Netdev List
 help / color / mirror / Atom feed
* [PATCH net 1/2] net/sched: act_skbmod: require an Ethernet header for MAC rewrites
       [not found] <cover.1782548651.git.bronzed_45_vested@icloud.com>
@ 2026-06-29  2:46 ` Ren Wei
  2026-07-01  0:10   ` Jakub Kicinski
  2026-06-29  2:46 ` [PATCH net 2/2] net/sched: act_vlan: skip pop_eth on non-Ethernet devices Ren Wei
  1 sibling, 1 reply; 5+ messages in thread
From: Ren Wei @ 2026-06-29  2:46 UTC (permalink / raw)
  To: netdev
  Cc: jhs, jiri, davem, edumazet, pabeni, horms, peilin.ye, cong.wang,
	gnault, yuantan098, yifanwucs, tomapufckgml, zcliangcn, bird,
	bronzed_45_vested, n05ec

From: Wyatt Feng <bronzed_45_vested@icloud.com>

tcf_skbmod_act() derives its writable length from
skb_mac_header_len(skb), but the DMAC, SMAC, ETYPE and SWAPMAC modes
always write through eth_hdr(skb).

After a prior action strips the L2 header, skb_mac_header_len(skb) can
drop below ETH_HLEN while skbmod still attempts to rewrite a full
Ethernet header. This is a buffer-size length miscalculation and can
corrupt packet data on short or non-linear skbs.

Reject Ethernet rewrite requests unless a full MAC header is still
present, and use ETH_HLEN as the writable length for those rewrites.
That matches the bytes skbmod actually modifies and leaves the ECN path
unchanged.

Fixes: 56af5e749f20 ("net/sched: act_skbmod: Add SKBMOD_F_ECN option support")
Cc: stable@vger.kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Assisted-by: Codex:GPT-5.4
Signed-off-by: Wyatt Feng <bronzed_45_vested@icloud.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
---
 net/sched/act_skbmod.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/net/sched/act_skbmod.c b/net/sched/act_skbmod.c
index a464b0a3c1b8..30c2eac17aff 100644
--- a/net/sched/act_skbmod.c
+++ b/net/sched/act_skbmod.c
@@ -38,7 +38,6 @@ TC_INDIRECT_SCOPE int tcf_skbmod_act(struct sk_buff *skb,
 	if (unlikely(p->action == TC_ACT_SHOT))
 		goto drop;
 
-	max_edit_len = skb_mac_header_len(skb);
 	flags = p->flags;
 
 	/* tcf_skbmod_init() guarantees "flags" to be one of the following:
@@ -49,6 +48,8 @@ TC_INDIRECT_SCOPE int tcf_skbmod_act(struct sk_buff *skb,
 	 * packets.
 	 */
 	if (flags == SKBMOD_F_ECN) {
+		max_edit_len = skb_mac_header_len(skb);
+
 		switch (skb_protocol(skb, true)) {
 		case cpu_to_be16(ETH_P_IP):
 		case cpu_to_be16(ETH_P_IPV6):
@@ -57,8 +58,12 @@ TC_INDIRECT_SCOPE int tcf_skbmod_act(struct sk_buff *skb,
 		default:
 			goto out;
 		}
-	} else if (!skb->dev || skb->dev->type != ARPHRD_ETHER) {
+	} else if (!skb->dev || skb->dev->type != ARPHRD_ETHER ||
+		   !skb_mac_header_was_set(skb) ||
+		   skb_mac_header_len(skb) < ETH_HLEN) {
 		goto out;
+	} else {
+		max_edit_len = ETH_HLEN;
 	}
 
 	err = skb_ensure_writable(skb, max_edit_len);
-- 
2.47.3


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* [PATCH net 2/2] net/sched: act_vlan: skip pop_eth on non-Ethernet devices
       [not found] <cover.1782548651.git.bronzed_45_vested@icloud.com>
  2026-06-29  2:46 ` [PATCH net 1/2] net/sched: act_skbmod: require an Ethernet header for MAC rewrites Ren Wei
@ 2026-06-29  2:46 ` Ren Wei
  1 sibling, 0 replies; 5+ messages in thread
From: Ren Wei @ 2026-06-29  2:46 UTC (permalink / raw)
  To: netdev
  Cc: jhs, jiri, davem, edumazet, pabeni, horms, cong.wang, peilin.ye,
	gnault, yuantan098, yifanwucs, tomapufckgml, zcliangcn, bird,
	bronzed_45_vested, n05ec

From: Wyatt Feng <bronzed_45_vested@icloud.com>

TCA_VLAN_ACT_POP_ETH removes a base Ethernet header, but tcf_vlan_act()
currently runs it on any device type.

On non-Ethernet devices such as loopback, this can strip the linear
ETH_HLEN bytes from an skb that later reaches code paths which still
expect an Ethernet header, leading to a BUG in __skb_pull(). This is a
short-packet handling bug caused by applying an Ethernet-only transform
to a non-Ethernet skb.

Treat POP_ETH as an Ethernet-only action and leave non-Ethernet packets
unchanged.

Fixes: 19fbcb36a39e ("net/sched: act_vlan: Add {POP,PUSH}_ETH actions")
Cc: stable@vger.kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Assisted-by: Codex:GPT-5.4
Signed-off-by: Wyatt Feng <bronzed_45_vested@icloud.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
---
 net/sched/act_vlan.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/sched/act_vlan.c b/net/sched/act_vlan.c
index 6a375fdc63dd..b77f649ae204 100644
--- a/net/sched/act_vlan.c
+++ b/net/sched/act_vlan.c
@@ -4,6 +4,7 @@
  */
 
 #include <linux/module.h>
+#include <linux/if_arp.h>
 #include <linux/init.h>
 #include <linux/kernel.h>
 #include <linux/skbuff.h>
@@ -76,6 +77,9 @@ TC_INDIRECT_SCOPE int tcf_vlan_act(struct sk_buff *skb,
 		__vlan_hwaccel_put_tag(skb, p->tcfv_push_proto, tci);
 		break;
 	case TCA_VLAN_ACT_POP_ETH:
+		if (!skb->dev || skb->dev->type != ARPHRD_ETHER)
+			goto out;
+
 		err = skb_eth_pop(skb);
 		if (err)
 			goto drop;
-- 
2.47.3


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH net 1/2] net/sched: act_skbmod: require an Ethernet header for MAC rewrites
  2026-06-29  2:46 ` [PATCH net 1/2] net/sched: act_skbmod: require an Ethernet header for MAC rewrites Ren Wei
@ 2026-07-01  0:10   ` Jakub Kicinski
  2026-07-01  0:20     ` Jakub Kicinski
  0 siblings, 1 reply; 5+ messages in thread
From: Jakub Kicinski @ 2026-07-01  0:10 UTC (permalink / raw)
  To: Ren Wei
  Cc: netdev, jhs, jiri, davem, edumazet, pabeni, horms, peilin.ye,
	cong.wang, gnault, yuantan098, yifanwucs, tomapufckgml, zcliangcn,
	bird, bronzed_45_vested

On Mon, 29 Jun 2026 10:46:03 +0800 Ren Wei wrote:
> Cc: stable@vger.kernel.org
> Reported-by: Yuan Tan <yuantan098@gmail.com>
> Reported-by: Yifan Wu <yifanwucs@gmail.com>
> Reported-by: Juefei Pu <tomapufckgml@gmail.com>
> Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
> Reported-by: Xin Liu <bird@lzu.edu.cn>
> Assisted-by: Codex:GPT-5.4
> Signed-off-by: Wyatt Feng <bronzed_45_vested@icloud.com>
> Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>

Let's do away with the 5 reported-by tags? You can use a tag for your
tool or your team, it doesn't have to be a person. Look at sashiko or
syzbot reported-by tags.
-- 
pw-bot: cr

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH net 1/2] net/sched: act_skbmod: require an Ethernet header for MAC rewrites
  2026-07-01  0:10   ` Jakub Kicinski
@ 2026-07-01  0:20     ` Jakub Kicinski
  2026-07-01  6:46       ` Yuan Tan
  0 siblings, 1 reply; 5+ messages in thread
From: Jakub Kicinski @ 2026-07-01  0:20 UTC (permalink / raw)
  To: Ren Wei
  Cc: netdev, jhs, jiri, davem, edumazet, pabeni, horms, peilin.ye,
	cong.wang, gnault, yuantan098, yifanwucs, tomapufckgml, zcliangcn,
	bird, bronzed_45_vested

On Tue, 30 Jun 2026 17:10:16 -0700 Jakub Kicinski wrote:
> On Mon, 29 Jun 2026 10:46:03 +0800 Ren Wei wrote:
> > Cc: stable@vger.kernel.org
> > Reported-by: Yuan Tan <yuantan098@gmail.com>
> > Reported-by: Yifan Wu <yifanwucs@gmail.com>
> > Reported-by: Juefei Pu <tomapufckgml@gmail.com>
> > Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
> > Reported-by: Xin Liu <bird@lzu.edu.cn>
> > Assisted-by: Codex:GPT-5.4
> > Signed-off-by: Wyatt Feng <bronzed_45_vested@icloud.com>
> > Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>  
> 
> Let's do away with the 5 reported-by tags? You can use a tag for your
> tool or your team, it doesn't have to be a person. Look at sashiko or
> syzbot reported-by tags.

On second thought, if y'all work together maybe there should be no
reported-by tag at all? Can you explain the situation?

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH net 1/2] net/sched: act_skbmod: require an Ethernet header for MAC rewrites
  2026-07-01  0:20     ` Jakub Kicinski
@ 2026-07-01  6:46       ` Yuan Tan
  0 siblings, 0 replies; 5+ messages in thread
From: Yuan Tan @ 2026-07-01  6:46 UTC (permalink / raw)
  To: Jakub Kicinski
  Cc: Ren Wei, netdev, jhs, jiri, davem, edumazet, pabeni, horms,
	peilin.ye, cong.wang, gnault, yifanwucs, tomapufckgml, zcliangcn,
	bird, bronzed_45_vested

On Tue, Jun 30, 2026 at 5:20 PM Jakub Kicinski <kuba@kernel.org> wrote:
>
> On Tue, 30 Jun 2026 17:10:16 -0700 Jakub Kicinski wrote:
> > On Mon, 29 Jun 2026 10:46:03 +0800 Ren Wei wrote:
> > > Cc: stable@vger.kernel.org
> > > Reported-by: Yuan Tan <yuantan098@gmail.com>
> > > Reported-by: Yifan Wu <yifanwucs@gmail.com>
> > > Reported-by: Juefei Pu <tomapufckgml@gmail.com>
> > > Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
> > > Reported-by: Xin Liu <bird@lzu.edu.cn>
> > > Assisted-by: Codex:GPT-5.4
> > > Signed-off-by: Wyatt Feng <bronzed_45_vested@icloud.com>
> > > Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
> >
> > Let's do away with the 5 reported-by tags? You can use a tag for your
> > tool or your team, it doesn't have to be a person. Look at sashiko or
> > syzbot reported-by tags.
>
> On second thought, if y'all work together maybe there should be no
> reported-by tag at all? Can you explain the situation?

Hi Jakub,

Since February, our team's bug-finding tool has found hundreds of bugs
and vulnerabilities. Several people have helped improve the tool to
discover more bugs, and verify that they are real. I did not want
their credit to be lost, so I added Reported-by tags based on whether
they contributed to finding a particular bug.

I agree, though, that having five Reported-by tags may not look ideal.
Maybe using the tool name instead would be better. I will discuss this
with the others.

We also found many external volunteers to submit patches, instead of
simply dumping bug reports on the community and leaving it at that. We
were worried that too many reports might annoy maintainers. That said,
it may be easier in some cases for maintainers to fix the issues
themselves rather than review our patches, since we are not experts in
every subsystem.

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2026-07-01  6:46 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <cover.1782548651.git.bronzed_45_vested@icloud.com>
2026-06-29  2:46 ` [PATCH net 1/2] net/sched: act_skbmod: require an Ethernet header for MAC rewrites Ren Wei
2026-07-01  0:10   ` Jakub Kicinski
2026-07-01  0:20     ` Jakub Kicinski
2026-07-01  6:46       ` Yuan Tan
2026-06-29  2:46 ` [PATCH net 2/2] net/sched: act_vlan: skip pop_eth on non-Ethernet devices Ren Wei

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox