I'm not very familiar with kernel controls but I have a feeling that
the kernel panics are coming from how I'm using them, mainly because
I simply do not know very much about how they work (there's not much
documentation on them). The panic itself seems to occur when data is
sent out (ctl_enqueue'd), although I have no way of being certain.
It seems to have something to do with memory allocation. One other
thing is that at the end of my ctl_sendfunc (called when the client
sends data to the kext), I always call mbuf_freem() on the mbut_t
structure passed in, I saw this done in some Brian's Peer-Guardian
source, however I don't know anything about its proper usage.
Short answer: don't free the buffer.
Long answer: If you really need to free mbufs, you probably should be
using freem_list so that it will clean up an mbuf chain, but failing to
do so would just cause a slight leak, not a panic. However, in this case,
you are actually causing a double free.
The calling code does appear to release the mbuf, though I had to trace my
way back a half dozen functions to find where it does. If you look at the
file "kern/uipc_socket.c" in the xnu sources, you'll see what's going on.
At about line 1401 (depending on what version you're looking at), when it
dereferences the function pointer:
*so->so_proto->pr_usrreqs->pru_send
I'll add something to the docs the next time it gets updated.