Re: mbuf_dup/mbuf_freem with mbufs containing aux data
From: Adi Masputra
Delivered-To: darwin-kernel@lists.apple.com

Bhavesh,

On Jan 29, 2007, at 5:45 PM, Bhavesh Davda wrote:

> I noticed when my interface filter output method gets called for IPv6 packets (in particular ICMP6 echo replies) that the mbuf contains an aux data pointer in its m_pkthdr. Browsing the xnu-792.13.8 code, it looks like when you mbuf_dup() an mbuf, the pkthdr of the new mbuf is a copy of the pkthdr of the source mbuf, which means that the new mbuf's pkthdr's aux field points to the same piece of data as the original mbuf. Then when mbuf_freem() is called, it unconditionally frees this aux data if there was any on the mbuf chain that you're freeing. Without reference counting the aux field, this is really bad. "freeing free mbufs" panics ensue from this.

This is a bug indeed. You may want your code to first check if the new mbuf that resulted from mbuf_dup() has the same auxiliary mbuf attached to it, and if so manually copy the auxiliary mbuf and attach it to the new mbuf using mbuf_aux_add(). That way, when this bug is fixed your code would still work.

Adi

> What's my workaround?
>
> Thanks!
>
> --
> Bhavesh P. Davda

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-kernel mailing list (Darwin-kernel@lists.apple.com)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/darwin-kernel/adi%40apple.com
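As an added illustration, not code from the thread or from xnu: a user-space C model of the aliasing Bhavesh describes (mbuf_dup() copying the pkthdr aux pointer, mbuf_freem() freeing it with no reference count) and of the check Adi suggests. The struct layouts, the _model names, give_dup_private_aux() and the double-free counter are assumptions made for this model.

```c
/* Constructed user-space model of the mbuf_dup()/mbuf_freem() aux aliasing in
 * the thread; not xnu code. Layouts, _model names and counter are assumptions. */
#include <stdlib.h>

struct aux_model { int freed; unsigned char data[32]; };
struct mbuf_model { struct aux_model *aux; };  /* stands in for m_pkthdr.aux */
static int double_frees;                       /* "freeing free mbufs" events */

/* Marks aux data freed instead of calling free(), so a second free is counted
 * rather than being undefined behaviour. */
static void aux_free_model(struct aux_model *a)
{
    if (a->freed) double_frees++;
    a->freed = 1;
}
/* The bug: the whole packet header is copied, aux pointer included. */
static struct mbuf_model *mbuf_dup_model(const struct mbuf_model *m)
{
    struct mbuf_model *n = malloc(sizeof *n);
    *n = *m;
    return n;
}
/* mbuf_freem() releases whatever aux is attached; there is no refcount. */
static void mbuf_freem_model(struct mbuf_model *m)
{
    if (m->aux) aux_free_model(m->aux);
    free(m);
}
/* Workaround from the thread: if the dup still points at the source's aux,
 * copy that aux and attach the copy to the dup before either can be freed. */
static void give_dup_private_aux(const struct mbuf_model *src, struct mbuf_model *dup)
{
    if (dup->aux == NULL || dup->aux != src->aux) return;
    dup->aux = malloc(sizeof *dup->aux);
    *dup->aux = *src->aux;
}
/* Frees an original and its dup; returns the number of double frees seen. */
int run_scenario(int apply_workaround)
{
    struct mbuf_model *m = malloc(sizeof *m), *d;
    struct aux_model *a1, *a2;
    double_frees = 0;
    m->aux = calloc(1, sizeof *m->aux);          /* constructed aux data */
    d = mbuf_dup_model(m);
    if (apply_workaround) give_dup_private_aux(m, d);
    a1 = m->aux; a2 = d->aux;
    mbuf_freem_model(m); mbuf_freem_model(d);
    free(a1); if (a2 != a1) free(a2);            /* reclaim model aux data */
    return double_frees;
}
```

run_scenario(0) reproduces one double free of the shared aux; run_scenario(1) applies the check-and-copy step and reports none.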