Thread (40 messages, 6 authors)

Re: [PATCH net] net/sched: fix pedit partial COW leading to page cache corruption

From: Han Guidong <hidden>
Date: 2026-05-20 10:37:35

On Wed, May 20, 2026 at 5:12 PM Jamal Hadi Salim [off-list ref] wrote:
> On Tue, May 19, 2026 at 11:11 AM Han Guidong [off-list ref] wrote:
> > On Tue, May 19, 2026 at 11:42 AM Rajat Gupta [off-list ref] wrote:
> > > tcf_pedit_act() computes the COW range for skb_ensure_writable()
> > > once before the key loop using tcfp_off_max_hint, but the hint does
> > > not account for the runtime header offset added by typed keys. This
> > > can leave part of the write region un-COW'd.
> > >
> > > Fix by moving skb_ensure_writable() inside the per-key loop where
> > > the actual write offset is known, and add overflow checking on the
> > > offset arithmetic. For negative offsets (e.g. Ethernet header edits
> > > at ingress), use skb_cow() to COW the headroom instead. Guard
> > > offset_valid() against INT_MIN, where negation is undefined.
> > >
> > > Additionally, linearize skbs with shared frags upfront to prevent
> > > silent data corruption when pedit operates on zero-copy pages
> > > (e.g. from sendfile).
> > >
> > > Fixes: 8b796475fd78 ("net/sched: act_pedit: really ensure the skb is writable")
> > > Fixes: 6c02568fd1ae ("net/sched: act_pedit: Parse L3 Header for L4 offset")
> > > Cc: stable@vger.kernel.org
> >
> > I took a closer look at the code, and this patch is really addressing
> > two issues.
> >
> > The negative-offset write into shared head/headroom appears to be from
> > 8b796475fd78, while the shared-frag write, and thus possible
> > page-cache corruption, appears to be the later regression from
> > 6c02568fd1ae. So it may be worth adding an additional Fixes tag for
> > 6c02568fd1ae,
>
> Pushing it a little - but sure we should also point to that commit.
>
> > and I think an explicit Cc: stable@vger.kernel.org would also make sense here.
>
> Please study the rules.

Hi Jamal,

Apologies, I'm still a newbie learning the process. I checked the docs
and saw commit dbbe7c962c3a ("docs: networking: drop special stable
handling"), but I'm still a bit confused.

Did the rule change to allow explicit "Cc: stable@vger.kernel.org"
tags for netdev?

If I completely missed the correct documentation, I would be very
grateful if you could point me to it.

Thanks for your patience!
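The per-key, overflow-checked offset computation and the INT_MIN guard on offset_valid() that the commit message describes, as an added example written for this page; it is not the kernel's act_pedit.c and not the patch itself. It stands in a constructed `struct fake_skb` for the two skb fields the checks read, and `plan_key_write`, `key_write_kind` and `key_write_need` are names chosen for the example, not kernel functions. `__builtin_add_overflow` is the GCC/Clang builtin that the kernel's check_add_overflow() wraps.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Minimal stand-in for the two sk_buff fields the checks consult.
 * Constructed for this example; it is not the kernel's struct sk_buff. */
struct fake_skb {
	unsigned int len;      /* bytes of packet data starting at skb->data */
	unsigned int headroom; /* bytes of buffer available before skb->data */
};

enum cow_kind {
	COW_REJECT,   /* write cannot be done safely: the caller drops the packet */
	COW_WRITABLE, /* make [0, need) private, as skb_ensure_writable(skb, need) would */
	COW_HEADROOM, /* write lands before skb->data: COW the head, as skb_cow() would */
};

/* offset_valid() with the INT_MIN guard: -INT_MIN does not fit in an int,
 * so the negation is undefined and must be refused before it is evaluated. */
static bool offset_valid(const struct fake_skb *skb, int offset)
{
	if (offset > 0)
		return (unsigned int)offset <= skb->len;
	if (offset < 0) {
		if (offset == INT_MIN)
			return false;
		return (unsigned int)(-offset) <= skb->headroom;
	}
	return true;
}

/* Plan for one key: hoffset is the runtime header offset a typed key adds,
 * key_off the key's own offset and len the width of the field written.
 * Every addition is overflow-checked; *need receives the byte count the
 * caller must make private before touching the packet. */
static enum cow_kind plan_key_write(const struct fake_skb *skb, int hoffset,
				    int key_off, int len, int *need)
{
	int offset, end;

	if (len <= 0)
		return COW_REJECT;
	if (__builtin_add_overflow(hoffset, key_off, &offset))
		return COW_REJECT;
	if (!offset_valid(skb, offset))
		return COW_REJECT;

	if (offset < 0) {
		/* e.g. an Ethernet edit at ingress: bytes before skb->data.
		 * skb_cow() makes the whole linear head private, so a write
		 * that straddles skb->data is covered as well. */
		*need = -offset;
		return COW_HEADROOM;
	}

	if (__builtin_add_overflow(offset, len, &end))
		return COW_REJECT;
	if ((unsigned int)end > skb->len)
		return COW_REJECT;
	*need = end;
	return COW_WRITABLE;
}

/* Wrappers that expose one result at a time for a constructed skb. */
static int key_write_kind(unsigned int len, unsigned int headroom,
			  int hoffset, int key_off, int wlen)
{
	struct fake_skb skb = { len, headroom };
	int need = 0;

	return plan_key_write(&skb, hoffset, key_off, wlen, &need);
}

static int key_write_need(unsigned int len, unsigned int headroom,
			  int hoffset, int key_off, int wlen)
{
	struct fake_skb skb = { len, headroom };
	int need = 0;

	if (plan_key_write(&skb, hoffset, key_off, wlen, &need) == COW_REJECT)
		return -1;
	return need;
}

int main(void)
{
	/* 100-byte packet with 64 bytes of headroom (constructed sample). */
	printf("L4 key at hoffset 14 + 20: kind=%d need=%d\n",
	       key_write_kind(100, 64, 14, 20, 4), key_write_need(100, 64, 14, 20, 4));
	printf("Ethernet edit at -14: kind=%d need=%d\n",
	       key_write_kind(100, 64, 0, -14, 4), key_write_need(100, 64, 0, -14, 4));
	printf("INT_MIN offset: kind=%d\n", key_write_kind(100, 64, 0, INT_MIN, 4));
	return 0;
}
```

The point of the split is that the COW decision is made where the real offset is known: a typed key's header offset is only available at runtime, so a range computed once before the loop from a static hint cannot cover it, and a negative offset needs the head made private rather than a range starting at skb->data.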