Suggestions for debugging skb use-after-free in tcp stack?
From: Ben Greear <hidden>
Date: 2026-02-20 17:22:29
Hello,

I'm still trying to track down a use-after-free in the tcp stack. It is difficult to reproduce, and I've only seen it when using the Intel iwlwifi driver, and only reliably reproducing now against one certain AP.

From debugging efforts, it appears that a freed skb is accessed when tcp is walking the rbtree retransmit skb collection.

After taking a closer look at skbuff.h, I notice that rbnode is in a union, so that it would be easy to corrupt that if the skb was also placed into some other list. I did not see any existing option to reliably catch a case where an skb was inserted into the rbtree twice, or if it was inserted into the rbtree while also being in a list.

Any suggestions for debugging this problem?

Thanks,
Ben

--
Ben Greear [off-list ref]
Candela Technologies Inc
http://www.candelatech.com
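The hazard the post describes (rbnode sharing storage with the list pointers) and the kind of check it is asking for can be modelled outside the kernel. The example below is added here and is not code from the post, from Ben, or from the Linux tree. It assumes a hypothetical debug-only `owner` field kept outside the union that records which container currently holds the node, and a plain binary search tree standing in for the rbtree; the node keys and the scenario are constructed for the demonstration. A kernel version would add such a field to `struct sk_buff` under a debug config and `WARN_ON` in the insert/unlink helpers, but the field cannot live inside the union, since that storage is exactly what gets overwritten.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed user-space model, not kernel code. The union mirrors the layout
 * the post describes: tree linkage shares storage with next/prev, so a node
 * that is on a list and in the tree at the same time aliases pointers silently.
 * 'owner' is an ASSUMED debug field outside the union, not part of sk_buff. */
enum owner { OWN_NONE = 0, OWN_LIST, OWN_RBTREE };

struct node {
    union {
        struct { struct node *next, *prev; } list;  /* skb->next / skb->prev */
        struct { struct node *left, *right; } rb;   /* stand-in for skb->rbnode */
    } u;
    unsigned int key;  /* stand-in for TCP_SKB_CB(skb)->seq */
    enum owner owner;  /* hypothetical debug tag */
};

struct list { struct node *head; };
struct tree { struct node *root; };  /* plain BST standing in for the rbtree */

/* Unchecked list push: what happens today when a linked node is reused. */
static void raw_list_push(struct list *l, struct node *n)
{
    n->u.list.next = l->head;
    n->u.list.prev = NULL;
    if (l->head)
        l->head->u.list.prev = n;
    l->head = n;
}

/* Checked wrappers: refuse (return -1) instead of corrupting the structure. */
int dbg_list_push(struct list *l, struct node *n)
{
    if (n->owner != OWN_NONE)
        return -1;  /* already on a list or in the tree */
    raw_list_push(l, n);
    n->owner = OWN_LIST;
    return 0;
}

int dbg_list_del(struct list *l, struct node *n)
{
    if (n->owner != OWN_LIST)
        return -1;  /* unlinking something that is not on a list */
    if (n->u.list.prev)
        n->u.list.prev->u.list.next = n->u.list.next;
    else
        l->head = n->u.list.next;
    if (n->u.list.next)
        n->u.list.next->u.list.prev = n->u.list.prev;
    n->u.list.next = n->u.list.prev = NULL;
    n->owner = OWN_NONE;
    return 0;
}

int dbg_tree_insert(struct tree *t, struct node *n)
{
    struct node **p = &t->root;

    if (n->owner != OWN_NONE)
        return -1;  /* double insert, or still on a list */
    n->u.rb.left = n->u.rb.right = NULL;
    while (*p)
        p = (n->key < (*p)->key) ? &(*p)->u.rb.left : &(*p)->u.rb.right;
    *p = n;
    n->owner = OWN_RBTREE;
    return 0;
}

/* Walk as a retransmit loop would: 1 if every reachable node is tree-owned,
 * 0 if the walk followed a pointer that is really a list link. */
int tree_walk_ok(const struct node *n)
{
    if (!n)
        return 1;
    if (n->owner != OWN_RBTREE)
        return 0;
    return tree_walk_ok(n->u.rb.left) && tree_walk_ok(n->u.rb.right);
}

/* Tree root 20 (children 10, 30) is pushed onto a list that already holds 99.
 * Unchecked: root->left now aliases root->next (node 99) and node 30 is
 * unreachable, so the walk steps onto a list-owned node and returns 0.
 * Checked: the push is rejected and the walk still returns 1. */
int scenario(int checked)
{
    struct node n10 = { .key = 10 }, n20 = { .key = 20 };
    struct node n30 = { .key = 30 }, n99 = { .key = 99 };
    struct tree t = { 0 };
    struct list l = { 0 };

    dbg_tree_insert(&t, &n20);
    dbg_tree_insert(&t, &n10);
    dbg_tree_insert(&t, &n30);
    dbg_list_push(&l, &n99);
    if (checked)
        dbg_list_push(&l, &n20);   /* returns -1, tree untouched */
    else
        raw_list_push(&l, &n20);   /* the suspected misuse */
    return tree_walk_ok(t.root);
}

/* Legal life cycle, list -> unlink -> tree, passes every check. */
int scenario_legal(void)
{
    struct node n = { .key = 5 };
    struct tree t = { 0 };
    struct list l = { 0 };

    return dbg_list_push(&l, &n) == 0 && dbg_list_del(&l, &n) == 0 &&
           dbg_tree_insert(&t, &n) == 0 && tree_walk_ok(t.root);
}

int main(void)
{
    printf("unchecked=%d checked=%d legal=%d\n",
           scenario(0), scenario(1), scenario_legal());
    return 0;
}
```

The point of the tag is that the corruption in the unchecked path is silent: nothing faults at the moment of the second insert, and the damage only surfaces later when the tree walk dereferences what is really a list pointer, which matches the "freed skb accessed during the rbtree walk" symptom. Catching it requires state that the union cannot overwrite, checked at the transition rather than at the walk.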