sctp: Enforce retransmission limit during shutdown

When initiating a graceful shutdown while having data chunks
on the retransmission queue with a peer which is in zero
window mode the shutdown is never completed because the
retransmission error count is reset periodically by the
following two rules:

 - Do not timeout association while doing zero window probe.
 - Reset overall error count when a heartbeat request has
   been acknowledged.

The graceful shutdown will wait for all outstanding TSN to
be acknowledged before sending the SHUTDOWN request. This
never happens due to the peer's zero window not acknowledging
the continuously retransmitted data chunks. Although the
error counter is incremented for each failed retransmission,
the receiving of the SACK announcing the zero window clears
the error count again immediately. Also heartbeat requests
continue to be sent periodically. The peer acknowledges these
requests causing the error counter to be reset as well.

This patch changes behaviour to only reset the overall error
counter for the above rules while not in shutdown. After
reaching the maximum number of retransmission attempts, the
T5 shutdown guard timer is scheduled to give the receiver
some additional time to recover. The timer is stopped as soon
as the receiver acknowledges any data.

The issue can be easily reproduced by establishing a sctp
association over the loopback device, constantly queueing
data at the sender while not reading any at the receiver.
Wait for the window to reach zero, then initiate a shutdown
by killing both processes simultaneously. The association
will never be freed and the chunks on the retransmission
queue will be retransmitted indefinitely.

Signed-off-by: Thomas Graf <tgraf@infradead.org>
Acked-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 18 insertions, 2 deletions

diff --git a/net/sctp/sm_sideeffect.c b/net/sctp/sm_sideeffect.c
index 534c2e5feb05..6e0f88295aaf 100644
--- a/net/sctp/sm_sideeffect.c
+++ b/net/sctp/sm_sideeffect.c
@@ -670,10 +670,19 @@ static void sctp_cmd_transport_on(sctp_cmd_seq_t *cmds,
         /* 8.3 Upon the receipt of the HEARTBEAT ACK, the sender of the
          * HEARTBEAT should clear the error counter of the destination
          * transport address to which the HEARTBEAT was sent.
-         * The association's overall error count is also cleared.
          */
         t->error_count = 0;
-        t->asoc->overall_error_count = 0;
+
+        /*
+         * Although RFC4960 specifies that the overall error count must
+         * be cleared when a HEARTBEAT ACK is received, we make an
+         * exception while in SHUTDOWN PENDING. If the peer keeps its
+         * window shut forever, we may never be able to transmit our
+         * outstanding data and rely on the retransmission limit be reached
+         * to shutdown the association.
+         */
+        if (t->asoc->state != SCTP_STATE_SHUTDOWN_PENDING)
+                t->asoc->overall_error_count = 0;
 
         /* Clear the hb_sent flag to signal that we had a good
          * acknowledgement.
@@ -1437,6 +1446,13 @@ static int sctp_cmd_interpreter(sctp_event_t event_type,
                         sctp_cmd_setup_t2(commands, asoc, cmd->obj.ptr);
                         break;
 
+                case SCTP_CMD_TIMER_START_ONCE:
+                        timer = &asoc->timers[cmd->obj.to];
+
+                        if (timer_pending(timer))
+                                break;
+                        /* fall through */
+
                 case SCTP_CMD_TIMER_START:
                         timer = &asoc->timers[cmd->obj.to];
                         timeout = asoc->timeouts[cmd->obj.to];