aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorWei Yongjun <yjwei@cn.fujitsu.com>2009-04-26 11:14:42 -0400
committerVlad Yasevich <vladislav.yasevich@hp.com>2009-06-03 09:14:46 -0400
commit10a43cea7da841cf85a778a1a4d367fb2de7cbce (patch)
tree9a2accb2150d3bfa7f2efc1a824b43ca654fb7ba
parent6345b19985e9f3ec31b61720de01806e3ef680fe (diff)
sctp: fix panic when T4-rto timer expire on removed transport
If T4-rto timer is expired on a removed transport, kernel panic will occur when we do failure management on that transport. You can reproduce this use the following sequence: Endpoint A Endpoint B (ESTABLISHED) (ESTABLISHED) <----------------- ASCONF (SRC=X) ASCONF -----------------> (Delete IP Address = X) <----------------- ASCONF-ACK (Success Indication) <----------------- ASCONF (T4-rto timer expire) This patch fixed the problem. Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com> Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
-rw-r--r--net/sctp/associola.c7
-rw-r--r--net/sctp/sm_statefuns.c4
2 files changed, 10 insertions, 1 deletions
diff --git a/net/sctp/associola.c b/net/sctp/associola.c
index 3be28fed5915..8d3aef9d0615 100644
--- a/net/sctp/associola.c
+++ b/net/sctp/associola.c
@@ -575,6 +575,13 @@ void sctp_assoc_rm_peer(struct sctp_association *asoc,
575 if (asoc->shutdown_last_sent_to == peer) 575 if (asoc->shutdown_last_sent_to == peer)
576 asoc->shutdown_last_sent_to = NULL; 576 asoc->shutdown_last_sent_to = NULL;
577 577
578 /* If we remove the transport an ASCONF was last sent to, set it to
579 * NULL.
580 */
581 if (asoc->addip_last_asconf &&
582 asoc->addip_last_asconf->transport == peer)
583 asoc->addip_last_asconf->transport = NULL;
584
578 asoc->peer.transport_count--; 585 asoc->peer.transport_count--;
579 586
580 sctp_transport_free(peer); 587 sctp_transport_free(peer);
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 10abc07d42cb..7288192f7df5 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -5475,7 +5475,9 @@ sctp_disposition_t sctp_sf_t4_timer_expire(
5475 * detection on the appropriate destination address as defined in 5475 * detection on the appropriate destination address as defined in
5476 * RFC2960 [5] section 8.1 and 8.2. 5476 * RFC2960 [5] section 8.1 and 8.2.
5477 */ 5477 */
5478 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport)); 5478 if (transport)
5479 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE,
5480 SCTP_TRANSPORT(transport));
5479 5481
5480 /* Reconfig T4 timer and transport. */ 5482 /* Reconfig T4 timer and transport. */
5481 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk)); 5483 sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk));