diff options
author | Wei Yongjun <yjwei@cn.fujitsu.com> | 2009-04-26 11:13:35 -0400 |
---|---|---|
committer | Vlad Yasevich <vladislav.yasevich@hp.com> | 2009-06-03 09:14:46 -0400 |
commit | 6345b19985e9f3ec31b61720de01806e3ef680fe (patch) | |
tree | bb34bf4a7c0bc539e405a68c6835bb40d6b91147 | |
parent | a2c395846cf6abfdda3c04a19a0982adbb6469c2 (diff) |
sctp: fix panic when T2-shutdown timer expire on removed transport
If T2-shutdown timer is expired on a removed transport, kernel
panic will occur when we do failure management on that transport.
You can reproduce this use the following sequence:
Endpoint A Endpoint B
(ESTABLISHED) (ESTABLISHED)
<----------------- SHUTDOWN
(SRC=X)
ASCONF ----------------->
(Delete IP Address = X)
<----------------- ASCONF-ACK
(Success Indication)
<----------------- SHUTDOWN
(T2-shutdown timer expire)
This patch fixed the problem.
Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
-rw-r--r-- | net/sctp/associola.c | 8 | ||||
-rw-r--r-- | net/sctp/sm_statefuns.c | 10 |
2 files changed, 15 insertions, 3 deletions
diff --git a/net/sctp/associola.c b/net/sctp/associola.c index e7b69a7360e2..3be28fed5915 100644 --- a/net/sctp/associola.c +++ b/net/sctp/associola.c | |||
@@ -567,6 +567,14 @@ void sctp_assoc_rm_peer(struct sctp_association *asoc, | |||
567 | if (asoc->init_last_sent_to == peer) | 567 | if (asoc->init_last_sent_to == peer) |
568 | asoc->init_last_sent_to = NULL; | 568 | asoc->init_last_sent_to = NULL; |
569 | 569 | ||
570 | /* If we remove the transport an SHUTDOWN was last sent to, set it | ||
571 | * to NULL. Combined with the update of the retran path above, this | ||
572 | * will cause the next SHUTDOWN to be sent to the next available | ||
573 | * transport, maintaining the cycle. | ||
574 | */ | ||
575 | if (asoc->shutdown_last_sent_to == peer) | ||
576 | asoc->shutdown_last_sent_to = NULL; | ||
577 | |||
570 | asoc->peer.transport_count--; | 578 | asoc->peer.transport_count--; |
571 | 579 | ||
572 | sctp_transport_free(peer); | 580 | sctp_transport_free(peer); |
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c index 55a61aa69662..10abc07d42cb 100644 --- a/net/sctp/sm_statefuns.c +++ b/net/sctp/sm_statefuns.c | |||
@@ -5432,9 +5432,13 @@ sctp_disposition_t sctp_sf_t2_timer_expire(const struct sctp_endpoint *ep, | |||
5432 | if (!reply) | 5432 | if (!reply) |
5433 | goto nomem; | 5433 | goto nomem; |
5434 | 5434 | ||
5435 | /* Do some failure management (Section 8.2). */ | 5435 | /* Do some failure management (Section 8.2). |
5436 | sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, | 5436 | * If we remove the transport an SHUTDOWN was last sent to, don't |
5437 | SCTP_TRANSPORT(asoc->shutdown_last_sent_to)); | 5437 | * do failure management. |
5438 | */ | ||
5439 | if (asoc->shutdown_last_sent_to) | ||
5440 | sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, | ||
5441 | SCTP_TRANSPORT(asoc->shutdown_last_sent_to)); | ||
5438 | 5442 | ||
5439 | /* Set the transport for the SHUTDOWN/ACK chunk and the timeout for | 5443 | /* Set the transport for the SHUTDOWN/ACK chunk and the timeout for |
5440 | * the T2-shutdown timer. | 5444 | * the T2-shutdown timer. |