[SCTP]: Fix local_addr deletions during list traversals.

Since the lists are circular, we need to explicitely tag
the address to be deleted since we might end up freeing
the list head instead.  This fixes some interesting SCTP
crashes.

Signed-off-by: Chidambar 'ilLogict' Zinnoury <illogict@online.fr>
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 3 insertions, 1 deletions

diff --git a/net/sctp/protocol.c b/net/sctp/protocol.c
index 688546dccd82..ad0a4069b95b 100644
--- a/net/sctp/protocol.c
+++ b/net/sctp/protocol.c
@@ -628,6 +628,7 @@ static int sctp_inetaddr_event(struct notifier_block *this, unsigned long ev,
         struct in_ifaddr *ifa = (struct in_ifaddr *)ptr;
         struct sctp_sockaddr_entry *addr = NULL;
         struct sctp_sockaddr_entry *temp;
+        int found = 0;
 
         switch (ev) {
         case NETDEV_UP:
@@ -647,13 +648,14 @@ static int sctp_inetaddr_event(struct notifier_block *this, unsigned long ev,
                 list_for_each_entry_safe(addr, temp,
                                         &sctp_local_addr_list, list) {
                         if (addr->a.v4.sin_addr.s_addr == ifa->ifa_local) {
+                                found = 1;
                                 addr->valid = 0;
                                 list_del_rcu(&addr->list);
                                 break;
                         }
                 }
                 spin_unlock_bh(&sctp_local_addr_lock);
-                if (addr && !addr->valid)
+                if (found)
                         call_rcu(&addr->rcu, sctp_local_addr_free);
                 break;
         }