aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorWei Yongjun <yjwei@cn.fujitsu.com>2009-04-26 11:13:35 -0400
committerVlad Yasevich <vladislav.yasevich@hp.com>2009-06-03 09:14:46 -0400
commit6345b19985e9f3ec31b61720de01806e3ef680fe (patch)
treebb34bf4a7c0bc539e405a68c6835bb40d6b91147
parenta2c395846cf6abfdda3c04a19a0982adbb6469c2 (diff)
sctp: fix panic when T2-shutdown timer expire on removed transport
If T2-shutdown timer is expired on a removed transport, kernel panic will occur when we do failure management on that transport. You can reproduce this use the following sequence: Endpoint A Endpoint B (ESTABLISHED) (ESTABLISHED) <----------------- SHUTDOWN (SRC=X) ASCONF -----------------> (Delete IP Address = X) <----------------- ASCONF-ACK (Success Indication) <----------------- SHUTDOWN (T2-shutdown timer expire) This patch fixed the problem. Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com> Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
-rw-r--r--net/sctp/associola.c8
-rw-r--r--net/sctp/sm_statefuns.c10
2 files changed, 15 insertions, 3 deletions
diff --git a/net/sctp/associola.c b/net/sctp/associola.c
index e7b69a7360e2..3be28fed5915 100644
--- a/net/sctp/associola.c
+++ b/net/sctp/associola.c
@@ -567,6 +567,14 @@ void sctp_assoc_rm_peer(struct sctp_association *asoc,
567 if (asoc->init_last_sent_to == peer) 567 if (asoc->init_last_sent_to == peer)
568 asoc->init_last_sent_to = NULL; 568 asoc->init_last_sent_to = NULL;
569 569
570 /* If we remove the transport an SHUTDOWN was last sent to, set it
571 * to NULL. Combined with the update of the retran path above, this
572 * will cause the next SHUTDOWN to be sent to the next available
573 * transport, maintaining the cycle.
574 */
575 if (asoc->shutdown_last_sent_to == peer)
576 asoc->shutdown_last_sent_to = NULL;
577
570 asoc->peer.transport_count--; 578 asoc->peer.transport_count--;
571 579
572 sctp_transport_free(peer); 580 sctp_transport_free(peer);
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 55a61aa69662..10abc07d42cb 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -5432,9 +5432,13 @@ sctp_disposition_t sctp_sf_t2_timer_expire(const struct sctp_endpoint *ep,
5432 if (!reply) 5432 if (!reply)
5433 goto nomem; 5433 goto nomem;
5434 5434
5435 /* Do some failure management (Section 8.2). */ 5435 /* Do some failure management (Section 8.2).
5436 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, 5436 * If we remove the transport an SHUTDOWN was last sent to, don't
5437 SCTP_TRANSPORT(asoc->shutdown_last_sent_to)); 5437 * do failure management.
5438 */
5439 if (asoc->shutdown_last_sent_to)
5440 sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE,
5441 SCTP_TRANSPORT(asoc->shutdown_last_sent_to));
5438 5442
5439 /* Set the transport for the SHUTDOWN/ACK chunk and the timeout for 5443 /* Set the transport for the SHUTDOWN/ACK chunk and the timeout for
5440 * the T2-shutdown timer. 5444 * the T2-shutdown timer.