On Sunday 29 May 2016 22:33:39 Sven Eckelmann wrote:
The tt_req_node is added and removed from a list inside a spinlock. But the locking is sometimes removed even when the object is still referenced and will be used later via this reference. For example batadv_send_tt_request can create a new tt_req_node (including add to a list) and later re-acquires the lock to remove it from the list and to free it. But at this time another context could have already removed this tt_req_node from the list and freed it.
This can only be solved via reference counting to allow multiple contexts to handle the list manipulation while making sure that only the last context frees the list.
Marek, please replace the "frees the list" with "frees the object". I can also resend the patch if you want to.
I will not resend it today because maybe Antonio or someone else still has some problems with the current version.
Kind regards, Sven
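The interleaving described in the commit message, and the reference-counted fix it proposes, as an added example (a user-space C model, not batman-adv code). tt_req_node, tt_req_list, the refcount field, the lock helpers and the sample address are simplified stand-ins for the kernel structures, and the plain atomic counter stands in for whatever reference-counting primitive the real patch uses; the scenario is run single-threaded in the order the two contexts would race, so the outcome is deterministic.

```c
/* Added example, not batman-adv code: model of the tt_req_node lifetime
 * race and its reference-counted fix. All names are simplified stand-ins. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

struct tt_req_node {
	struct tt_req_node *next;   /* list linkage */
	atomic_int refcount;        /* one reference per holder (list entry, local pointer) */
	unsigned char addr[6];
};

struct tt_req_list {
	struct tt_req_node *head;
	bool locked;                /* stands in for the spinlock */
};

static int frees;               /* how many nodes were actually freed */

static void lock(struct tt_req_list *l)   { l->locked = true; }
static void unlock(struct tt_req_list *l) { l->locked = false; }

/* Drop one reference; the last holder frees. Atomic, so it does not need
 * the list lock: a context may put its reference long after unlocking. */
static void tt_req_node_put(struct tt_req_node *n)
{
	if (atomic_fetch_sub(&n->refcount, 1) == 1) {
		frees++;
		free(n);
	}
}

/* Caller holds the list lock. Creates and lists a node for addr and returns
 * it with an extra reference for the caller, or NULL if already listed. */
static struct tt_req_node *tt_req_node_new(struct tt_req_list *l,
					   const unsigned char *addr)
{
	struct tt_req_node *n;

	for (n = l->head; n; n = n->next)
		if (!memcmp(n->addr, addr, sizeof(n->addr)))
			return NULL;
	n = calloc(1, sizeof(*n));
	if (!n)
		return NULL;
	memcpy(n->addr, addr, sizeof(n->addr));
	atomic_init(&n->refcount, 2);   /* one for the list, one for the caller */
	n->next = l->head;
	l->head = n;
	return n;
}

/* Caller holds the list lock. Unlinks n if it is still listed and drops the
 * list's reference. A second caller simply finds nothing to remove. */
static bool tt_req_list_remove(struct tt_req_list *l, struct tt_req_node *n)
{
	struct tt_req_node **pp;

	for (pp = &l->head; *pp; pp = &(*pp)->next) {
		if (*pp == n) {
			*pp = n->next;
			tt_req_node_put(n);
			return true;
		}
	}
	return false;
}

/* Runs the race from the commit message: context A (the send_tt_request
 * path) creates the node and drops the lock, context B removes and puts it,
 * then A comes back to the node through its own pointer. Returns 1 when the
 * node stayed valid for A and was freed exactly once, -1 otherwise. */
static int run_race(void)
{
	struct tt_req_list list = { 0 };
	unsigned char addr[6] = { 0x02, 0x00, 0x00, 0x00, 0x00, 0x01 }; /* constructed */
	struct tt_req_node *node;
	bool a_removed, b_removed, still_valid;

	frees = 0;

	lock(&list);                                    /* context A */
	node = tt_req_node_new(&list, addr);
	unlock(&list);
	if (!node)
		return -1;

	lock(&list);                                    /* context B races in */
	b_removed = tt_req_list_remove(&list, node);   /* refcount 2 -> 1 */
	unlock(&list);

	/* Context A continues. Without its own reference this access would be
	 * a use-after-free; with it, the node is still alive. */
	still_valid = node->addr[5] == addr[5];
	lock(&list);
	a_removed = tt_req_list_remove(&list, node);   /* nothing left to unlink */
	unlock(&list);
	tt_req_node_put(node);                          /* refcount 1 -> 0: freed here */

	return (b_removed && !a_removed && still_valid && frees == 1) ? 1 : -1;
}
```

The point of the model is the ownership rule: the list holds one reference and every context that keeps a pointer across an unlock holds another, so whichever context drops the last one frees the object, and a context that re-acquires the lock to remove the node can no longer double-unlink or double-free it.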