Check local address directly through NIC

Network endpoints that wish to check addresses on another NIC-local
network endpoint may now do so through the NetworkInterface.

This fixes a lock ordering issue between NIC removal and link
resolution. Before this change:

  NIC Removal takes the stack lock, neighbor cache lock then neighbor
  entries' locks.

  When performing IPv4 link resolution, we take the entry lock then ARP
  would try check IPv4 local addresses through the stack which tries to
  obtain the stack's lock.

Now that ARP can check IPv4 addreses through the NIC, we avoid the lock
ordering issue, while also removing the need for stack to lookup the
NIC.

PiperOrigin-RevId: 356034245

3 files changed, 36 insertions, 8 deletions

diff --git a/pkg/tcpip/stack/nic.go b/pkg/tcpip/stack/nic.go
index 6f2a0e487..a90d027f2 100644
--- a/pkg/tcpip/stack/nic.go
+++ b/pkg/tcpip/stack/nic.go
@@ -441,6 +441,13 @@ func (n *NIC) setSpoofing(enable bool) {
 	n.mu.Unlock()
 }
 
+// Spoofing implements NetworkInterface.
+func (n *NIC) Spoofing() bool {
+	n.mu.RLock()
+	defer n.mu.RUnlock()
+	return n.mu.spoofing
+}
+
 // primaryAddress returns an address that can be used to communicate with
 // remoteAddr.
 func (n *NIC) primaryEndpoint(protocol tcpip.NetworkProtocolNumber, remoteAddr tcpip.Address) AssignableAddressEndpoint {
@@ -994,3 +1001,17 @@ func (n *NIC) HandleNeighborConfirmation(protocol tcpip.NetworkProtocolNumber, a
 
 	return &tcpip.ErrNotSupported{}
 }
+
+// CheckLocalAddress implements NetworkInterface.
+func (n *NIC) CheckLocalAddress(protocol tcpip.NetworkProtocolNumber, addr tcpip.Address) bool {
+	if n.Spoofing() {
+		return true
+	}
+
+	if addressEndpoint := n.getAddressOrCreateTempInner(protocol, addr, false /* createTemp */, NeverPrimaryEndpoint); addressEndpoint != nil {
+		addressEndpoint.DecRef()
+		return true
+	}
+
+	return false
+}
diff --git a/pkg/tcpip/stack/registration.go b/pkg/tcpip/stack/registration.go
index d589f798d..2bc1c4270 100644
--- a/pkg/tcpip/stack/registration.go
+++ b/pkg/tcpip/stack/registration.go
@@ -514,8 +514,19 @@ type NetworkInterface interface {
 	Enabled() bool
 
 	// Promiscuous returns true if the interface is in promiscuous mode.
+	//
+	// When in promiscuous mode, the interface should accept all packets.
 	Promiscuous() bool
 
+	// Spoofing returns true if the interface is in spoofing mode.
+	//
+	// When in spoofing mode, the interface should consider all addresses as
+	// assigned to it.
+	Spoofing() bool
+
+	// CheckLocalAddress returns true if the address exists on the interface.
+	CheckLocalAddress(tcpip.NetworkProtocolNumber, tcpip.Address) bool
+
 	// WritePacketToRemote writes the packet to the given remote link address.
 	WritePacketToRemote(tcpip.LinkAddress, *GSO, tcpip.NetworkProtocolNumber, *PacketBuffer) tcpip.Error
 
diff --git a/pkg/tcpip/stack/stack.go b/pkg/tcpip/stack/stack.go
index 035ab33ca..198e59c77 100644
--- a/pkg/tcpip/stack/stack.go
+++ b/pkg/tcpip/stack/stack.go
@@ -1498,20 +1498,16 @@ func (s *Stack) CheckLocalAddress(nicID tcpip.NICID, protocol tcpip.NetworkProto
 			return 0
 		}
 
-		addressEndpoint := nic.findEndpoint(protocol, addr, CanBePrimaryEndpoint)
-		if addressEndpoint == nil {
-			return 0
+		if nic.CheckLocalAddress(protocol, addr) {
+			return nic.id
 		}
 
-		addressEndpoint.DecRef()
-
-		return nic.id
+		return 0
 	}
 
 	// Go through all the NICs.
 	for _, nic := range s.nics {
-		if addressEndpoint := nic.findEndpoint(protocol, addr, CanBePrimaryEndpoint); addressEndpoint != nil {
-			addressEndpoint.DecRef()
+		if nic.CheckLocalAddress(protocol, addr) {
 			return nic.id
 		}
 	}