Hi Holger, On Wed, Jul 31, 2013 at 10:16:49PM +0200, Holger Hans Peter Freyther wrote:
> Maybe you want to try to fix the issue based on this setup? I _think_ the following (untested) patch should do the trick. >From 495d53fe3feda42635f3caa25bc8784164d9d2d4 Mon Sep 17 00:00:00 2001 From: Harald Welte <[email protected]> Date: Thu, 1 Aug 2013 20:45:46 +0800 Subject: [PATCH] SNDCP: don't msgb_free() if gprs_llc_tx_ui() fails. the gprs_llc_tx_ui() will call down to BSSGP/NS, which in turn will call msgb_free() themselves in their error path, so the msgb is already freed at that time. As discussed on the mailing list quite some time ago, msgb ownership policy/rules and implementation need to be more clearly defined, and this definition adopted in the implementation. Thanks to Holger for reproducing this. --- openbsc/src/gprs/gprs_sndcp.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/openbsc/src/gprs/gprs_sndcp.c b/openbsc/src/gprs/gprs_sndcp.c index 853f8db..6564ffb 100644 --- a/openbsc/src/gprs/gprs_sndcp.c +++ b/openbsc/src/gprs/gprs_sndcp.c @@ -420,7 +420,8 @@ static int sndcp_send_ud_frag(struct sndcp_frag_state *fs) rc = gprs_llc_tx_ui(fmsg, lle->sapi, 0, fs->mmcontext); if (rc < 0) { /* abort in case of error, do not advance frag_nr / next_byte */ - msgb_free(fmsg); + /* do not msgb_free() here, as the lower layer is doing + * that if an actual transmission error occurs */ return rc; } -- 1.8.3.2 -- - Harald Welte <[email protected]> http://laforge.gnumonks.org/ ============================================================================ "Privacy in residential applications is a desirable marketing option." (ETSI EN 300 175-7 Ch. A6)
