From 6345b19985e9f3ec31b61720de01806e3ef680fe Mon Sep 17 00:00:00 2001
From: Wei Yongjun <yjwei@cn.fujitsu.com>
Date: Sun, 26 Apr 2009 23:13:35 +0800
Subject: sctp: fix panic when T2-shutdown timer expire on removed transport

If T2-shutdown timer is expired on a removed transport, kernel
panic will occur when we do failure management on that transport.
You can reproduce this use the following sequence:

  Endpoint A                           Endpoint B
  (ESTABLISHED)                        (ESTABLISHED)

                <-----------------      SHUTDOWN
                                        (SRC=X)
  ASCONF        ----------------->
  (Delete IP Address = X)
                <-----------------      ASCONF-ACK
                                        (Success Indication)
                <-----------------      SHUTDOWN
                                        (T2-shutdown timer expire)
This patch fixed the problem.

Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
---
 net/sctp/associola.c | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'net/sctp/associola.c')

diff --git a/net/sctp/associola.c b/net/sctp/associola.c
index e7b69a7..3be28fe 100644
--- a/net/sctp/associola.c
+++ b/net/sctp/associola.c
@@ -567,6 +567,14 @@ void sctp_assoc_rm_peer(struct sctp_association *asoc,
 	if (asoc->init_last_sent_to == peer)
 		asoc->init_last_sent_to = NULL;
 
+	/* If we remove the transport an SHUTDOWN was last sent to, set it
+	 * to NULL. Combined with the update of the retran path above, this
+	 * will cause the next SHUTDOWN to be sent to the next available
+	 * transport, maintaining the cycle.
+	 */
+	if (asoc->shutdown_last_sent_to == peer)
+		asoc->shutdown_last_sent_to = NULL;
+
 	asoc->peer.transport_count--;
 
 	sctp_transport_free(peer);
-- 
cgit v1.1