• Dag Moxnes's avatar
    RDMA/core: Fix race when resolving IP address · d8d9ec7d
    Dag Moxnes authored
    Use the neighbour lock when copying the MAC address from the neighbour
    data struct in dst_fetch_ha.
    
    When not using the lock, it is possible for the function to race with
    neigh_update(), causing it to copy an torn MAC address:
    
    rdma_resolve_addr()
      rdma_resolve_ip()
        addr_resolve()
          addr_resolve_neigh()
            fetch_ha()
              dst_fetch_ha()
    	     memcpy(dev_addr->dst_dev_addr, n->ha, MAX_ADDR_LEN)
    
    and
    
    net_ioctl()
      arp_ioctl()
        arp_rec_delete()
          arp_invalidate()
            neigh_update()
              __neigh_update()
    	    memcpy(&neigh->ha, lladdr, dev->addr_len)
    
    It is possible to provoke this error by calling rdma_resolve_addr() in a
    tight loop, while deleting the corresponding ARP entry in another tight
    loop.
    
    Fixes: 51d45974 ("infiniband: addr: Consolidate code to fetch neighbour hardware address from dst.")
    Signed-off-by: default avatarDag Moxnes <dag.moxnes@oracle.com>
    Signed-off-by: default avatarHåkon Bugge <haakon.bugge@oracle.com>
    Reviewed-by: default avatarJason Gunthorpe <jgg@mellanox.com>
    Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
    d8d9ec7d
addr.c 21.7 KB