >       p = to_pedit(*a);
> > > @@ -318,15 +311,12 @@ static void tcf_pedit_cleanup(struct tc_action *a)
> > >               call_rcu(&parms->rcu, tcf_pedit_cleanup_rcu);
> > >  }
> > >
> > > -static bool offset_valid(struct sk_buff *skb, int offset)
> > > +static bool offset_valid(struct sk_buff *skb, int offset, int len)
> > >  {
> > > -     if (offset > 0 && offset > skb->len)
> > > -             return false;
> > > -
> > > -     if  (offset < 0 && -offset > skb_headroom(skb))
> > > +     if (offset < -(int)skb_headroom(skb))
> > >               return false;
> > >
> > > -     return true;
> > > +     return offset <= (int)skb->len - len;
> > >  }
> > >
> > >  static int pedit_l4_skb_offset(struct sk_buff *skb, int *hoffset, const int header_type)
> > > @@ -393,18 +383,10 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
> > >       struct tcf_pedit_key_ex *tkey_ex;
> > >       struct tcf_pedit_parms *parms;
> > >       struct tc_pedit_key *tkey;
> > > -     u32 max_offset;
> > >       int i;
> > >
> > >       parms = rcu_dereference_bh(p->parms);
> > >
> > > -     max_offset = (skb_transport_header_was_set(skb) ?
> > > -                   skb_transport_offset(skb) :
> > > -                   skb_network_offset(skb)) +
> > > -                  parms->tcfp_off_max_hint;
> > > -     if (skb_ensure_writable(skb, min(skb->len, max_offset)))
> > > -             goto done;
> > > -
> > >       tcf_lastuse_update(&p->tcf_tm);
> > >       tcf_action_update_bstats(&p->common, skb);
> > >
> > > @@ -412,10 +394,11 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
> > >       tkey_ex = parms->tcfp_keys_ex;
> > >
> > >       for (i = parms->tcfp_nkeys; i > 0; i--, tkey++) {
> > > +             int write_offset, write_len;
> > >               int offset = tkey->off;
> > >               int hoffset = 0;
> > > -             u32 *ptr, hdata;
> > > -             u32 val;
> > > +             u32 cur_val, val;
> > > +             u32 *ptr;
> > >               int rc;
> > >
> > >               if (tkey_ex) {
> > > @@ -433,13 +416,15 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
> > >
> > >               if (tkey->offmask) {
> > >                       u8 *d, _d;
> > > +                     int at_offset;
> > >
> > > -                     if (!offset_valid(skb, hoffset + tkey->at)) {
> > > +                     if (check_add_overflow(hoffset, (int)tkey->at, &at_offset) ||  
> >
> > There is no real reason for checking the add.
> > All that matters is that offset_valid() and skb_header_pointer() are
> > passed the same offset.
> > Assigning it to a local would make that clearer.  
> 
> You are technically correct - but earlier discussion was I believe
> that signed integer overflow as undefined behavior and those checks
> are there to avoid that and logic bypasses.

The kernel is compiled with -Wno-strict-overflow so that integers wrap
the way you might expect (and hope).
A lot of code relies on that.
So not only is signed integer overflow going to wrap (rather than saturate,
fault, add 0 (a cobol interpreter I once used did that - annoying to debug),
return a random value) the compiler is also not allowed to assume it doesn't
wrap.

If you are feeling really pedantic:
	at_offset = hoffeset + key->at; OPTIMZER_HIDE_VAR(at_offset);
will ensure that the value that is tested is the value that is used.

> 
> >  
> > > +                         !offset_valid(skb, at_offset, sizeof(_d))) {
> > >                               pr_info_ratelimited("tc action pedit 'at' offset %d out of bounds\n",
> > >                                                   hoffset + tkey->at);
> > >                               goto bad;
> > >                       }
> > > -                     d = skb_header_pointer(skb, hoffset + tkey->at,
> > > +                     d = skb_header_pointer(skb, at_offset,
> > >                                              sizeof(_d), &_d);
> > >                       if (!d)
> > >                               goto bad;
> > > @@ -451,31 +436,51 @@ TC_INDIRECT_SCOPE int tcf_pedit_act(struct sk_buff *skb,
> > >                       }
> > >               }
> > >
> > > -             if (!offset_valid(skb, hoffset + offset)) {
> > > -                     pr_info_ratelimited("tc action pedit offset %d out of bounds\n", hoffset + offset);
> > > +             if (check_add_overflow(hoffset, offset, &write_offset)) {
> > > +                     pr_info_ratelimited("tc action pedit offset overflow\n");
> > >                       goto bad;
> > >               }
> > >
> > > -             ptr = skb_header_pointer(skb, hoffset + offset,
> > > -                                      sizeof(hdata), &hdata);
> > > -             if (!ptr)
> > > +             if (!offset_valid(skb, write_offset, sizeof(*ptr))) {
> > > +                     pr_info_ratelimited("tc action pedit offset %d out of bounds\n",
> > > +                                         write_offset);
> > >                       goto bad;
> > > +             }  
> >
> > Again all that matters is that the same value is passed to offset_valid()
> > and skb_header_pointer().  
> 
> Same comment as earlier.
> Note: we replaced skb_header_pointer() with direct memory access "ptr
> = (u32 *)(skb->data + write_offset)" further down.
> so extra validation of write_offset is justifiable, no?

AFACT offset_valid() does all the required checks.
I did initially miss that skb_ensure_writable() has a side effect of pulling
all the data into the header.
I don't 100% know all the forms an skb can have, I have used (and designed)
too many buffer schemes for my brain to just know the answers.
I don't see an obvious reason why it shouldn't be valid to write
into data that isn't in the header.

> 
> 
> > > +
> > > +             if (write_offset < 0) {
> > > +                     if (skb_cow(skb, -write_offset))
> > > +                             goto bad;
> > > +                     if (write_offset + (int)sizeof(*ptr) > 0) {
> > > +                             if (skb_ensure_writable(skb,
> > > +                                                     min_t(int, skb->len,
> > > +                                                           write_offset + (int)sizeof(*ptr))))  
> >
> > That min isn't needed (same as below).  
> 
> Ok - yes, i see that. Same with the min(). Why did we think we needed
> min/min_t() before?
> 
> > > +                                     goto bad;
> > > +                     }
> > > +             } else {
> > > +                     if (check_add_overflow(write_offset, (int)sizeof(*ptr),
> > > +                                            &write_len))  
> >
> > That can't fail because of the 'return offset <= (int)skb->len - len;' check.  
> 
> True.
> 
> >  
> > > +                             goto bad;
> > > +                     if (skb_ensure_writable(skb, min_t(int, skb->len,
> > > +                                                        write_len)))  

You've completely missed that the above has to include the write_offset.

> >
> > Similarly that min_t() will return 'write_len'.
> > But is that even correct?
> > The code wants to write 4 bytes at skb->data + write_offset.
> > I can't see where the offset is used.
> > All the overflow tests have made the logic far too hard to follow.
> >
> > I think that whole lot can just be:
> >         hoffset += offset;
> >         if (offset_valid(skb, hoffset, sizeof(hdata)))
> >                 goto bad;
> >
> >         /* Ensure any needed headroom is writeable */
> >         if (hoffset < 0 && skb_cow(skb, -hoffset)
> >                 goto bad;
> >         /* Ensure the skb is writeable to the end of the area to be written.
> >          * The data is pulled into the skb header. */
> >         if ((hoffset >= 0 || hoffset + (int)sizeof(hdata) > 0) &&
> >             skb_ensure_writable(skb, hoffset + (int)sizeof(hdata))
> >                 goto bad;
> > The call to offset_valid() does all the other checks.
> > (The hoffset >= 0 check is the inverse of the earlier check and will
> > be optimised away - skipping the second second test which is then
> > always true.)  
> 
> Yes, that code is more readable.
> 
> > If you really want a warning message, put a generic one on 'bad;'.
> >  
> > > +                             goto bad;
> > > +             }
> > > +
> > > +             ptr = (u32 *)(skb->data + write_offset);
> > > +             cur_val = get_unaligned(ptr);  
> >
> > Given you are doing an unaligned read you could remove the check in the
> > 'offmask' path that the final offset is a multiple of 4.
> > Nothing checked that tkey->off is a multiple of 4, and I suspect that
> > is user-specifiable?  
> 
> The only reason i will keep that check is because we have always
> checked for the 32b alignment from an API perspective. I am less
> worried about than potentially breaking something in the hardware
> offload path when a user passes unaligned offsets down given that
> these code paths (towards hardware) have been well vetted.
> 
> I am trying to get this security fix in. Do you see anything in what
> you stated as a show stopper? IOW introducing regression or plain
> wrong?

One thing I'm not sure about is whether applications might be setting
a mask in order to update a single byte.
If that byte is one of the last three of the skb data then the RMW
will read/write bytes beyond the end.
That used to be ok, but will now be rejected.

-- David

> If not, I will wait for the AI review or if someone finds an issue
> which breaks something - and if it is worth going back then i will
> consider your suggestions as part of the next update.
> Does that sound reasonable?
> 
> cheers,
> jamal
> 
> > I'm also not entirely that the mac_header is aligned.
> >
> > -- David
> >  
> > >               /* just do it, baby */
> > >               switch (cmd) {
> > >               case TCA_PEDIT_KEY_EX_CMD_SET:
> > >                       val = tkey->val;
> > >                       break;
> > >               case TCA_PEDIT_KEY_EX_CMD_ADD:
> > > -                     val = (*ptr + tkey->val) & ~tkey->mask;
> > > +                     val = (cur_val + tkey->val) & ~tkey->mask;
> > >                       break;
> > >               default:
> > >                       pr_info_ratelimited("tc action pedit bad command (%d)\n", cmd);
> > >                       goto bad;
> > >               }
> > >
> > > -             *ptr = ((*ptr & tkey->mask) ^ val);
> > > -             if (ptr == &hdata)
> > > -                     skb_store_bits(skb, hoffset + offset, ptr, 4);
> > > +             put_unaligned((cur_val & tkey->mask) ^ val, ptr);
> > >       }
> > >
> > >       goto done;  
> >  

Re: [PATCH net v5 1/1] net/sched: fix pedit partial COW leading to page cache corruption

[David Laight]

On Sun, 31 May 2026 19:42:41 +0100
David Laight <david.laight.linux@gmail.com> wrote:

> On Sun, 31 May 2026 13:25:36 -0400
> Jamal Hadi Salim <jhs@mojatatu.com> wrote:
....
> > >    
> > > > +                             goto bad;
> > > > +                     if (skb_ensure_writable(skb, min_t(int, skb->len,
> > > > +                                                        write_len)))    
> 
> You've completely missed that the above has to include the write_offset.

And I've missed that write_len isn't the length you are going to write :-(

This version is unreadable....

A few one line comments can make all the difference.
I put these two in for a reason.
It took some effort to find out exactly what they did.

> >         /* Ensure any needed headroom is writeable */
> >         if (hoffset < 0 && skb_cow(skb, -hoffset)
> >                 goto bad;
> >         /* Ensure the skb is writeable to the end of the area to be written.
> >          * The data is pulled into the skb header. */

-- David