the gprs_llc_tx_ui() will call down to BSSGP/NS, which in turn will call msgb_free() themselves in their error path, so the msgb is already freed at that time. As discussed on the mailing list quite some time ago, msgb ownership policy/rules and implementation need to be more clearly defined, and this definition adopted in the implementation. Thanks to Holger for reproducing this. --- openbsc/src/gprs/gprs_sndcp.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/openbsc/src/gprs/gprs_sndcp.c b/openbsc/src/gprs/gprs_sndcp.c index 853f8db..6564ffb 100644 --- a/openbsc/src/gprs/gprs_sndcp.c +++ b/openbsc/src/gprs/gprs_sndcp.c @@ -420,7 +420,8 @@ static int sndcp_send_ud_frag(struct sndcp_frag_state *fs) rc = gprs_llc_tx_ui(fmsg, lle->sapi, 0, fs->mmcontext); if (rc < 0) { /* abort in case of error, do not advance frag_nr / next_byte */ - msgb_free(fmsg); + /* do not msgb_free() here, as the lower layer is doing + * that if an actual transmission error occurs */ return rc; } -- 1.8.3.2 -- - Harald Welte &lt;laforge(a)gnumonks.org&gt; http://laforge.gnumonks.org/ ============================================================================ "Privacy in residential applications is a desirable marketing option." (ETSI EN 300 175-7 Ch. A6)