svn commit: r209663 - head/sys/netinet

Randall Stewart rrs at FreeBSD.org
Sat Jul 3 14:03:32 UTC 2010


Author: rrs
Date: Sat Jul  3 14:03:31 2010
New Revision: 209663
URL: http://svn.freebsd.org/changeset/base/209663

Log:
  This fixes a crash in SCTP. It was possible to have a
  large number of packets queued to a crashing process.
  In a specific case you may get 2 ABORTs back (from,
  say, two packets in flight). If the aborts happened to
  be processed at the same time, it's possible to have
  one free the association while the other is trying
  to report all the outbound packets. When this occurred
  it could lead to a crash.
  
  MFC after:	3 days

Modified:
  head/sys/netinet/sctputil.c

Modified: head/sys/netinet/sctputil.c
==============================================================================
--- head/sys/netinet/sctputil.c	Sat Jul  3 13:32:39 2010	(r209662)
+++ head/sys/netinet/sctputil.c	Sat Jul  3 14:03:31 2010	(r209663)
@@ -3694,6 +3694,10 @@ sctp_report_all_outbound(struct sctp_tcb
 	if (stcb == NULL) {
 		return;
 	}
+	if (stcb->asoc.state & SCTP_STATE_ABOUT_TO_BE_FREED) {
+		/* already being freed */
+		return;
+	}
 	if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) ||
 	    (stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE) ||
 	    (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET)) {
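Review bot: The new `SCTP_STATE_ABOUT_TO_BE_FREED` test dereferences `stcb` and returns with no lock or reference visible in this hunk, so it closes the race described in the log only if every caller enters with the TCB lock held or with a reference that keeps the association alive. If that is the contract, I would state it at the check, e.g. `/* caller holds the TCB lock, so the flag cannot change under us */`, and back it with `SCTP_TCB_LOCK_ASSERT(stcb);` before the test. Without such a guarantee the other ABORT path could still set the flag, or release the association, between this test and the queue walk further down. The function body continues outside the hunk, so the locking may be established there or in the callers.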
@@ -3753,11 +3757,13 @@ sctp_report_all_outbound(struct sctp_tcb
 			stcb->asoc.stream_queue_cnt--;
 			TAILQ_REMOVE(&outs->outqueue, sp, next);
 			sctp_free_spbufspace(stcb, asoc, sp);
-			sctp_ulp_notify(SCTP_NOTIFY_SPECIAL_SP_FAIL, stcb,
-			    SCTP_NOTIFY_DATAGRAM_UNSENT, (void *)sp, so_locked);
 			if (sp->data) {
-				sctp_m_freem(sp->data);
-				sp->data = NULL;
+				sctp_ulp_notify(SCTP_NOTIFY_SPECIAL_SP_FAIL, stcb,
+				    SCTP_NOTIFY_DATAGRAM_UNSENT, (void *)sp, so_locked);
+				if (sp->data) {
+					sctp_m_freem(sp->data);
+					sp->data = NULL;
+				}
 			}
 			if (sp->net)
 				sctp_free_remote_addr(sp->net);
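Review bot: The inner `if (sp->data)` after `sctp_ulp_notify()` reads as a redundant re-test of the outer condition unless the reader knows that the notification can take the mbuf chain and clear the pointer, which the new code appears to rely on but does not say. A one-line comment such as `/* notify may have taken sp->data; free only what is left */` would keep a later cleanup from collapsing the two tests and risking a second free of the same chain. Entries whose `sp->data` is already NULL now produce no SCTP_NOTIFY_DATAGRAM_UNSENT notification at all; if that is intended, the comment should say so. The enclosing loop starts and ends outside the hunk.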

