Delivered-To: darwin-kernel@lists.apple.com

The bug number is 4117818.

-josh

On Aug 2, 2005, at 7:55 AM, Markus Hanauska wrote:

Hello Everyone,

Straight to the point: Why does this part of a KEXT crash?

    /* IP Filter */
    errno_t pre(ipf_input_func)(void *cookie, mbuf_t *data, int offset, u_int8_t protocol)
    {
        char *tag;
        size_t len;

        if (pre(connectedProcesses) == 0)
            return KERN_SUCCESS;

        if (protocol == IPPROTO_ESP) {
            /* Mark ESP packets so the decrypted packet can be recognised later. */
            if (mbuf_tag_allocate(*data, pre(mbufTag), 1, strlen(STR(ESP_MARKER)) + 1,
                                  MBUF_DONTWAIT, (void **)&tag) == 0) {
                bcopy(STR(ESP_MARKER), tag, strlen(STR(ESP_MARKER)) + 1);
            }
        } else if (mbuf_tag_find(*data, pre(mbufTag), 1, &len, (void **)&tag) == 0) {
            if (len == strlen(STR(ESP_MARKER)) + 1 && memcmp(tag, STR(ESP_MARKER), len) == 0) {
                size_t mbufSize, space = -1;

                mbuf_tag_free(*data, pre(mbufTag), 1);
                mbufSize = (mbuf_flags(*data) & MBUF_PKTHDR) ? mbuf_pkthdr_len(*data)
                                                             : mbuf_len(*data);
                /* Hand a copy of the packet to the user-space client over the kernel control socket. */
                if (ctl_getenqueuespace(pre(userSpaceSock), 0, &space) == 0 && space >= mbufSize) {
                    mbuf_t dupe;

                    if (mbuf_dup(*data, MBUF_DONTWAIT, &dupe) == 0) {
                        if (ctl_enqueuembuf(pre(userSpaceSock), 0, dupe, 0) != 0) {
                            printf("Failed to send\n");
                            mbuf_freem(dupe);
                        }
                    } else
                        printf("Failed to dupe\n");
                } else
                    printf("Not enough space: %lu >= %lu\n",
                           (unsigned long)space, (unsigned long)mbufSize);
            } else
                printf("Marker does not match\n");
        }
        return KERN_SUCCESS;
    }

I know where it crashes, it crashes in /xnu-792.2.4/bsd/kern/uipc_mbuf.c:1267 where a manual panic is created:

    "m_freem_list: m_nextpkt of m_next != NULL"

Oh, BTW pre(...) is a macro, it expands the name to a more unique one:

    #define pre3(x,y) x ## y
    #define pre2(x,y) pre3(x,y)
    #define pre(x) pre2(FUNCTION_PREFIX, x)

and FUNCTION_PREFIX is a long, unique reverted domain name (no string). This does not relate to the problem. STR converts defines to strings:

    #define STR2(x) #x
    #define STR(x) STR2(x)

And I also know that the above function is anything but high-performance, however it was just quick and dirty as a proof of concept, that did not work so far, cause it panics.

Any help appreciated, thank you very much!

-- 
Best Regards,
Markus Hanauska

Reply:

There is a known issue with mbuf_dup and mbuf tags. mbuf_dup copies the tag pointer. The tags are stored in a chain of mbufs. When you free either the original or the dup'd packet, the mbufs for the tags are freed. When you free the remaining mbuf, the machine panics because the mbufs used for the tags are already free.

One option would be to use mbuf_copym instead of mbuf_dup. It should be quicker too because it doesn't need to duplicate the data.

Another option would be to not add the tags until after you have done the dupe. That's a bad solution because you never know if some other third party kext has added tags already.

Markus Hanauska replied:

Fine, but I did the following as well (just from top of my head, excuse stupid coding errors, of course the version I tried had no such errors):

    /* Walk the duplicated chain and clear any m_nextpkt link before freeing it. */
    mbuf_t dupe2 = dupe;
    while (dupe2) {
        if (mbuf_nextpkt(dupe2))
            mbuf_setnextpkt(dupe2, NULL);
        dupe2 = mbuf_next(dupe2);
    }

So there was definitely no m_nextpkt set along the chain. BTW, I did the same for *data in another test and then for both.

Modifying the code to send the original mbuf (*data) and then not freeing it (EJUSTRETURN as ctl_getenqueuespace consumes the package on success) works just fine. So I don't see how this could be my mistake. I tried not to enqueue the package at all, just dupe and then mbuf_freem and I run into a panic, too. Haven't checked so far if it's the same one.

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-kernel mailing list (Darwin-kernel@lists.apple.com)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/darwin-kernel/
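The reply's explanation (mbuf_dup copies the tag pointer, so the original and the duplicate share one tag chain and the second free hits already-freed memory) can be modelled in user space. The following is an added example, not code from the thread or from XNU: the *_model functions stand in for the KPIs mbuf_tag_allocate, mbuf_dup, mbuf_copym and mbuf_freem, the packet and tag structures are constructed for illustration, and a fixed tag pool with a per-tag free counter replaces the kernel's real free so the double free is counted instead of panicking. It covers all three cases from the reply: dup after tagging, copym after tagging, and dup before adding one's own tag while another kext's tag is already present.

```c
/* Added example (not from the thread or XNU): model of mbuf tag aliasing. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct tag_model { unsigned id; struct tag_model *next; };   /* one tag in a chain */
struct mbuf_model { char *payload; size_t len; struct tag_model *tags; };

/* Constructed tag storage: a fixed pool, so a tag reached through a stale
 * pointer can still be read here. XNU frees the tag mbufs on the first
 * m_freem, so the second m_freem walks freed memory and panics instead. */
#define TAG_POOL 8
static struct tag_model tag_pool[TAG_POOL];
static int tags_used;
static int free_count[TAG_POOL];   /* how often each pool tag was "freed" */
static int double_frees;           /* tags freed more than once */

static void reset_model(void)
{
    tags_used = 0;
    double_frees = 0;
    memset(tag_pool, 0, sizeof tag_pool);
    memset(free_count, 0, sizeof free_count);
}

static struct mbuf_model *mbuf_alloc_model(const char *payload)
{
    struct mbuf_model *m = calloc(1, sizeof *m);
    m->len = strlen(payload);
    m->payload = malloc(m->len + 1);
    memcpy(m->payload, payload, m->len + 1);
    return m;
}

/* Stand-in for mbuf_tag_allocate: prepend a tag to the packet's chain. */
static int mbuf_tag_allocate_model(struct mbuf_model *m, unsigned id)
{
    if (tags_used >= TAG_POOL) return -1;
    struct tag_model *t = &tag_pool[tags_used++];
    t->id = id;
    t->next = m->tags;
    m->tags = t;
    return 0;
}

/* Stand-in for mbuf_dup as the reply describes it: the data is duplicated
 * but the tag pointer is copied, so both packets now "own" the same chain. */
static struct mbuf_model *mbuf_dup_model(const struct mbuf_model *src)
{
    struct mbuf_model *d = mbuf_alloc_model(src->payload);
    d->tags = src->tags;
    return d;
}

/* Stand-in for mbuf_copym: the copy carries no tags of its own. */
static struct mbuf_model *mbuf_copym_model(const struct mbuf_model *src)
{
    return mbuf_alloc_model(src->payload);
}

/* Stand-in for mbuf_freem: release the packet and every tag in its chain. */
static void mbuf_freem_model(struct mbuf_model *m)
{
    for (struct tag_model *t = m->tags; t; t = t->next)
        if (++free_count[t - tag_pool] > 1)
            double_frees++;
    free(m->payload);
    free(m);
}

/* mode 0: our tag, then mbuf_dup                          -> shared chain
 * mode 1: our tag, then mbuf_copym                        -> separate
 * mode 2: foreign tag present, mbuf_dup, then our tag     -> still shared
 * Returns the number of tags freed twice once both packets are freed. */
int run_scenario(int mode)
{
    reset_model();
    struct mbuf_model *orig = mbuf_alloc_model("constructed ESP payload");
    mbuf_tag_allocate_model(orig, mode == 2 ? 99u : 1u);   /* 99: another kext's tag */
    struct mbuf_model *copy = (mode == 1) ? mbuf_copym_model(orig) : mbuf_dup_model(orig);
    if (mode == 2)
        mbuf_tag_allocate_model(orig, 1u);                 /* our tag, added after the dup */
    mbuf_freem_model(orig);   /* frees the chain once ... */
    mbuf_freem_model(copy);   /* ... and again if the chain was shared */
    return double_frees;
}

int main(void)
{
    const char *desc[] = { "mbuf_dup after tagging", "mbuf_copym after tagging",
                           "mbuf_dup before our tag, foreign tag present" };
    for (int mode = 0; mode < 3; mode++)
        printf("%-46s double frees: %d\n", desc[mode], run_scenario(mode));
    return 0;
}
```

Mode 2 is the point of the reply's second paragraph: deferring one's own tag does not help when a tag from another kext is already on the packet, because mbuf_dup still aliases that chain. Only the copy that carries no tags (mbuf_copym in the reply) frees cleanly.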