On Mon, Jan 25, 2016 at 7:59 AM, Dmitry Vyukov <dvyu...@google.com> wrote:
> It seems that skb can be freed after skb_put() and spinlock unlock,
> but ircomm_param_request reads skb->len afterwards:
>
> int ircomm_param_request(struct ircomm_tty_cb *self, __u8 pi, int flush)
> {
> ...
> skb_put(skb, count);
> spin_unlock_irqrestore(&self->spinlock, flags);
> pr_debug("%s(), skb->len=%d\n", __func__ , skb->len);
>
This looks correct to me. We can either get rid of that debugging
print or move it under spinlock.
