> We've seen a few instances of a crash in ipoib_neigh_cleanup() due to
> the use of a stale pointer:
>
>
> 848         neigh = *to_ipoib_neigh(n);      <- read neigh (no locking)
> .....
> 858         spin_lock_irqsave(&priv->lock, flags);
> 859
> 860         if (neigh->ah)                   <--- at this point neigh may be stale
> 861                 ah = neigh->ah;
> 862         list_del(&neigh->list);
> 863         ipoib_neigh_free(n->dev, neigh);
> 864
> 865         spin_unlock_irqrestore(&priv->lock, flags);
I'd like to understand the bug first -- how is the neighbour being destroyed out from under us in ipoib_neigh_cleanup()? I would have thought the cleanup function would run when no references to the struct remain but before it's freed.

 - R.

_______________________________________________
general mailing list
[email protected]
http://lists.openfabrics.org/cgi-bin/mailman/listinfo/general
To unsubscribe, please visit http://openib.org/mailman/listinfo/openib-general
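As an added example (not code from this thread or from the ipoib driver), here is a small user-space C model of the pattern the first message quotes: the pointer is read before the lock is taken, and a path on another CPU unlinks and frees the object in that window. Every name here is invented for the illustration: `demo_lock` stands in for `spin_lock_irqsave`, `priv->slot` for `*to_ipoib_neigh(n)`, and `concurrent_detach` for whatever other path would unlink the neighbour. Instead of calling `free()` the detached neighbour is only poisoned with a `freed` flag, so the model stays defined behaviour and the stale access can be detected deterministically. Whether this is what actually happens in the driver is exactly what the reply above asks; the model only shows why the unlocked read would be enough for it.

```c
#include <stddef.h>
#include <stdlib.h>

/* Stand-in for spin_lock_irqsave(): single-threaded demo, so the lock only
 * records whether it is held and aborts on recursion (a real spinlock would
 * deadlock instead). */
struct demo_lock { int held; };

static void demo_lock(struct demo_lock *l)
{
    if (l->held)
        abort();
    l->held = 1;
}

static void demo_unlock(struct demo_lock *l)
{
    l->held = 0;
}

struct ah { int refcnt; };                  /* stand-in for struct ipoib_ah */

struct neigh {                              /* stand-in for struct ipoib_neigh */
    struct ah *ah;
    int freed;      /* poison flag used instead of free(), keeps the demo defined */
};

struct priv {                               /* stand-in for struct ipoib_dev_priv */
    struct demo_lock lock;
    struct neigh *slot;                     /* stand-in for *to_ipoib_neigh(n) */
};

/* Fresh device state with one attached neighbour (constructed test data). */
static struct priv *demo_setup(void)
{
    struct priv *priv = calloc(1, sizeof *priv);
    struct neigh *neigh = calloc(1, sizeof *neigh);
    neigh->ah = calloc(1, sizeof *neigh->ah);
    neigh->ah->refcnt = 1;
    priv->slot = neigh;
    return priv;
}

/* Plays the part of another CPU: unlinks and "frees" the neighbour under the
 * lock.  A real path would free the memory; here the object is only poisoned. */
static void concurrent_detach(struct priv *priv)
{
    demo_lock(&priv->lock);
    struct neigh *neigh = priv->slot;
    if (neigh) {
        priv->slot = NULL;
        neigh->ah = NULL;
        neigh->freed = 1;
    }
    demo_unlock(&priv->lock);
}

/* Mirrors the quoted sequence: read the pointer first, take the lock later.
 * `race`, if given, runs in the window between the two.  Returns 1 when the
 * function went on to dereference a neighbour that was already "freed". */
static int cleanup_racy(struct priv *priv, void (*race)(struct priv *))
{
    struct neigh *neigh = priv->slot;       /* read with no locking */
    int touched_freed;

    if (!neigh)
        return 0;
    if (race)
        race(priv);                         /* the window the lock does not cover */

    demo_lock(&priv->lock);
    touched_freed = neigh->freed;           /* neigh may be stale here */
    if (neigh->ah)
        neigh->ah->refcnt--;
    priv->slot = NULL;
    neigh->freed = 1;
    demo_unlock(&priv->lock);
    return touched_freed;
}

/* Same work, but the pointer is read under the lock that protects the unlink.
 * The interfering path can then only run before the lock is taken, in which
 * case the slot is simply found empty; it cannot run between read and use. */
static int cleanup_locked(struct priv *priv, void (*race)(struct priv *))
{
    struct neigh *neigh;
    int touched_freed;

    if (race)
        race(priv);

    demo_lock(&priv->lock);
    neigh = priv->slot;
    if (!neigh) {
        demo_unlock(&priv->lock);
        return 0;                           /* already cleaned up by the other path */
    }
    touched_freed = neigh->freed;
    if (neigh->ah)
        neigh->ah->refcnt--;
    priv->slot = NULL;
    neigh->freed = 1;
    demo_unlock(&priv->lock);
    return touched_freed;
}
```

Run `cleanup_racy(demo_setup(), concurrent_detach)` and it reports a stale dereference; `cleanup_locked` with the same interference reports none and leaves the slot empty. The check a reviewer would want in the real driver is the same one the model makes: is every reader of `*to_ipoib_neigh(n)` that goes on to use the pointer doing so under `priv->lock`, or holding a reference that keeps the neighbour alive across the unlocked window?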
