Am Samstag, 10. Juni 2017, 05:13:16 CEST schrieb Herbert Xu: Hi Herbert, > On Tue, May 23, 2017 at 04:31:59PM +0200, Stephan Müller wrote: > > static void skcipher_sock_destruct(struct sock *sk) > > { > > > > struct alg_sock *ask = alg_sk(sk); > > struct skcipher_ctx *ctx = ask->private; > > > > - struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(&ctx->req); > > + struct sock *psk = ask->parent; > > + struct alg_sock *pask = alg_sk(psk); > > + struct skcipher_tfm *skc = pask->private; > > + struct crypto_skcipher *tfm = skc->skcipher; > > > > - if (atomic_read(&ctx->inflight)) > > - skcipher_wait(sk); > > + /* Suspend caller if AIO operations are in flight. */ > > + wait_event_interruptible(skcipher_aio_finish_wait, > > + (ctx->inflight == 0)); > > This doesn't look right. If a signal comes in wouldn't you end > up freeing live memory? Right. Shouldn't we drop the ctx->inflight completely? The code in the current patch set contains: when an async operation is queued: sock_hold(sk); ctx->inflight++; upon completion of the callback: __sock_put(sk); ctx->inflight--; Thus, the socket is grabbed already. Hence, when dropping the inflight code including the wait queue entirely, I would think we are still save as we hold the socket. Ciao Stephan