xsk: cache csum_start/csum_offset to fix TOCTOU in xsk_skb_metadata()

The TX metadata area resides in the UMEM buffer which is memory-mapped
and concurrently writable by userspace. In xsk_skb_metadata(),
csum_start and csum_offset are read from shared memory for bounds
validation, then read again for skb assignment. A malicious userspace
application can race to overwrite these values between the two reads,
bypassing the bounds check and causing out-of-bounds memory access
during checksum computation in the transmit path.

Fix this by reading csum_start and csum_offset into local variables
once, then using the local copies for both validation and assignment.

Note that other metadata fields (flags, launch_time) and the cached
csum fields may be mutually inconsistent due to concurrent userspace
writes, but this is benign: the only security-critical invariant is
that each field's validated value is the same one used, which local
caching guarantees.

Closes: https://lore.kernel.org/all/20260503200927.73EA1C2BCB4@smtp.kernel.org/
Reviewed-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
Signed-off-by: Jason Xing <kernelxing@tencent.com>
Acked-by: Stanislav Fomichev <sdf@fomichev.me>
Fixes: 48eb03dd2630 ("xsk: Add TX timestamp and TX checksum offload support")
Link: https://patch.msgid.link/20260530042630.80626-1-kerneljasonxing@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c
index 5e5786cd9af55afe400479bd37515d548b06aa76..f8c8a8c9dfba5a5e410d7be3486c0a9ccb7bde31 100644 (file)
--- a/net/xdp/xsk.c
+++ b/net/xdp/xsk.c
@@ -802,6 +802,7 @@ static int xsk_skb_metadata(struct sk_buff *skb, void *buffer,
                            u32 hr)
 {
        struct xsk_tx_metadata *meta = NULL;
+       u16 csum_start, csum_offset;
 
        if (unlikely(pool->tx_metadata_len == 0))
                return -EINVAL;
@@ -811,13 +812,15 @@ static int xsk_skb_metadata(struct sk_buff *skb, void *buffer,
                return -EINVAL;
 
        if (meta->flags & XDP_TXMD_FLAGS_CHECKSUM) {
-               if (unlikely(meta->request.csum_start +
-                            meta->request.csum_offset +
+               csum_start = READ_ONCE(meta->request.csum_start);
+               csum_offset = READ_ONCE(meta->request.csum_offset);
+
+               if (unlikely(csum_start + csum_offset +
                             sizeof(__sum16) > desc->len))
                        return -EINVAL;
 
-               skb->csum_start = hr + meta->request.csum_start;
-               skb->csum_offset = meta->request.csum_offset;
+               skb->csum_start = hr + csum_start;
+               skb->csum_offset = csum_offset;
                skb->ip_summed = CHECKSUM_PARTIAL;
 
                if (unlikely(pool->tx_sw_csum)) {