Author: adrian
Date: Mon Sep 15 20:50:26 2014
New Revision: 271647
URL: http://svnweb.freebsd.org/changeset/base/271647

Log:
  Fix a double-free of mbufs in rx_ixgbe_discard().
  
  fmp->buf at the free point is already part of the chain being freed,
  so double-freeing is counter-productive.
  
  Submitted by: Marc De La Gueronniere <mdelagueronni...@verisign.com>
  MFC after:    1 week
  Sponsored by: Verisign, Inc.

Modified:
  head/sys/dev/ixgbe/ixgbe.c

Modified: head/sys/dev/ixgbe/ixgbe.c
==============================================================================
--- head/sys/dev/ixgbe/ixgbe.c  Mon Sep 15 20:08:07 2014        (r271646)
+++ head/sys/dev/ixgbe/ixgbe.c  Mon Sep 15 20:50:26 2014        (r271647)
@@ -4523,11 +4523,6 @@ ixgbe_rx_discard(struct rx_ring *rxr, in
 
        rbuf = &rxr->rx_buffers[i];
 
-        if (rbuf->fmp != NULL) {/* Partial chain ? */
-               rbuf->fmp->m_flags |= M_PKTHDR;
-                m_freem(rbuf->fmp);
-                rbuf->fmp = NULL;
-       }
 
        /*
        ** With advanced descriptors the writeback
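Review bot: Style point at the top of this hunk: dropping the block leaves two consecutive blank lines after `rbuf = &rxr->rx_buffers[i];`, since the context blank lines on either side of the removed block are both kept. Removing one of them would keep the function tidy. Also, the "With advanced descriptors the writeback" comment that follows used to introduce only the `rbuf->buf` free. If a partial-chain check is going to sit below it, the comment should be extended to cover that case too.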
@@ -4536,7 +4531,13 @@ ixgbe_rx_discard(struct rx_ring *rxr, in
        ** the normal refresh path to get new buffers
        ** and mapping.
        */
-       if (rbuf->buf) {
+
+       if (rbuf->fmp != NULL) {/* Partial chain ? */
+               rbuf->fmp->m_flags |= M_PKTHDR;
+               m_freem(rbuf->fmp);
+               rbuf->fmp = NULL;
+               rbuf->buf = NULL; /* rbuf->buf is part of fmp's chain */
+       } else if (rbuf->buf) {
                m_free(rbuf->buf);
                rbuf->buf = NULL;
        }
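Review bot: The new `rbuf->buf = NULL;` in the `fmp != NULL` branch drops the pointer without freeing it. This is only correct if `rbuf->buf` is always linked into `fmp`'s chain whenever `fmp` is set. If there is any window where `fmp` is non-NULL but the current `buf` has not yet been appended, this turns the double free into a leak. The invariant is stated only in the trailing comment. It would be worth documenting it where `fmp` and `buf` are assigned, or asserting it here under INVARIANTS. A short comment on the `else if (rbuf->buf)` branch saying it handles a buffer that is not part of any chain would also help. Minor: the blank `+` line added between the closing `*/` and the `if` separates the writeback comment from the code it describes.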
_______________________________________________
svn-src-head@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-head