On Wed, May 16, 2018 at 10:20:49AM +0200, Martin Pieuchot wrote:
> That means that the TDB has already been freed.  This is possible
> because the timeout sleeps on the NET_LOCK().  Diff below should prevent
> that by introducing a tdb_reaper() function like we do in other parts of
> the stack.


> @@ -841,14 +838,6 @@ tdb_free(struct tdb *tdbp)
>               ipo->ipo_last_searched = 0; /* Force a re-search. */
>       }
>  
> -     /* Remove expiration timeouts. */
> -     tdbp->tdb_flags &= ~(TDBF_FIRSTUSE | TDBF_SOFT_FIRSTUSE | TDBF_TIMER |
> -         TDBF_SOFT_TIMER);
> -     timeout_del(&tdbp->tdb_timer_tmo);
> -     timeout_del(&tdbp->tdb_first_tmo);
> -     timeout_del(&tdbp->tdb_stimer_tmo);
> -     timeout_del(&tdbp->tdb_sfirst_tmo);
> -
>       if (tdbp->tdb_ids) {
>               ipsp_ids_free(tdbp->tdb_ids);
>               tdbp->tdb_ids = NULL;
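Review bot: In tdb_free(), dropping the four timeout_del() calls and the TDBF_* flag clearing from in front of the tdb_ids teardown means ipsp_ids_free() now runs while tdb_timer_tmo, tdb_first_tmo, tdb_stimer_tmo and tdb_sfirst_tmo may still be pending, and this hunk does not show where they are cancelled instead. Since the description says the timeout handlers can sleep on NET_LOCK(), consider keeping the cancellation here, before any member of the TDB is released, and deferring only the final free to tdb_reaper(). If the cancellation has to move, a short comment at this spot naming where it now happens would make the required ordering explicit.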

Why do you move deleting the timeouts down?  Order does not matter
as everything is protected by netlock.  But the natural way would
be to cancel the timeouts before we start destroying the object.
And at the end, we activate the reaper.

anyway OK bluhm@
