From: Ursula Braun <ubraun@xxxxxxxxxxxxx>
Date: Tue, 23 Oct 2018 15:48:05 +0200

> @@ -315,6 +314,8 @@ static void smc_buf_unuse(struct smc_connection *conn)
> /* remove a finished connection from its link group */
> void smc_conn_free(struct smc_connection *conn)
> {
> + struct smc_link_group *lgr;
> +
> if (!conn->lgr)
> return;
> if (conn->lgr->is_smcd) {
> @@ -323,8 +324,9 @@ void smc_conn_free(struct smc_connection *conn)
> } else {
> smc_cdc_tx_dismiss_slots(conn);
> }
> + lgr = conn->lgr; /* smc_lgr_unregister_conn() unsets lgr */
> smc_lgr_unregister_conn(conn);
> - smc_buf_unuse(conn);
> + smc_buf_unuse(conn, lgr);
> }

This doesn't make any sense.

smc_lgr_unregister_conn() can free the memory and release the object, albeit sometimes asynchronously via a workqueue.

It is not safe, therefore, to reference the lgr object after that function call.

I'm not applying this, sorry.
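Review bot: in the second hunk, `lgr = conn->lgr` is cached before `smc_lgr_unregister_conn(conn)` and then handed to `smc_buf_unuse(conn, lgr)`, but nothing in the hunk takes a reference on the link group or holds a lock across that window, so if unregistering drops the connection's last hold on the group, the pointer passed to smc_buf_unuse() can point at freed or about-to-be-freed memory. Either call smc_buf_unuse() before smc_lgr_unregister_conn(), while conn->lgr is still valid, or take a reference on the group before unregistering and drop it after smc_buf_unuse() returns. The comment `/* smc_lgr_unregister_conn() unsets lgr */` explains why the copy is needed but not why the object is still alive afterwards, which is the property that needs documenting.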
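The lifetime hazard in the reply, modelled as an added example that is not the SMC code or any kernel code: `unregister_conn()` stands in for smc_lgr_unregister_conn(), `struct lgr` for the link group, and a pending-free list flushed by `run_pending_work()` for the workqueue that sometimes does the actual free. All names, the refcount scheme and the live-object registry are hypothetical; the registry exists only so the example can report whether a pointer is still valid without dereferencing freed memory. `conn_free_cached_ptr()` is the pattern from the patch (cache the raw pointer, unregister, use it); `conn_free_with_ref()` holds its own reference across the call that may drop the last one.

```c
/* Added example, not from the SMC patch or the kernel: toy model of using a
 * cached link-group pointer after the call that may free the group. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_LIVE 8

struct lgr {
    int refcnt;              /* owners holding a pointer to this group */
    int id;
    struct lgr *next_free;   /* link on the deferred-free list */
};

struct conn {
    struct lgr *lgr;         /* the connection's own reference, or NULL */
};

/* Registry of live objects so the example can check a pointer without
 * dereferencing freed memory; a real kernel would have UB (or KASAN) here. */
static struct lgr *live[MAX_LIVE];
static struct lgr *pending_free;   /* stand-in for a deferred-free workqueue */

static bool lgr_is_live(const struct lgr *l)
{
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == l)
            return true;
    return false;
}

static struct lgr *lgr_alloc(int id)
{
    struct lgr *l = calloc(1, sizeof(*l));
    if (!l)
        abort();
    l->refcnt = 1;
    l->id = id;
    for (int i = 0; i < MAX_LIVE; i++)
        if (!live[i]) {
            live[i] = l;
            return l;
        }
    abort();
}

/* The "work item": unregister from the live set and free for real. */
static void lgr_free_work(struct lgr *l)
{
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == l)
            live[i] = NULL;
    free(l);
}

/* Flush the deferred-free list, as a workqueue worker would. */
static void run_pending_work(void)
{
    while (pending_free) {
        struct lgr *l = pending_free;
        pending_free = l->next_free;
        lgr_free_work(l);
    }
}

static void lgr_get(struct lgr *l) { l->refcnt++; }

/* The last put does not free inline; it queues the free, mirroring the
 * "sometimes asynchronously via a workqueue" behaviour in the reply. */
static void lgr_put(struct lgr *l)
{
    if (--l->refcnt == 0) {
        l->next_free = pending_free;
        pending_free = l;
    }
}

/* Drops the connection's reference and clears conn->lgr. */
static void unregister_conn(struct conn *c)
{
    struct lgr *l = c->lgr;
    c->lgr = NULL;
    lgr_put(l);
}

/* Pattern from the patch: cache the raw pointer, unregister, then use it. */
static bool conn_free_cached_ptr(struct conn *c)
{
    struct lgr *l = c->lgr;
    unregister_conn(c);
    run_pending_work();        /* the worker may run here on another CPU */
    return lgr_is_live(l);     /* false: touching l now would be a UAF */
}

/* Safe variant: hold an own reference across the call that may drop the last one. */
static bool conn_free_with_ref(struct conn *c)
{
    struct lgr *l = c->lgr;
    lgr_get(l);
    unregister_conn(c);
    run_pending_work();
    bool ok = lgr_is_live(l);  /* true: our reference keeps it alive */
    lgr_put(l);
    run_pending_work();        /* now the group really is freed */
    return ok;
}

/* Run one scenario on a fresh connection/group pair. */
static bool scenario(bool hold_ref)
{
    struct conn c = { .lgr = lgr_alloc(hold_ref ? 2 : 1) };
    return hold_ref ? conn_free_with_ref(&c) : conn_free_cached_ptr(&c);
}

int main(void)
{
    printf("cached pointer still valid after unregister: %s\n",
           scenario(false) ? "yes" : "no");
    printf("pointer valid while holding own reference:   %s\n",
           scenario(true) ? "yes" : "no");
    return 0;
}
```

The point of the model is that the free being deferred does not make the cached pointer safe; it only makes the use-after-free depend on scheduling, which is why the hazard in the hunk is not visible from a single test run. Holding a reference (or a lock that pins the group's lifetime) across both calls is the fix; reordering the two calls so the buffers are released before the connection is unregistered is the alternative.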