
Re: [PATCH] brcmfmac: fix use-after-free bug

I am resending this message as apparently it wasn't delivered to some
people as it was an HTML message. I apologize for the double email,
but I forgot to tell Gmail to use plain text only.

Arend,

> A commit message would have been nice...

> If there would be a commit message with some error report that proves there is a use-after-free

I apologize for not including a longer commit message. I thought that
my stack trace in my first email would be sufficient, but looking back
I see how I should have clarified what was going wrong. What occurs is
that line 360 of core.c

> ret = brcmf_proto_tx_queue_data(drvr, ifp->ifidx, skb);

may be entirely completed (as in not only scheduled, but also the
entire transaction may have completed) by the time that `skb->len` is
invoked, which means that skb will have been freed by the corresponding
later function (in this case brcmu_pkt_buf_free_skb, if you see the
trace from my first email).

> We only get here when ret is zero.

Therefore this error only occurs when ret is zero, but skb may have
been freed after line 360 and before that line (369), if how the
kernel schedules tasks is very unfavorable.

> ndev->stats.tx_bytes += skb->len;

Please let me know if you need any further information.

Sorry,
Alexander Coffin
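The ordering problem described in the mail above, as an added C illustration that is neither the driver's code nor the submitted patch: a mock transport that consumes the buffer before returning 0, the read-after-handoff the mail points at, and the conventional fix of capturing `skb->len` before the handoff. All type and function names here are stand-ins, not brcmfmac symbols; the mock poisons the struct instead of freeing it so the stale read stays deterministic.

```c
#include <stdlib.h>

/* Minimal stand-in for the kernel's sk_buff: only the field the bug reads. */
struct sk_buff { unsigned int len; unsigned char *data; };

/* Stand-in for brcmu_pkt_buf_free_skb(). The struct is poisoned rather than
 * free()d so the stale read below is deterministic and well-defined here. */
static void mock_pkt_buf_free_skb(struct sk_buff *skb)
{
    free(skb->data);
    skb->data = NULL;
    skb->len = 0xdeadbeef; /* a real free leaves whatever the allocator wrote */
}

/* Stand-in for brcmf_proto_tx_queue_data() under the unfavourable schedule the
 * mail describes: the transaction completes and the skb is consumed before the
 * call returns, yet ret is still 0. */
static int mock_tx_queue_data(struct sk_buff *skb)
{
    mock_pkt_buf_free_skb(skb);
    return 0;
}

struct sk_buff *make_skb(unsigned int len)
{
    struct sk_buff *skb = malloc(sizeof(*skb));
    skb->data = malloc(len);
    skb->len = len;
    return skb;
}

/* The ordering from core.c as the mail describes it: skb->len is read after
 * ownership of skb has already passed to the transport. Returns new tx_bytes. */
unsigned long tx_buggy(unsigned long tx_bytes, struct sk_buff *skb)
{
    int ret = mock_tx_queue_data(skb);
    if (ret == 0)
        tx_bytes += skb->len; /* use-after-free in the real driver */
    return tx_bytes;
}

/* Hardened ordering: copy what is needed from skb before handing it off. */
unsigned long tx_fixed(unsigned long tx_bytes, struct sk_buff *skb)
{
    unsigned int len = skb->len; /* captured while skb is still ours */
    int ret = mock_tx_queue_data(skb);
    if (ret == 0)
        tx_bytes += len;
    return tx_bytes;
}
```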
