Re: [PATCH net] net/sched: fix pedit partial COW leading to page cache corruption
From: Jamal Hadi Salim <jhs@mojatatu.com>
Date: 2026-05-20 20:00:59
On Wed, May 20, 2026 at 5:23 AM Jamal Hadi Salim [off-list ref] wrote:
On Mon, May 18, 2026 at 11:42 PM Rajat Gupta [off-list ref] wrote:quoted
tcf_pedit_act() computes the COW range for skb_ensure_writable() once before the key loop using tcfp_off_max_hint, but the hint does not account for the runtime header offset added by typed keys. This can leave part of the write region un-COW'd. Fix by moving skb_ensure_writable() inside the per-key loop where the actual write offset is known, and add overflow checking on the offset arithmetic. For negative offsets (e.g. Ethernet header edits at ingress), use skb_cow() to COW the headroom instead. Guard offset_valid() against INT_MIN, where negation is undefined. Additionally, linearize skbs with shared frags upfront to prevent silent data corruption when pedit operates on zero-copy pages (e.g. from sendfile).Sashiko makes the claim that: " .... ..... If the payload part extending past offset 0 resides in a shared fragment for a cloned skb, wouldn't skb_store_bits() write the positive offset portion directly into the shared page, causing a data corruption regression? " It missed the earlier code (before the quoted code is hit) which is very well documented! /* * If the skb has shared frags the user is likely using zero-copy * (e.g. sendfile). Those page frags may point to page-cache pages; * writing into them would silently corrupt the page cache. * Linearize so pedit operates on a private copy. * TL;DR: if you want zero-copy, don't use pedit. */ if (skb_has_shared_frag(skb)) { if (__skb_linearize(skb)) goto bad; } TLDR: If the skb has shared frags, it is linearized upfront using __skb_linearize() which means any risk of modifying a shared fragment is non-existent.
It seems there's a second sashiko ive been made aware of - these things are just multiplying ;-> https://netdev-ai.bots.linux.dev/sashiko/#/patchset/20260519033950.2037-1-rajat.gupta%40oss.qualcomm.com Both points it makes are valid. Dont have time right now. And infact looking at the second point sashiko 2 made I realize I was only paying attention to externally shared fragments which the poc used. So probably the sashiko1 had a point as well. Anyways i dont have time - will respond by am tommorow. cheers, jamal