sctp: fix panic when T4-rto timer expire on removed transport
authorWei Yongjun <yjwei@cn.fujitsu.com>
Sun, 26 Apr 2009 15:14:42 +0000 (23:14 +0800)
committerVlad Yasevich <vladislav.yasevich@hp.com>
Wed, 3 Jun 2009 13:14:46 +0000 (09:14 -0400)
If T4-rto timer is expired on a removed transport, kernel panic
will occur when we do failure management on that transport.
You can reproduce this use the following sequence:

Endpoint A                           Endpoint B
(ESTABLISHED)                        (ESTABLISHED)

            <-----------------      ASCONF
                                    (SRC=X)
ASCONF        ----------------->
(Delete IP Address = X)
            <-----------------      ASCONF-ACK
                                    (Success Indication)
            <-----------------      ASCONF
                                    (T4-rto timer expire)

This patch fixed the problem.

Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
net/sctp/associola.c
net/sctp/sm_statefuns.c

index 3be28fed5915a681115db74e2bb8637c6a9cf31a..8d3aef9d0615d598b2667ef6fdee4657fa1503b8 100644 (file)
@@ -575,6 +575,13 @@ void sctp_assoc_rm_peer(struct sctp_association *asoc,
        if (asoc->shutdown_last_sent_to == peer)
                asoc->shutdown_last_sent_to = NULL;
 
+       /* If we remove the transport an ASCONF was last sent to, set it to
+        * NULL.
+        */
+       if (asoc->addip_last_asconf &&
+           asoc->addip_last_asconf->transport == peer)
+               asoc->addip_last_asconf->transport = NULL;
+
        asoc->peer.transport_count--;
 
        sctp_transport_free(peer);
index 10abc07d42cb6e744f4f0f8056b828a8dac9f310..7288192f7df5998d4da5ffcfa6dd7ed386693278 100644 (file)
@@ -5475,7 +5475,9 @@ sctp_disposition_t sctp_sf_t4_timer_expire(
         * detection on the appropriate destination address as defined in
         * RFC2960 [5] section 8.1 and 8.2.
         */
-       sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport));
+       if (transport)
+               sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE,
+                               SCTP_TRANSPORT(transport));
 
        /* Reconfig T4 timer and transport. */
        sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk));