From: Randall Stewart
Date: Sat, 3 Jul 2010 14:03:31 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r209663 - head/sys/netinet

Author: rrs
Date: Sat Jul 3 14:03:31 2010
New Revision: 209663
URL: http://svn.freebsd.org/changeset/base/209663

Log:
  This fixes a crash in SCTP. It was possible to have a large number of
  packets queued to a crashing process. In a specific case you may get
  2 ABORTs back (from, say, two packets in flight). If the aborts happened
  to be processed at the same time, it's possible to have one free the
  association while the other is trying to report all the outbound
  packets. When this occurred it could lead to a crash.

  MFC after: 3 days

Modified:
  head/sys/netinet/sctputil.c

Modified: head/sys/netinet/sctputil.c ============================================================================== --- head/sys/netinet/sctputil.c Sat Jul 3 13:32:39 2010 (r209662) +++ head/sys/netinet/sctputil.c Sat Jul 3 14:03:31 2010 (r209663) @@ -3694,6 +3694,10 @@ sctp_report_all_outbound(struct sctp_tcb if (stcb == NULL) { return; } + if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) { + /* already being freed */ + return; + } if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) || (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE) || (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET)) { 
@@ -3753,11 +3757,13 @@ sctp_report_all_outbound(struct sctp_tcb stcb->asoc.stream_queue_cnt--; TAILQ_REMOVE(&outs->outqueue, sp, next); sctp_free_spbufspace(stcb, asoc, sp); - sctp_ulp_notify(SCTP_NOTIFY_SPECIAL_SP_FAIL, stcb, - SCTP_NOTIFY_DATAGRAM_UNSENT, (void *)sp, so_locked); if (sp->data) { - sctp_m_freem(sp->data); - sp->data = NULL; + sctp_ulp_notify(SCTP_NOTIFY_SPECIAL_SP_FAIL, stcb, + SCTP_NOTIFY_DATAGRAM_UNSENT, (void *)sp, so_locked); + if (sp->data) { + sctp_m_freem(sp->data); + sp->data = NULL; + } } if (sp->net) sctp_free_remote_addr(sp->net);
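
Review bot: in the first hunk (@@ -3694,6 +3694,10 @@), the new `stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED` test at the top of sctp_report_all_outbound() only closes the race described in the log if the flag is read under the same lock that the freeing path holds when it sets it, and nothing in the visible lines shows which lock the caller holds at this point. If two ABORTs really are processed concurrently, an unlocked check narrows the window but leaves the case where the association is marked and freed just after the test passes. Please state the locking precondition in the comment (it currently says only "already being freed") or add a lock assertion next to the check, so the guarantee is visible to the next reader.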
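
Review bot: in the second hunk (@@ -3753,11 +3757,13 @@), moving sctp_ulp_notify(SCTP_NOTIFY_SPECIAL_SP_FAIL, ...) inside `if (sp->data)` means the upper layer no longer receives an unsent-datagram notification for a queued entry whose data pointer is already NULL, and the log message does not mention this behaviour change. Please confirm that dropping the notification in that case is intended. The nested second `if (sp->data)` also looks redundant at first glance; if it is there because the notify call can take ownership of or release sp->data, a one-line comment saying so would stop someone from "simplifying" it later and reintroducing a double free.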