Patchwork [1/4,v2] sctp: fix association hangs due to off-by-one errors in sctp_tsnmap_grow()

mail settings
Submitter Roberts, Lee A.
Date Feb. 21, 2013, 5:57 p.m.
Message ID <>
Download mbox | patch
Permalink /patch/222387/
State Changes Requested
Delegated to: David Miller
Headers show


Roberts, Lee A. - Feb. 21, 2013, 5:57 p.m.
From: Lee A. Roberts <>

Resolve SCTP association hangs observed during SCTP stress
testing.  Observable symptoms include communications hangs
with data being held in the association lobby (ordering)
queue.  Close examination of reassembly/ordering queues shows
duplicated packets.

In sctp_tsnmap_mark(), correct off-by-one error when calculating
gap value for tsnmap.

In sctp_tsnmap_grow(), correct off-by-one error when copying
and resizing the tsnmap.  If max_tsn_seen is in the LSB of the
word, this bit can be lost, causing the corresponding packet
to be transmitted again and to be entered as a duplicate into
the SCTP reassembly/ordering queues.

Patch applies to linux-3.8 kernel.

Signed-off-by: Lee A. Roberts <>
 net/sctp/tsnmap.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to
More majordomo info at
David Miller - Feb. 21, 2013, 6:02 p.m.
From: "Roberts, Lee A." <>
Date: Thu, 21 Feb 2013 17:57:46 +0000

When you are given feedback on patches you submit, you should wait
some time for all the feedback to settle, then resubmit your entire
series (not just the patches that needed changes).

> Patch applies to linux-3.8 kernel.

This is not appropriate to mention in a commit message, your patches
might get ported to -stable trees and elsewhere, and such a comment
looks awkward at best in such scenerios.
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to
More majordomo info at


diff -uprN -X linux-3.8-vanilla/Documentation/dontdiff linux-3.8-vanilla/net/sctp/tsnmap.c linux-3.8-SCTP+1/net/sctp/tsnmap.c
--- linux-3.8-vanilla/net/sctp/tsnmap.c	2013-02-18 16:58:34.000000000 -0700
+++ linux-3.8-SCTP+1/net/sctp/tsnmap.c	2013-02-21 10:44:15.985075048 -0700
@@ -122,7 +122,7 @@  int sctp_tsnmap_mark(struct sctp_tsnmap
 	if (TSN_lt(tsn, map->base_tsn))
 		return 0;
-	gap = tsn - map->base_tsn;
+	gap = tsn - map->cumulative_tsn_ack_point;
 	if (gap >= map->len && !sctp_tsnmap_grow(map, gap))
 		return -ENOMEM;
@@ -369,14 +369,15 @@  static int sctp_tsnmap_grow(struct sctp_
 	if (gap >= SCTP_TSN_MAP_SIZE)
 		return 0;
-	inc = ALIGN((gap - map->len),BITS_PER_LONG) + SCTP_TSN_MAP_INCREMENT;
+	inc = ALIGN((gap - map->len), BITS_PER_LONG) + SCTP_TSN_MAP_INCREMENT;
 	len = min_t(u16, map->len + inc, SCTP_TSN_MAP_SIZE);
 	new = kzalloc(len>>3, GFP_ATOMIC);
 	if (!new)
 		return 0;
-	bitmap_copy(new, map->tsn_map, map->max_tsn_seen - map->base_tsn);
+	bitmap_copy(new, map->tsn_map,
+		map->max_tsn_seen - map->cumulative_tsn_ack_point);
 	map->tsn_map = new;
 	map->len = len;