Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 6345b199 authored by Wei Yongjun's avatar Wei Yongjun Committed by Vlad Yasevich
Browse files

sctp: fix panic when T2-shutdown timer expire on removed transport 



If T2-shutdown timer is expired on a removed transport, kernel
panic will occur when we do failure management on that transport.
You can reproduce this use the following sequence:

  Endpoint A                           Endpoint B
  (ESTABLISHED)                        (ESTABLISHED)

                <-----------------      SHUTDOWN
                                        (SRC=X)
  ASCONF        ----------------->
  (Delete IP Address = X)
                <-----------------      ASCONF-ACK
                                        (Success Indication)
                <-----------------      SHUTDOWN
                                        (T2-shutdown timer expire)
This patch fixed the problem.

Signed-off-by: default avatarWei Yongjun <yjwei@cn.fujitsu.com>
Signed-off-by: default avatarVlad Yasevich <vladislav.yasevich@hp.com>
parent a2c39584

net/sctp/associola.c

+8 −0
Original line number Original line Diff line number Diff line
@@ -567,6 +567,14 @@ void sctp_assoc_rm_peer(struct sctp_association *asoc, 
	if (asoc->init_last_sent_to == peer)

	if (asoc->init_last_sent_to == peer)

		asoc->init_last_sent_to = NULL;

		asoc->init_last_sent_to = NULL;





	/* If we remove the transport an SHUTDOWN was last sent to, set it

	 * to NULL. Combined with the update of the retran path above, this

	 * will cause the next SHUTDOWN to be sent to the next available

	 * transport, maintaining the cycle.

	 */

	if (asoc->shutdown_last_sent_to == peer)

		asoc->shutdown_last_sent_to = NULL;



	asoc->peer.transport_count--;

	asoc->peer.transport_count--;





	sctp_transport_free(peer);

	sctp_transport_free(peer);

net/sctp/sm_statefuns.c

+7 −3
Original line number Original line Diff line number Diff line
@@ -5432,7 +5432,11 @@ sctp_disposition_t sctp_sf_t2_timer_expire(const struct sctp_endpoint *ep, 
	if (!reply)

	if (!reply)

		goto nomem;

		goto nomem;





	/* Do some failure management (Section 8.2). */

	/* Do some failure management (Section 8.2).

	 * If we remove the transport an SHUTDOWN was last sent to, don't

	 * do failure management.

	 */

	if (asoc->shutdown_last_sent_to)

		sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE,

		sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE,

				SCTP_TRANSPORT(asoc->shutdown_last_sent_to));

				SCTP_TRANSPORT(asoc->shutdown_last_sent_to));