[SCTP]: Fix kernel panic while received ASCONF chunk with bad serial number

While recevied ASCONF chunk with serial number less then needed, kernel
will treat this chunk as a retransmitted ASCONF chunk and find cached
ASCONF-ACK chunk used sctp_assoc_lookup_asconf_ack(). But this function
will always return NO-NULL. So response with cached ASCONF-ACKs chunk
will cause kernel panic.
In function sctp_assoc_lookup_asconf_ack(), if the cached ASCONF-ACKs
list asconf_ack_list is empty, or if the serial being requested does not
exists, the function as it currectly stands returns the actuall
list_head asoc->asconf_ack_list, this is not a cache ASCONF-ACK chunk
but a bogus pointer.

Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>

net/sctp/associola.c

@@ -1525,7 +1525,7 @@ struct sctp_chunk *sctp_assoc_lookup_asconf_ack(
 					const struct sctp_association *asoc,
 					__be32 serial)
 {
-	struct sctp_chunk *ack = NULL;
+	struct sctp_chunk *ack;
 
 	/* Walk through the list of cached ASCONF-ACKs and find the
 	 * ack chunk whose serial number matches that of the request.
@@ -1533,9 +1533,9 @@ struct sctp_chunk *sctp_assoc_lookup_asconf_ack(
 	list_for_each_entry(ack, &asoc->asconf_ack_list, transmitted_list) {
 		if (ack->subh.addip_hdr->serial == serial) {
 			sctp_chunk_hold(ack);
-			break;
+			return ack;
 		}
 	}
 
-	return ack;
+	return NULL;
 }