The gprs_llc_tx_ui() will call down to BSSGP/NS, which in turn will call msgb_free() themselves in their error path, so the msgb is already freed at that time.
As discussed on the mailing list quite some time ago, msgb ownership policy/rules and implementation need to be more clearly defined, and this definition adopted in the implementation.
Thanks to Holger for reproducing this. --- openbsc/src/gprs/gprs_sndcp.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/openbsc/src/gprs/gprs_sndcp.c b/openbsc/src/gprs/gprs_sndcp.c index 853f8db..6564ffb 100644 --- a/openbsc/src/gprs/gprs_sndcp.c +++ b/openbsc/src/gprs/gprs_sndcp.c @@ -420,7 +420,8 @@ static int sndcp_send_ud_frag(struct sndcp_frag_state *fs) rc = gprs_llc_tx_ui(fmsg, lle->sapi, 0, fs->mmcontext); if (rc < 0) { /* abort in case of error, do not advance frag_nr / next_byte */ - msgb_free(fmsg); + /* do not msgb_free() here, as the lower layer is doing + * that if an actual transmission error occurs */ return rc; }
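Review bot: in the `if (rc < 0)` branch of sndcp_send_ud_frag(), dropping msgb_free(fmsg) is only safe if every negative return from gprs_llc_tx_ui() has already freed the msgb. The new comment covers only the case where "an actual transmission error occurs" in the lower layer. If gprs_llc_tx_ui() can also fail before handing the message down to BSSGP/NS, this change trades the double free for a leak of fmsg on that path. Please confirm that gprs_llc_tx_ui() takes ownership of the msgb on all paths, success and error alike, and state that contract in a comment at its definition, so callers do not have to infer it from this call site. If it does not, the early-error returns in gprs_llc_tx_ui() should free the msgb themselves so the rule is uniform. It would also help to make the comment here say explicitly that fmsg must not be touched after the call, since ownership has passed to the lower layer regardless of rc.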