summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorVlad Yasevich <vladislav.yasevich@hp.com>2007-11-07 17:39:27 +0100
committerVlad Yasevich <vladislav.yasevich@hp.com>2007-11-07 17:39:27 +0100
commit027f6e1ad32de32f9fe1c61d0f744e329e8acfd9 (patch)
tree328152564025009264e768c2bc5c1d54ed44c27c
parentSCTP: Allow ADD_IP to work with AUTH for backward compatibility. (diff)
downloadlinux-027f6e1ad32de32f9fe1c61d0f744e329e8acfd9.tar.xz
linux-027f6e1ad32de32f9fe1c61d0f744e329e8acfd9.zip
SCTP: Fix a potential race between timers and receive path.
There is a possible race condition where the timer code will free the association and the next packet in the queue will also attempt to free the same association. The example is, when we receive an ABORT at about the same time as the retransmission timer fires. If the timer wins the race, it will free the association. Once it releases the lock, the queue processing will recieve the ABORT and will try to free the association again. Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
-rw-r--r--net/sctp/inqueue.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/net/sctp/inqueue.c b/net/sctp/inqueue.c
index f10fe7fbf24c..cf4b7eb023b3 100644
--- a/net/sctp/inqueue.c
+++ b/net/sctp/inqueue.c
@@ -90,6 +90,10 @@ void sctp_inq_free(struct sctp_inq *queue)
void sctp_inq_push(struct sctp_inq *q, struct sctp_chunk *chunk)
{
/* Directly call the packet handling routine. */
+ if (chunk->rcvr->dead) {
+ sctp_chunk_free(chunk);
+ return;
+ }
/* We are now calling this either from the soft interrupt
* or from the backlog processing.