MFC r208084:

  If controller received bad frames make sure to update newly added
  RFA. Also drop frames that have either CRC error or alignment
  error. Normally bad frames are not received at all. But controllers
  running in promiscuous mode will receive bad frames. 82557 will
  also receive bad frames to receive VLAN oversized frames.

  While I'm here mark RNR condition if driver happen to see RNR in
  RFA status and restart RU to receive frames again. Because driver
  checks all received frames in RX loop, RNR condition could be set
  in the middle of RX processing. Just relying on RNR interrupt was
  not enough.

  This change fixes "Memory modified after free" issue when fxp(4)
  is running as a member of if_bridge(4).

  Tested by:	Larry Baird <lab <> gta dot com>

1 files changed, 7 insertions, 2 deletions

diff --git a/sys/dev/fxp/if_fxp.c b/sys/dev/fxp/if_fxp.c
index 006ec52..079ecc1 100644
--- a/sys/dev/fxp/if_fxp.c
+++ b/sys/dev/fxp/if_fxp.c
@@ -1916,6 +1916,8 @@ fxp_intr_body(struct fxp_softc *sc, struct ifnet *ifp, uint8_t statack,
 		if ((status & FXP_RFA_STATUS_C) == 0)
 			break;
 
+		if ((status & FXP_RFA_STATUS_RNR) != 0)
+			rnr++;
 		/*
 		 * Advance head forward.
 		 */
@@ -1942,9 +1944,12 @@ fxp_intr_body(struct fxp_softc *sc, struct ifnet *ifp, uint8_t statack,
 				total_len -= 2;
 			}
 			if (total_len < sizeof(struct ether_header) ||
-			    total_len > MCLBYTES - RFA_ALIGNMENT_FUDGE -
-				sc->rfa_size || status & FXP_RFA_STATUS_CRC) {
+			    total_len > (MCLBYTES - RFA_ALIGNMENT_FUDGE -
+			    sc->rfa_size) ||
+			    status & (FXP_RFA_STATUS_CRC |
+			    FXP_RFA_STATUS_ALIGN)) {
 				m_freem(m);
+				fxp_add_rfabuf(sc, rxp);
 				continue;
 			}