Mailing Lists: Apple Mailing Lists
Image of Mac OS face in stamp
 
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

kernel panic after calling freePacket()

I get the following kernel panic when calling free() on my IOKit ethernet driver.

panic(cpu 1): freeing free mbuf
backtrace:
0x00080e18 0x000811b8 0x00027928 0x0019d3f8 0x169a3d70 0x19a2a738 0x19a26fb0 0x001fe350
0x001fe388 0x00203674 0x002034e4 0x001fe350 0x001fe388 0x001b93b0 0x001cc6c8 0x001cc9a8
0x001cca60 0x001e613c 0x0007b288 0x00029a68 0x000246d0 0x0008e7b8 0x2415a000

exception state (sv = 0x16ebf000)
PC=0x70000978 MSR=0x0200f030 DAR=0x000e4550 DSISR=0x40000000 LR=0x70005b34 RI=0xbffff680
XCP=0x00000030 (0xc00 system call)

This is on OS X 10.1.3 (Darwin 5.3).

The following code snippets are involved:

bool com_chuck_iokit_tulip::_initRxRing()
{
struct mbuf* m;
struct IOPhysicalSegment vector;
int segments, i, lastI = 0;

_freeRxRing();

// now allocate new mbufs and setup the descriptors
for ( i = 0; i < TULIP_RX_RING_LENGTH; i++)
{
rx_mbuf_ring[ i] = m = allocatePacket( kIOEthernetMaxPacketSize);
if ( !m) {
IOLog("rx_mbuf_ring allocatePacket failed on %d.\n", i); IOSleep(2000);
return false;
}// could not allocate mbuf
// snip unrelated code
}

return true;
}

bool com_chuck_iokit_tulip::_freeRxRing()
{
// release any mbufs held by the ring
for ( int i = 0; i < TULIP_RX_RING_LENGTH; i++)
{
if ( rx_mbuf_ring[ i] != NULL)
{
IOLog("begin rx_mbuf_ring freePacket %d at 0x%08x\n", i, (UInt32)rx_mbuf_ring[ i]);
IOSleep(2000);
freePacket( rx_mbuf_ring[ i]);
IOLog("end rx_mbuf_ring freePacket %d\n", i); IOSleep(2000);
rx_mbuf_ring[ i] = NULL;
rx_desc_ring[ i].buffer1 = rx_desc_ring[ i].buffer2 = rx_desc_ring[ i].status =
rx_desc_ring[ i].control = 0;
}
}
return true;
}

void com_chuck_iokit_tulip::free(void)
{
APRINT("free");
if ( mediaCapability) mediaCapability->release();
if ( eeprom) eeprom->release();
if ( netif) netif->release();
if ( timerSrc) timerSrc->release();
if ( interruptSrc) interruptSrc->release();
if ( transmitQueue) transmitQueue->release();
if ( rxMbufCursor) rxMbufCursor->release();
if ( txMbufCursor) txMbufCursor->release();
_freeRxRing(); // KERNEL PANIC IN THIS METHOD
_freeTxRing();

if ( csrMap) csrMap->release();
if ( pciNub) { pciNub->close(this); pciNub->release(); }
if ( myWorkLoop) myWorkLoop->release();
super::free();
ZPRINT("free");
}

The method _freeRxRing() is called during the start() routine and works okay. It used to panic the same way until I added a loop in init() to set each rx_mbuf_ring[] array element to NULL. Now it panics during free(). Each rx_mbuf_ring[] element should have an mbuf associated with it. The system.log has this in it:

Mar 31 21:20:22 12-247-44-84 mach_kernel: Enter free
Mar 31 21:20:24 12-247-44-84 mach_kernel: Enter _freeRxRing
Mar 31 21:20:26 12-247-44-84 mach_kernel: begin rx_mbuf_ring freePacket 0 at 0x15782400
Mar 31 21:28:19 12-247-44-84 syslogd: restart

It panics after calling freePacket() on rx_mbuf_ring[ 1]. The log is missing the last two entries which show that it loops around a second time.

Help? I don't have the luxury of a second Mac to attach a kernel debugger.
..

cr
_______________________________________________
darwin-development mailing list | email@hidden
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/darwin-development
Do not post admin requests to the list. They will be ignored.


Visit the Apple Store online or at retail locations.
1-800-MY-APPLE

Contact Apple | Terms of Use | Privacy Policy

Copyright © 2007 Apple Inc. All rights reserved.