Re: mbuf_dup/mbuf_freem with mbufs containing aux data
- Subject: Re: mbuf_dup/mbuf_freem with mbufs containing aux data
- From: Adi Masputra <email@hidden>
- Date: Mon, 29 Jan 2007 18:49:16 -0800
Bhavesh,

On Jan 29, 2007, at 5:45 PM, Bhavesh Davda wrote:

> I noticed when my interface filter output method gets called for IPv6
> packets (in particular ICMP6 echo replies), that the mbuf contains an
> aux data pointer in its m_pkthdr.
>
> Browsing the xnu-792.13.8 code, it looks like when you mbuf_dup() an
> mbuf, the pkthdr of the new mbuf is a copy of the pkthdr of the source
> mbuf, which means that the new mbuf's pkthdr's aux field points to the
> same piece of data as the original mbuf.
>
> Then when mbuf_freem() is called, it unconditionally frees this aux
> data if there was any on the mbuf chain that you're freeing.
>
> Without reference counting the aux field, this is really bad. "freeing
> free mbufs" panics ensue from this.

This is a bug indeed.

> What's my workaround?

You may want your code to first check if the new mbuf resulting from
mbuf_dup() has the same auxiliary mbuf attached to it, and if so
manually copy the auxiliary mbuf and attach it to the new mbuf using
mbuf_aux_add(). That way, when this bug is fixed your code would
still work.

Adi

> Thanks!
>
> --
> Bhavesh P. Davda
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-kernel mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
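The ownership problem and the workaround discussed in this thread, as an added example that is not part of the original messages and is not xnu code. It is a user-space C model: every name in it (toy_mbuf, toy_aux, toy_dup, toy_freem, toy_unshare_aux) is a hypothetical stand-in, and toy_freem returns -1 at the point where the kernel would panic.

```c
#include <stddef.h>
#include <string.h>

/* Toy user-space model of the shared-aux problem; hypothetical names, NOT xnu code. */
struct toy_aux  { int in_use; unsigned char data[16]; };
struct toy_mbuf { struct toy_aux *aux; };     /* stands in for m_pkthdr.aux */
static struct toy_aux pool[8];

static struct toy_aux *aux_alloc(void) {
    for (size_t i = 0; i < sizeof pool / sizeof pool[0]; i++)
        if (!pool[i].in_use) { pool[i].in_use = 1; return &pool[i]; }
    return NULL;
}

/* Dup as described in the thread: header copied, so the aux pointer is shared. */
static struct toy_mbuf toy_dup(const struct toy_mbuf *src) { return *src; }

/* Free as described in the thread: aux is released unconditionally, no refcount.
 * Returns -1 if the aux was already free (the "freeing free mbuf" condition). */
static int toy_freem(struct toy_mbuf *m) {
    if (m->aux == NULL) return 0;
    if (!m->aux->in_use) return -1;
    m->aux->in_use = 0;
    m->aux = NULL;
    return 0;
}

/* Workaround: if the copy still aliases the original's aux, give it its own copy. */
static int toy_unshare_aux(const struct toy_mbuf *orig, struct toy_mbuf *copy) {
    if (copy->aux == NULL || copy->aux != orig->aux) return 0;  /* nothing shared */
    struct toy_aux *fresh = aux_alloc();
    if (fresh == NULL) return -1;
    memcpy(fresh->data, orig->aux->data, sizeof fresh->data);
    copy->aux = fresh;
    return 0;
}

/* Dup a buffer, free the copy, then free the original; returns the second free's result. */
static int run_scenario(int apply_workaround) {
    struct toy_mbuf orig = { aux_alloc() };
    if (orig.aux == NULL) return -2;
    memset(orig.aux->data, 0xAB, sizeof orig.aux->data);   /* constructed sample payload */
    struct toy_mbuf copy = toy_dup(&orig);
    if (apply_workaround && toy_unshare_aux(&orig, &copy) != 0) return -2;
    toy_freem(&copy);
    return toy_freem(&orig);
}

int main(void) { return (run_scenario(0) == -1 && run_scenario(1) == 0) ? 0 : 1; }
```

Because toy_unshare_aux only acts when the two pointers are equal, it becomes a no-op once the dup itself produces a separate aux, which is the property the reply asks for.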