sctp: fix panic when T4-rto timer expire on removed transport

If T4-rto timer is expired on a removed transport, kernel panic
will occur when we do failure management on that transport.
You can reproduce this use the following sequence:

Endpoint A                           Endpoint B
(ESTABLISHED)                        (ESTABLISHED)

            <-----------------      ASCONF
                                    (SRC=X)
ASCONF        ----------------->
(Delete IP Address = X)
            <-----------------      ASCONF-ACK
                                    (Success Indication)
            <-----------------      ASCONF
                                    (T4-rto timer expire)

This patch fixed the problem.
Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>

net/sctp/associola.c

@@ -575,6 +575,13 @@ void sctp_assoc_rm_peer(struct sctp_association *asoc,
 	if (asoc->shutdown_last_sent_to == peer)
 		asoc->shutdown_last_sent_to = NULL;
 
+	/* If we remove the transport an ASCONF was last sent to, set it to
+	 * NULL.
+	 */
+	if (asoc->addip_last_asconf &&
+	    asoc->addip_last_asconf->transport == peer)
+		asoc->addip_last_asconf->transport = NULL;
+
 	asoc->peer.transport_count--;
 
 	sctp_transport_free(peer);

net/sctp/sm_statefuns.c

@@ -5475,7 +5475,9 @@ sctp_disposition_t sctp_sf_t4_timer_expire(
 	 * detection on the appropriate destination address as defined in
 	 * RFC2960 [5] section 8.1 and 8.2.
 	 */
-	sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE, SCTP_TRANSPORT(transport));
+	if (transport)
+		sctp_add_cmd_sf(commands, SCTP_CMD_STRIKE,
+				SCTP_TRANSPORT(transport));
 
 	/* Reconfig T4 timer and transport. */
 	sctp_add_cmd_sf(commands, SCTP_CMD_SETUP_T4, SCTP_CHUNK(chunk));