Date:      Mon, 15 Sep 2014 20:50:27 +0000 (UTC)
From:      Adrian Chadd <adrian@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r271647 - head/sys/dev/ixgbe
Message-ID:  <201409152050.s8FKoR4X002120@svn.freebsd.org>

Author: adrian
Date: Mon Sep 15 20:50:26 2014
New Revision: 271647
URL: http://svnweb.freebsd.org/changeset/base/271647

Log:
  Fix a double-free of mbufs in rx_ixgbe_discard().
  
  fmp->buf at the free point is already part of the chain being freed,
  so double-freeing is counter-productive.
  
  Submitted by:	Marc De La Gueronniere <mdelagueronniere@verisign.com>
  MFC after:	1 week
  Sponsored by:	Verisign, Inc.

Modified:
  head/sys/dev/ixgbe/ixgbe.c

Modified: head/sys/dev/ixgbe/ixgbe.c
==============================================================================
--- head/sys/dev/ixgbe/ixgbe.c	Mon Sep 15 20:08:07 2014	(r271646)
+++ head/sys/dev/ixgbe/ixgbe.c	Mon Sep 15 20:50:26 2014	(r271647)
@@ -4523,11 +4523,6 @@ ixgbe_rx_discard(struct rx_ring *rxr, in
 
 	rbuf = &rxr->rx_buffers[i];
 
-        if (rbuf->fmp != NULL) {/* Partial chain ? */
-		rbuf->fmp->m_flags |= M_PKTHDR;
-                m_freem(rbuf->fmp);
-                rbuf->fmp = NULL;
-	}
 
 	/*
 	** With advanced descriptors the writeback
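Review bot: Style point at the top of this hunk: removing the block leaves two consecutive blank lines between `rbuf = &rxr->rx_buffers[i];` and the block comment that follows, so one of them should be dropped. With the partial-chain handling gone from here, the fmp check and the buf free can no longer run back to back on the same entry, which is what the log message describes as the double free.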
@@ -4536,7 +4531,13 @@ ixgbe_rx_discard(struct rx_ring *rxr, in
 	** the normal refresh path to get new buffers
 	** and mapping.
 	*/
-	if (rbuf->buf) {
+
+	if (rbuf->fmp != NULL) {/* Partial chain ? */
+		rbuf->fmp->m_flags |= M_PKTHDR;
+		m_freem(rbuf->fmp);
+		rbuf->fmp = NULL;
+		rbuf->buf = NULL; /* rbuf->buf is part of fmp's chain */
+	} else if (rbuf->buf) {
 		m_free(rbuf->buf);
 		rbuf->buf = NULL;
 	}
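Review bot: In the new `if (rbuf->fmp != NULL)` branch, `rbuf->buf = NULL` is only safe if rbuf->buf is always linked into fmp's chain whenever fmp is set, and nothing in this function checks that. If any path can leave fmp non-NULL with a buf that is not on the chain, the `else if (rbuf->buf)` arm is now skipped and that mbuf leaks instead of being freed twice. I would either add a KASSERT for the invariant or extend the comment to say where the chain is built, so the next reader can verify it. Minor: the blank line added between the "With advanced descriptors" comment and the code separates the comment from the statements it explains, and the comment itself now sits above the fmp handling rather than the buf free it was written for.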


