From owner-svn-src-all@FreeBSD.ORG  Fri Feb 10 19:57:58 2012
Return-Path: <owner-svn-src-all@FreeBSD.ORG>
Delivered-To: svn-src-all@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id E19821065675;
	Fri, 10 Feb 2012 19:57:58 +0000 (UTC)
	(envelope-from tuexen@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c])
	by mx1.freebsd.org (Postfix) with ESMTP id B0D428FC16;
	Fri, 10 Feb 2012 19:57:58 +0000 (UTC)
Received: from svn.freebsd.org (localhost [127.0.0.1])
	by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id q1AJvwFX091312;
	Fri, 10 Feb 2012 19:57:58 GMT (envelope-from tuexen@svn.freebsd.org)
Received: (from tuexen@localhost)
	by svn.freebsd.org (8.14.4/8.14.4/Submit) id q1AJvwdp091310;
	Fri, 10 Feb 2012 19:57:58 GMT (envelope-from tuexen@svn.freebsd.org)
Message-Id: <201202101957.q1AJvwdp091310@svn.freebsd.org>
From: Michael Tuexen <tuexen@FreeBSD.org>
Date: Fri, 10 Feb 2012 19:57:58 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
	svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org
X-SVN-Group: stable-8
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc: 
Subject: svn commit: r231418 - stable/8/sys/netinet
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for &quot;
	user&quot; and &quot; projects&quot; \)" <svn-src-all.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-all>,
	<mailto:svn-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-all>
List-Post: <mailto:svn-src-all@freebsd.org>
List-Help: <mailto:svn-src-all-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-all>,
	<mailto:svn-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Feb 2012 19:57:59 -0000

Author: tuexen
Date: Fri Feb 10 19:57:58 2012
New Revision: 231418
URL: http://svn.freebsd.org/changeset/base/231418

Log:
  MFC r218641:
  Fix a bug reported by Jonathan Leighton in his web-sctp testing
  at the Univ-of-Del. Basically when a 1-to-1 socket did a
  socket/bind/send(data)/close. If the timing was right
  we would dereference a socket that is NULL.
  From rrs@.

Modified:
  stable/8/sys/netinet/sctp_input.c
Directory Properties:
  stable/8/sys/   (props changed)
  stable/8/sys/amd64/include/xen/   (props changed)
  stable/8/sys/boot/   (props changed)
  stable/8/sys/cddl/contrib/opensolaris/   (props changed)
  stable/8/sys/contrib/dev/acpica/   (props changed)
  stable/8/sys/contrib/pf/   (props changed)
  stable/8/sys/dev/e1000/   (props changed)

Modified: stable/8/sys/netinet/sctp_input.c
==============================================================================
--- stable/8/sys/netinet/sctp_input.c	Fri Feb 10 19:56:02 2012	(r231417)
+++ stable/8/sys/netinet/sctp_input.c	Fri Feb 10 19:57:58 2012	(r231418)
@@ -2867,24 +2867,31 @@ sctp_handle_cookie_ack(struct sctp_cooki
 			SCTP_SOCKET_LOCK(so, 1);
 			SCTP_TCB_LOCK(stcb);
 			atomic_subtract_int(&stcb->asoc.refcnt, 1);
-			if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
-				SCTP_SOCKET_UNLOCK(so, 1);
-				return;
-			}
 #endif
-			soisconnected(stcb->sctp_socket);
+			if ((stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) == 0) {
+				soisconnected(stcb->sctp_socket);
+			}
 #if defined (__APPLE__) || defined(SCTP_SO_LOCK_TESTING)
 			SCTP_SOCKET_UNLOCK(so, 1);
 #endif
 		}
-		sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep,
-		    stcb, net);
 		/*
 		 * since we did not send a HB make sure we don't double
 		 * things
 		 */
 		net->hb_responded = 1;
 
+		if (stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) {
+			/*
+			 * We don't need to do the asconf thing, nor hb or
+			 * autoclose if the socket is closed.
+			 */
+			goto closed_socket;
+		}
+		sctp_timer_start(SCTP_TIMER_TYPE_HEARTBEAT, stcb->sctp_ep,
+		    stcb, net);
+
+
 		if (stcb->asoc.sctp_autoclose_ticks &&
 		    sctp_is_feature_on(stcb->sctp_ep, SCTP_PCB_FLAGS_AUTOCLOSE)) {
 			sctp_timer_start(SCTP_TIMER_TYPE_AUTOCLOSE,
@@ -2908,6 +2915,7 @@ sctp_handle_cookie_ack(struct sctp_cooki
 #endif
 		}
 	}
+closed_socket:
 	/* Toss the cookie if I can */
 	sctp_toss_old_cookies(stcb, asoc);
 	if (!TAILQ_EMPTY(&asoc->sent_queue)) {