Message ID | 1562673026-31996-1-git-send-email-dag.moxnes@oracle.com (mailing list archive) |
---|---|
State | Mainlined |
Commit | d8d9ec7dc5abbb3f11d866e983c4984f5c2de9d6 |
Delegated to: | Jason Gunthorpe |
Series | [v4] RDMA/core: Fix race when resolving IP address |
On Tue, Jul 09, 2019 at 01:50:26PM +0200, Dag Moxnes wrote:
> Use the neighbour lock when copying the MAC address from the neighbour
> data struct in dst_fetch_ha.
>
> When not using the lock, it is possible for the function to race with
> neigh_update(), causing it to copy a torn MAC address:
>
> rdma_resolve_addr()
>   rdma_resolve_ip()
>     addr_resolve()
>       addr_resolve_neigh()
>         fetch_ha()
>           dst_fetch_ha()
>             memcpy(dev_addr->dst_dev_addr, n->ha, MAX_ADDR_LEN)
>
> and
>
> net_ioctl()
>   arp_ioctl()
>     arp_rec_delete()
>       arp_invalidate()
>         neigh_update()
>           __neigh_update()
>             memcpy(&neigh->ha, lladdr, dev->addr_len)
>
> It is possible to provoke this error by calling rdma_resolve_addr() in a
> tight loop, while deleting the corresponding ARP entry in another tight
> loop.
>
> Fixes: 51d45974515c ("infiniband: addr: Consolidate code to fetch neighbour hardware address from dst.")
> Signed-off-by: Dag Moxnes <dag.moxnes@oracle.com>
> Signed-off-by: Håkon Bugge <haakon.bugge@oracle.com>
> Reviewed-by: Parav Pandit <parav@mellanox.com>
> Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
> ---
>  drivers/infiniband/core/addr.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Applied to for-next, thanks

Jason
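The torn copy described in the quoted commit message, replayed in a single-threaded user-space model of the sequence-counter retry that neigh_ha_snapshot() relies on in the kernel. This is an added example, not code from the patch or from the kernel: struct model_neigh, ha_update(), ha_read_retry(), ha_snapshot(), replay_torn_copy() and the address bytes are constructed for illustration. replay_torn_copy() returns 1 when the interleaved copy was torn, the sequence check flagged it, and the retry produced the whole new address.

```c
#include <stdatomic.h>
#include <string.h>
#define ADDR_LEN 6                 /* constructed: Ethernet-sized address */
struct model_neigh {               /* hypothetical stand-in for struct neighbour */
    atomic_uint seq;               /* even: stable, odd: update in progress */
    unsigned char ha[ADDR_LEN];
};

/* Writer: make seq odd, replace the address, make seq even again. */
static void ha_update(struct model_neigh *n, const unsigned char *lladdr)
{
    atomic_fetch_add(&n->seq, 1);
    memcpy(n->ha, lladdr, ADDR_LEN);
    atomic_fetch_add(&n->seq, 1);
}

/* Nonzero when a copy started at sequence value `start` may be torn. */
static int ha_read_retry(struct model_neigh *n, unsigned start)
{
    return (start & 1) || atomic_load(&n->seq) != start;
}

/* Reader: repeat the copy until no update overlapped it. */
static void ha_snapshot(unsigned char *dst, struct model_neigh *n)
{
    unsigned start;
    do {
        start = atomic_load(&n->seq);
        memcpy(dst, n->ha, ADDR_LEN);
    } while (ha_read_retry(n, start));
}

/* One-thread replay: an update lands between the two halves of a copy. */
static int replay_torn_copy(void)
{
    const unsigned char old_ha[ADDR_LEN] = {0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa};
    const unsigned char new_ha[ADDR_LEN] = {0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0xbb};
    struct model_neigh n = {0};
    unsigned char dst[ADDR_LEN];
    ha_update(&n, old_ha);
    unsigned start = atomic_load(&n.seq);
    memcpy(dst, n.ha, 3);              /* reader copies the first half */
    ha_update(&n, new_ha);             /* writer runs in between */
    memcpy(dst + 3, n.ha + 3, 3);      /* reader copies the second half */
    int flagged = dst[0] == 0xaa && dst[5] == 0xbb && ha_read_retry(&n, start);
    ha_snapshot(dst, &n);              /* retry sees a stable sequence */
    return flagged && memcmp(dst, new_ha, ADDR_LEN) == 0;
}
int main(void) { return replay_torn_copy() ? 0 : 1; }
```

The model runs both sides in one thread so the interleaving is reproducible; it does not model the memory barriers a concurrent reader and writer need.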
diff --git a/drivers/infiniband/core/addr.c b/drivers/infiniband/core/addr.c index 2f7d141598..9b76a8fcdd 100644 --- a/drivers/infiniband/core/addr.c +++ b/drivers/infiniband/core/addr.c @@ -337,7 +337,7 @@ static int dst_fetch_ha(const struct dst_entry *dst, neigh_event_send(n, NULL); ret = -ENODATA; } else { - memcpy(dev_addr->dst_dev_addr, n->ha, MAX_ADDR_LEN); + neigh_ha_snapshot(dev_addr->dst_dev_addr, n, dst->dev); } neigh_release(n);
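Review bot: in the else branch of dst_fetch_ha(), the copy length changes along with the locking, and the commit message does not say so. The removed line copied MAX_ADDR_LEN bytes, while neigh_ha_snapshot(dev_addr->dst_dev_addr, n, dst->dev) copies only dst->dev->addr_len bytes, the same length the writer uses in the quoted __neigh_update() memcpy. The tail of dst_dev_addr beyond addr_len is therefore no longer written on this path. Please confirm that no consumer of dst_dev_addr reads past addr_len, or that the buffer is zeroed before this call, and note the length change in the changelog. A one-line comment stating that dst->dev is the device the neighbour entry n belongs to would also make the choice of the third argument easier to check.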