From 10a43cea7da841cf85a778a1a4d367fb2de7cbce Mon Sep 17 00:00:00 2001
From: Wei Yongjun <yjwei@cn.fujitsu.com>
Date: Sun, 26 Apr 2009 23:14:42 +0800
Subject: sctp: fix panic when T4-rto timer expire on removed transport

If T4-rto timer is expired on a removed transport, kernel panic
will occur when we do failure management on that transport.
You can reproduce this use the following sequence:

Endpoint A                           Endpoint B
(ESTABLISHED)                        (ESTABLISHED)

            <-----------------      ASCONF
                                    (SRC=X)
ASCONF        ----------------->
(Delete IP Address = X)
            <-----------------      ASCONF-ACK
                                    (Success Indication)
            <-----------------      ASCONF
                                    (T4-rto timer expire)

This patch fixed the problem.

Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
---
 net/sctp/associola.c | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'net/sctp/associola.c')

diff --git a/net/sctp/associola.c b/net/sctp/associola.c
index 3be28fe..8d3aef9 100644
--- a/net/sctp/associola.c
+++ b/net/sctp/associola.c
@@ -575,6 +575,13 @@ void sctp_assoc_rm_peer(struct sctp_association *asoc,
 	if (asoc->shutdown_last_sent_to == peer)
 		asoc->shutdown_last_sent_to = NULL;
 
+	/* If we remove the transport an ASCONF was last sent to, set it to
+	 * NULL.
+	 */
+	if (asoc->addip_last_asconf &&
+	    asoc->addip_last_asconf->transport == peer)
+		asoc->addip_last_asconf->transport = NULL;
+
 	asoc->peer.transport_count--;
 
 	sctp_transport_free(peer);
-- 
cgit v1.1