diff options
author | Wei Yongjun <yjwei@cn.fujitsu.com> | 2009-04-26 23:14:42 +0800 |
---|---|---|
committer | Vlad Yasevich <vladislav.yasevich@hp.com> | 2009-06-03 09:14:46 -0400 |
commit | 10a43cea7da841cf85a778a1a4d367fb2de7cbce (patch) | |
tree | 9a2accb2150d3bfa7f2efc1a824b43ca654fb7ba | |
parent | 6345b19985e9f3ec31b61720de01806e3ef680fe (diff) | |
download | linux-10a43cea7da841cf85a778a1a4d367fb2de7cbce.tar.gz linux-10a43cea7da841cf85a778a1a4d367fb2de7cbce.tar.bz2 linux-10a43cea7da841cf85a778a1a4d367fb2de7cbce.zip |
sctp: fix panic when T4-rto timer expire on removed transport
If T4-rto timer is expired on a removed transport, kernel panic
will occur when we do failure management on that transport.
You can reproduce this use the following sequence:
Endpoint A Endpoint B
(ESTABLISHED) (ESTABLISHED)
<----------------- ASCONF
(SRC=X)
ASCONF ----------------->
(Delete IP Address = X)
<----------------- ASCONF-ACK
(Success Indication)
<----------------- ASCONF
(T4-rto timer expire)
This patch fixed the problem.
Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
-rw-r--r-- | net/sctp/associola.c | 7 | ||||
-rw-r--r-- | net/sctp/sm_statefuns.c | 4 |
2 files changed, 10 insertions, 1 deletions
diff --git a/net/sctp/associola.c b/net/sctp/associola.c index 3be28fed5915..8d3aef9d0615 100644 --- a/net/sctp/associola.c +++ b/net/sctp/associola.c @@ -575,6 +575,13 @@ void sctp_assoc_rm_peer(struct sctp_association *asoc, if (asoc->shutdown_last_sent_to == peer) asoc->shutdown_last_sent_to = NULL; + /* If we remove the transport an ASCONF was last sent to, set it to + * NULL. + */ + if (asoc->addip_last_asconf && + asoc->addip_last_asconf->transport == peer) + asoc->addip_last_asconf->transport = NULL; + asoc->peer.transport_count--; sctp_transport_free(peer); diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c index 10abc07d42cb..7288192f7df5 100644 --- a/net/sctp/sm_statefuns.c +++ b/net/sctp/sm_statefuns.c @@ -5475,7 +5475,9 @@ sctp_disposition_t sctp_sf_t4_timer_expire( * detection on the appropriate destination address as defined in * RFC2960 [5] section 8.1 and 8.2. */ - sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport)); + if (transport) + sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, + SCTP_TRANSPORT(transport)); /* Reconfig T4 timer and transport. */ sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk)); |