On Thu, 7 Mar 2019 01:53:44 -0800 Ira Weiny <ira.weiny@xxxxxxxxx> wrote:

> Doesn't aliasguid_query_handler() get called from send_handler()?
> Which means that this kfree() will delete the query before
> send_handler is done with it?

Thanks for catching this, Ira! My bad.

It is worse than you indicate above, unfortunately.

The query-response mad protocol requires that the (response) receive callback
be invoked before the (query) send callback. See function ib_mad_complete_recv()
in file core/mad.c.

This means that aliasguid_query_handler has already been invoked by
recv_handler -- and the query context already has been deleted.

Thus, since query has been deleted, in function send_handler() in file
sa_query.c we need to avoid the initial "if" with success:

    if (query->callback)          <== CANNOT DO THIS WITH SUCCESS STATUS
        switch (mad_send_wc->status) {
        case IB_WC_SUCCESS:
            /* No callback -- already got recv */
            break;

Jason has some suggestions which I am looking at.

-Jack
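The ordering problem Jack describes (receive completion runs first, invokes the user callback and frees the query context; the send completion for the same query arrives afterwards with a success status and must therefore not dereference the context) can be modelled outside the kernel. The block below is an added illustration, not code from this thread or from the RDMA subsystem: `sa_query`, `recv_handler`, `send_handler`, `free_query` and the `wc_status` values are simplified placeholders standing in for the kernel structures, and the counters are constructed instrumentation. It shows the send-side branching the mail proposes, where the status is checked before the context pointer is touched, so the success path never reads freed memory and the error path (no response will ever arrive) still delivers exactly one callback and one free.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of the completion ordering discussed in the thread.
 * Names and fields are placeholders, not the kernel's definitions. */
enum wc_status { WC_SUCCESS = 0, WC_WR_FLUSH_ERR = 5 };

struct sa_query {
    void (*callback)(struct sa_query *q, int status);
};

static int frees;      /* constructed counter: how often free_query() ran */
static int callbacks;  /* constructed counter: how often the user callback ran */

static void free_query(struct sa_query *q)
{
    frees++;
    free(q);
}

/* Receive side: the response arrived. Per the mail, this runs BEFORE the
 * send completion, invokes the user callback and frees the query context. */
static void recv_handler(struct sa_query *q)
{
    if (q->callback)
        q->callback(q, WC_SUCCESS);
    free_query(q);
}

/* Send side, structured as the mail proposes: branch on the completion
 * status first. On success the receive path has already run, so q is a
 * dangling pointer and must not be dereferenced. Only on an error, where no
 * response will ever arrive, does the send completion still own the context. */
static void send_handler(struct sa_query *q, enum wc_status status)
{
    switch (status) {
    case WC_SUCCESS:
        /* No callback -- already got recv; q was freed there. */
        break;
    default:
        if (q->callback)
            q->callback(q, status);
        free_query(q);
        break;
    }
}

static void user_cb(struct sa_query *q, int status)
{
    (void)q;
    (void)status;
    callbacks++;
}

static struct sa_query *new_query(void)
{
    struct sa_query *q = calloc(1, sizeof(*q));
    if (!q)
        abort();
    q->callback = user_cb;
    return q;
}

int callback_calls(void)
{
    return callbacks;
}

/* Scenario 1: response received, then the send completion reports success.
 * Returns the number of frees; the context must be released exactly once. */
int run_success_path(void)
{
    frees = 0;
    callbacks = 0;
    struct sa_query *q = new_query();
    recv_handler(q);              /* callback fires, context freed */
    send_handler(q, WC_SUCCESS);  /* must not touch q */
    return frees;
}

/* Scenario 2: the send failed, so no response will ever be received.
 * Returns the number of frees; the send completion must release the context. */
int run_error_path(void)
{
    frees = 0;
    callbacks = 0;
    struct sa_query *q = new_query();
    send_handler(q, WC_WR_FLUSH_ERR);  /* callback fires here, context freed */
    return frees;
}

int main(void)
{
    printf("success path: frees=%d callbacks=%d\n", run_success_path(), callback_calls());
    printf("error path:   frees=%d callbacks=%d\n", run_error_path(), callback_calls());
    return 0;
}
```

Running it under AddressSanitizer is a useful check: moving the `if (q->callback)` test above the `switch`, as the mail warns against, makes the success scenario read the freed context and the sanitizer reports the use-after-free immediately, whereas the status-first ordering keeps both scenarios at one callback and one free.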