On 28/12/2021 10:03, Dust Li wrote:
> A crash occurs when smc_cdc_tx_handler() tries to access smc_sock
> but smc_release() has already freed it.

I am not sure about what happened here. Your patch removes the whole dismisser concept that was introduced to solve exactly the problem you describe. And you implemented a different approach.

In theory, when smc_cdc_tx_handler() is called but the connection is already freed, then the connection should have gone through smc_cdc_tx_dismiss_slots(), called by smc_conn_kill() or smc_conn_free(). If that happened there would be no access to an already freed address in smc_cdc_tx_handler().

Can you explain why the code reached smc_cdc_tx_handler() with cdcpend->conn pointing to a connection that is already freed?

I think if there is a bug it should be fixed instead of replacing the code by a new construct.

Thoughts?
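As an added illustration that is not part of the thread, the patch under review, or the kernel's code: a constructed C model of the invariant the reply relies on. The names tx_dismiss_slots() and tx_handler() are hypothetical stand-ins for smc_cdc_tx_dismiss_slots() and smc_cdc_tx_handler(), and a `freed` flag stands in for the actual free so the model can report a reach into a freed connection instead of crashing.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed stand-ins for the kernel's structures, not the real ones. */
struct conn_model { bool freed; };              /* flag instead of free() so the model can detect the bug */
struct pend_model { struct conn_model *conn; }; /* NULL once the dismisser has detached it */

#define NR_SLOTS 4
static struct pend_model slots[NR_SLOTS];

/* Dismisser: detach every pending slot from conn before conn goes away. */
static void tx_dismiss_slots(struct conn_model *conn)
{
	for (int i = 0; i < NR_SLOTS; i++)
		if (slots[i].conn == conn)
			slots[i].conn = NULL;
}

/* Completion handler: 1 = live conn handled, 0 = dismissed slot skipped,
 * -1 = it would have dereferenced a freed conn (the crash from the thread). */
static int tx_handler(int slot)
{
	struct conn_model *conn = slots[slot].conn;

	if (!conn)
		return 0;
	if (conn->freed)
		return -1;
	slots[slot].conn = NULL;
	return 1;
}

/* Queue one send on conn, tear conn down with or without the dismisser,
 * then run the completion handler and report what it saw. */
static int teardown_then_complete(bool dismiss)
{
	struct conn_model c = { .freed = false };

	memset(slots, 0, sizeof(slots));
	slots[0].conn = &c;		/* pending send referencing c */
	if (dismiss)
		tx_dismiss_slots(&c);	/* what smc_conn_kill()/smc_conn_free() must ensure */
	c.freed = true;			/* stands in for the connection being freed */
	return tx_handler(0);
}
```

With the dismisser the handler finds a detached slot and skips it; without it, the handler reaches a freed connection, which is the failure mode the thread discusses.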