Re: Easy mbuf_pullup Question (I hope)
- Subject: Re: Easy mbuf_pullup Question (I hope)
- From: Andrew Gallatin <email@hidden>
- Date: Wed, 7 Feb 2007 06:29:43 -0500 (EST)
Terry Lambert writes:
> to something like:
>
> x_t *
> foo(x_t **xpp)
> {
> ...
> *xpp = NULL; /* destroy caller's pointer to prevent use of freed
> memory */
> return(newxp);
> }
The mbuf_pullup KPI is already more or less like this: it always
alters the mbuf you pass in and returns an errno. I was just so
incredibly stupid that even this did not save me. My problem was that
I saved a copy of the pointer *before* I altered the pointer with
mbuf_pullup():

xmit():
    /* save mbuf for tx done irq */
    pkt_complete[tx_ring_entry].mbuf = m;
    /* make sure ip proto and ih_hlen are in first segment
       for csum offload setup */
    if (mlen < (ip_hdr_off + sizeof (struct ip))) {
        err = mbuf_pullup(&m, ip_hdr_off + sizeof (struct ip));
    }

xmit_complete():
    mbuf_freem(pkt_complete[tx_ring_entry].mbuf);

By the time the xmit_complete() ran, somebody else had allocated 'm',
and was happily using it. My mbuf_freem() freed 'm' out from under
them, and when they freed it, there was a panic.
Drew
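
Added example, not part of the original message: a user-space C model of the ordering problem described above, showing that a pointer copied before the pullup goes stale and that recording it afterwards gives exactly one free per buffer. `struct buf`, `struct slot`, `toy_pullup` and the other helpers are hypothetical stand-ins with constructed sizes, not the XNU KPI.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for an mbuf: `len` contiguous bytes in the first segment. */
struct buf { size_t len; unsigned char data[64]; };
struct slot { struct buf *saved; };          /* like pkt_complete[i].mbuf */
static int live;                             /* buffers currently allocated */
static struct buf *buf_alloc(size_t len) {
    struct buf *b = calloc(1, sizeof *b);
    if (b) { b->len = len; live++; }
    return b;
}
static void buf_free(struct buf *b) { if (b) { free(b); live--; } }

/* Toy pullup: may free *bp and replace it (NULL on failure); 0 or error code. */
static int toy_pullup(struct buf **bp, size_t need) {
    struct buf *old = *bp, *nb;
    if (old->len >= need) return 0;          /* already contiguous */
    nb = need <= sizeof old->data ? buf_alloc(need) : NULL;
    if (nb) memcpy(nb->data, old->data, old->len);
    buf_free(old);                           /* every earlier copy is now dead */
    *bp = nb;
    return nb ? 0 : 12;                      /* 12: ENOMEM-style code */
}
/* Returns 1 when a copy taken before the pullup no longer matches m. */
static int early_copy_is_stale(void) {
    struct buf *m = buf_alloc(8);
    if (!m) return -1;
    uintptr_t early = (uintptr_t)m;          /* what the early save kept */
    int stale = (toy_pullup(&m, 20) == 0 && (uintptr_t)m != early);
    buf_free(m);
    return stale;
}
/* Corrected order: pull up first, then record the pointer for completion. */
static int xmit_fixed(struct slot *s, struct buf *m, size_t need) {
    int err = toy_pullup(&m, need);
    s->saved = m;                            /* NULL if the pullup failed */
    return err;
}
static void xmit_complete(struct slot *s) { buf_free(s->saved); s->saved = NULL; }
/* Returns buffers left allocated after one tx cycle; 0 means one free each. */
static int fixed_cycle_leftover(void) {
    struct slot s = { NULL };
    struct buf *m = buf_alloc(8);
    if (m && xmit_fixed(&s, m, 20) == 0) xmit_complete(&s);
    return live;
}
int main(void) { return !(early_copy_is_stale() == 1 && fixed_cycle_leftover() == 0); }
```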