On Wed, Oct 28, 2015 at 09:44:27AM -0400, kaike.wan@xxxxxxxxx wrote:

> ret = ib_nl_send_msg(query);
> + spin_lock_irqsave(&ib_nl_request_lock, flags);

Looks like query could be kfree'd before ib_nl_send_msg returns, e.g. by send_handler?

> if (ret <= 0) {
> ret = -EIO;
> - goto request_out;
> + /* Remove the request */
> + list_del(&query->list);

This one is probably OK iff nl_send_msg cannot call send_handler if it returns error, which looks true.

> } else {
> ret = 0;
> + /* Start the timeout if this is the only request */
> + if (ib_nl_request_list.next == &query->list)

This one looks sketchy. Maybe move this to the first locking block? An extra timer on send error is not important enough to worry about..

Jason
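Review bot: the added spin_lock_irqsave(&ib_nl_request_lock, flags) is taken only after ib_nl_send_msg(query) has returned, yet both branches that follow still use query: list_del(&query->list) on the error path and the ib_nl_request_list.next == &query->list test on the success path. Nothing in the quoted lines shows what keeps query valid across that unlocked window, so either do the list and timer bookkeeping under the lock before the send, or add a comment at the lock site stating which reference or ordering guarantee makes the later accesses safe. Separately, the new comment says "if this is the only request" while the condition checks that query is the first entry of ib_nl_request_list; if other requests can be queued behind it in the meantime, the comment should say "first" or the test should match the comment.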