the gprs_llc_tx_ui() will call down to BSSGP/NS, which in turn will
call msgb_free() themselves in their error path, so the msgb is
already freed at that time.
As discussed on the mailing list quite some time ago, msgb ownership
policy/rules and implementation need to be more clearly defined, and
this definition adopted in the implementation.
Thanks to Holger for reproducing this.
---
openbsc/src/gprs/gprs_sndcp.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/openbsc/src/gprs/gprs_sndcp.c b/openbsc/src/gprs/gprs_sndcp.c
index 853f8db..6564ffb 100644
--- a/openbsc/src/gprs/gprs_sndcp.c
+++ b/openbsc/src/gprs/gprs_sndcp.c
@@ -420,7 +420,8 @@ static int sndcp_send_ud_frag(struct sndcp_frag_state *fs)
rc = gprs_llc_tx_ui(fmsg, lle->sapi, 0, fs->mmcontext);
if (rc < 0) {
/* abort in case of error, do not advance frag_nr / next_byte */
- msgb_free(fmsg);
+ /* do not msgb_free() here, as the lower layer is doing
+ * that if an actual transmission error occurs */
return rc;
}
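Review bot: In the `if (rc < 0)` branch, dropping msgb_free(fmsg) is only safe if every negative return from gprs_llc_tx_ui() has already freed the msgb. The new comment says the lower layer frees it "if an actual transmission error occurs", which leaves open whether an error return taken before the message reaches BSSGP/NS also frees it. If any such path exists, this branch now leaks fmsg instead of freeing it twice. Please confirm that all error returns of gprs_llc_tx_ui() consume the msgb, and reword the comment to state the rule unconditionally, for example "gprs_llc_tx_ui() takes ownership of fmsg and frees it on error". The same rule would be worth documenting at gprs_llc_tx_ui() itself, in line with the ownership-policy point raised in the commit message.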
--
1.8.3.2
--
- Harald Welte <laforge(a)gnumonks.org>
http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
(ETSI EN 300 175-7 Ch. A6)