git.ipfire.org Git - thirdparty/linux.git/commit

author	Jason Xing <kernelxing@tencent.com>
	Sat, 30 May 2026 04:26:30 +0000 (12:26 +0800)
committer	Jakub Kicinski <kuba@kernel.org>
	Thu, 4 Jun 2026 00:45:42 +0000 (17:45 -0700)
commit	22ba97ea9cc1f63a0d0244fae38057ed452b6ac7
tree	c7d445b0846859b18775661600e1ef193e2440a1	tree \| snapshot
parent	f723ccaff2fb72b71ae8a9fd283f0dee4d9ae7a3	commit \| diff

xsk: cache csum_start/csum_offset to fix TOCTOU in xsk_skb_metadata()

The TX metadata area resides in the UMEM buffer which is memory-mapped
and concurrently writable by userspace. In xsk_skb_metadata(),
csum_start and csum_offset are read from shared memory for bounds
validation, then read again for skb assignment. A malicious userspace
application can race to overwrite these values between the two reads,
bypassing the bounds check and causing out-of-bounds memory access
during checksum computation in the transmit path.

Fix this by reading csum_start and csum_offset into local variables
once, then using the local copies for both validation and assignment.

Note that other metadata fields (flags, launch_time) and the cached
csum fields may be mutually inconsistent due to concurrent userspace
writes, but this is benign: the only security-critical invariant is
that each field's validated value is the same one used, which local
caching guarantees.

Closes: https://lore.kernel.org/all/20260503200927.73EA1C2BCB4@smtp.kernel.org/
Reviewed-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
Signed-off-by: Jason Xing <kernelxing@tencent.com>
Acked-by: Stanislav Fomichev <sdf@fomichev.me>
Fixes: 48eb03dd2630 ("xsk: Add TX timestamp and TX checksum offload support")
Link: https://patch.msgid.link/20260530042630.80626-1-kerneljasonxing@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>