From: Paolo Abeni
To: mptcp@lists.linux.dev
Subject: [PATCH mptcp-net v2] net/sched: act_pedit: really ensure the skb is writable
Date: Fri, 29 Apr 2022 19:29:17 +0200
Message-Id: <26445210b10b18b39129c4ede9d7fde0e37fe21f.1651253087.git.pabeni@redhat.com>

Currently pedit tries to ensure that the accessed skb offset is writable
via skb_unclone(). The action potentially allows touching any skb bytes,
so it may end up modifying shared data.

The above causes some sporadic MPTCP self-test failures.

Address the issue by keeping track of a rough over-estimate of the highest
skb offset accessed by the action and ensuring such offset is really
writable.

Note that this may cause performance regressions in some scenarios, but
hopefully pedit is not critical path.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Paolo Abeni
Acked-by: Mat Martineau
Tested-by: Geliang Tang
---
v1 -> v2:
 - fix build issue
 - account for the skb hdr offset, too

this almost solves issues/265 here. I'm still getting some rare
failure with MPTcpExtMPFailTx==0: sometimes the transfer completes
before we are able to use the 2nd/failing link. The relevant fix is
a purely self-test one

Note that a much simpler alternative would be simply replacing
skb_unshare() with skb_ensure_writable(skb, skb->len), but that really
could cause more visible regressions
---
 include/net/tc_act/tc_pedit.h |  1 +
 net/sched/act_pedit.c         | 23 +++++++++++++++++++++--
 2 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/include/net/tc_act/tc_pedit.h b/include/net/tc_act/tc_pedit.h index 748cf87a4d7e..3e02709a1df6 100644 --- a/include/net/tc_act/tc_pedit.h +++ b/include/net/tc_act/tc_pedit.h @@ -14,6 +14,7 @@ struct tcf_pedit { struct tc_action common; unsigned char tcfp_nkeys; unsigned char tcfp_flags; + u32 tcfp_off_max_hint; struct tc_pedit_key *tcfp_keys; struct tcf_pedit_key_ex *tcfp_keys_ex; }; diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c index e01ef7f109f4..301ad7f19da9 100644 --- a/net/sched/act_pedit.c +++ b/net/sched/act_pedit.c @@ -149,7 +149,7 @@ static int tcf_pedit_init(struct net *net, struct nlatt= r *nla, struct nlattr *pattr; struct tcf_pedit *p; int ret =3D 0, err; - int ksize; + int i, ksize; u32 index; =20 if (!nla) { @@ -228,6 +228,20 @@ static int tcf_pedit_init(struct net *net, struct nlat= tr *nla, p->tcfp_nkeys =3D parm->nkeys; } memcpy(p->tcfp_keys, parm->keys, ksize); + p->tcfp_off_max_hint =3D 0; + for (i =3D 0; i < p->tcfp_nkeys; ++i) { + u32 cur =3D p->tcfp_keys[i].off; + + /* The AT option can read a single byte, we can bound the actual + * value with uchar max. Each key touches 4 bytes starting from + * the computed offset + */ + if (p->tcfp_keys[i].offmask) { + cur +=3D 255 >> p->tcfp_keys[i].shift; + cur =3D max(p->tcfp_keys[i].at, cur); + } + p->tcfp_off_max_hint =3D max(p->tcfp_off_max_hint, cur + 4); + } =20 p->tcfp_flags =3D parm->flags; goto_ch =3D tcf_action_set_ctrlact(*a, parm->action, goto_ch); @@ -308,9 +322,14 @@ static int tcf_pedit_act(struct sk_buff *skb, const st= ruct tc_action *a, struct tcf_result *res) { struct tcf_pedit *p =3D to_pedit(a); + u32 max_offset; int i; =20 - if (skb_unclone(skb, GFP_ATOMIC)) + max_offset =3D (skb_transport_header_was_set(skb) ? + skb_transport_offset(skb) : + skb_network_offset(skb)) + + p->tcfp_off_max_hint; + if (skb_ensure_writable(skb, min(skb->len, max_offset))) return p->tcf_action; =20 spin_lock(&p->tcf_lock); --=20 2.35.1
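
Review bot: the new tcfp_off_max_hint member added to struct tcf_pedit in tc_pedit.h has no comment, and its meaning is not obvious from the name. Going by the other hunks it is a byte count, an over-estimate, and relative to the transport or network header offset that tcf_pedit_act() adds to it rather than to skb->data; a one-line comment on the field saying so would keep later users from treating it as an absolute offset.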
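
Review bot: in the loop added to tcf_pedit_init(), "cur += 255 >> p->tcfp_keys[i].shift;" shifts by a value that was just copied in from parm->keys by the memcpy() above, and nothing in this hunk bounds it. Shifting the int constant 255 by 32 or more is undefined behaviour in C, so reject or clamp shift before use (any shift above 7 already yields 0 for a value bounded by 255). The same loop evaluates "cur + 4" in u32, which wraps when off is close to U32_MAX and would leave the hint smaller than the offset it is meant to cover; saturate the hint or refuse such keys.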
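
Review bot: in tcf_pedit_act(), p->tcfp_off_max_hint is read to compute max_offset before spin_lock(&p->tcf_lock) is taken. If tcf_pedit_init() can replace the keys and the hint while packets are being processed, the length passed to skb_ensure_writable() may belong to the previous key set and be too small for the keys applied afterwards. Either state in a comment why the unlocked read is safe, or make the read and the key walk see a consistent pair.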