Re: [PATCH net v2 1/1] net/sched: fix pedit partial COW leading to page cache corruption
From: Davide Caratti
Date: Tue May 26 2026 - 17:31:21 EST
On Tue, May 26, 2026 at 11:59:13AM -0400, Jamal Hadi Salim wrote:
> From: Rajat Gupta <rajat.gupta@xxxxxxxxxxxxxxxx>
>
> tcf_pedit_act() computes the COW range for skb_ensure_writable()
> once before the key loop using tcfp_off_max_hint, but the hint does
> not account for the runtime header offset added by typed keys. This
> can leave part of the write region un-COW'd.
>
> Fix by moving skb_ensure_writable() inside the per-key loop where
> the actual write offset is known, and add overflow checking on the
> offset arithmetic. For negative offsets (e.g. Ethernet header edits
> at ingress), use skb_cow() to COW the headroom instead. Guard
> offset_valid() against INT_MIN, where negation is undefined.
>
> Additionally, linearize skbs with shared frags upfront to prevent
> silent data corruption when pedit operates on zero-copy pages
> (e.g. from sendfile).
>
> Fixes: 8b796475fd78 ("net/sched: act_pedit: really ensure the skb is writable")
> Reported-by: Yiming Qian <yimingqian591@xxxxxxxxx>
> Reported-by: Keenan Dong <keenanat2000@xxxxxxxxx>
> Reported-by: Han Guidong <2045gemini@xxxxxxxxx>
> Reported-by: Zhang Cen <rollkingzzc@xxxxxxxxx>
> Tested-by: Victor Nogueira <victor@xxxxxxxxxxxx>
> Acked-by: Jamal Hadi Salim <jhs@xxxxxxxxxxxx>
> Signed-off-by: Rajat Gupta <rajat.gupta@xxxxxxxxxxxxxxxx>
> ---
> Changes v1->v2:
> 1. Do better boundary analysis to cover cloned skbs with frags. Pointed
> out by sashiko-nipa:
> https://netdev-ai.bots.linux.dev/sashiko/#/patchset/20260519033950.2037-1-rajat.gupta%40oss.qualcomm.com
> 2. As a result of fix #1 remove the skb_has_shared_frag() check, unnecessary.
> Also Jakub has plans where the shared frags is not going to be a "thing"
> 3. Make small adjustments everywhere for integer checks, suggested by D. Laight
> 4. Remove all reviewers and testers since this is a large enough change.
> Please retest and re-review.
> 5. Remove Rajat as reporter since he is the author (which implies he is a reporter)

re-ran mp_join + pedit_l4port + pedit_ip kselftests on patch v2, no issues found.

Reviewed-and-tested-by: Davide Caratti <dcaratti@xxxxxxxxxx>

Thanks!
--
davide
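
An added example, not part of this thread or of the kernel patch: a user-space C model of the range arithmetic the commit message describes, comparing a range computed once from static key offsets with a per-key range that includes the runtime header offset, with the overflow and INT_MIN checks. All names, the 4-byte write width and the sample offsets are assumptions of the model.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

#define WORD 4 /* assumption: each key rewrites one 32-bit word */

/* Hypothetical model type; none of these names come from the kernel. */
struct need { bool ok; int headroom; int writable; };

/* Pre-fix style: one range, computed once from the static key offsets. */
static int static_hint(const int *offs, int n)
{
    int hint = 0;
    for (int i = 0; i < n; i++)
        if (offs[i] >= 0 && offs[i] <= INT_MAX - WORD && offs[i] + WORD > hint)
            hint = offs[i] + WORD;
    return hint;
}

/* Post-fix style: per key, from the offset actually written at run time. */
static struct need key_need(int hoffset, int off)
{
    struct need r = { false, 0, 0 };
    int start, end;
    if (__builtin_add_overflow(hoffset, off, &start) ||
        __builtin_add_overflow(start, WORD, &end))
        return r;                        /* offset arithmetic wrapped: reject */
    if (start == INT_MIN)
        return r;                        /* -start would be undefined */
    r.ok = true;
    r.headroom = start < 0 ? -start : 0; /* bytes before the data pointer */
    r.writable = end > 0 ? end : 0;      /* bytes from the data pointer on */
    return r;
}

/* Bytes a key writes beyond what the static hint made private. */
static int uncovered(int hint, struct need n)
{
    return n.ok && n.writable > hint ? n.writable - hint : 0;
}

int main(void)
{
    int offs[] = { 12, 4 };              /* constructed sample key offsets */
    int hint = static_hint(offs, 2);
    struct need n = key_need(34, 12);    /* constructed: 34-byte header offset */
    printf("hint=%d writable=%d uncovered=%d\n", hint, n.writable, uncovered(hint, n));
    return 0;
}
```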