From 8128ee7851b62e1d1a975b817b3a86e66c5331ca Mon Sep 17 00:00:00 2001
From: adrian <adrian@FreeBSD.org>
Date: Sat, 11 Oct 2014 22:08:53 +0000
Subject: Merge r271647 - Fix a double-free of mbufs in rx_ixgbe_discard().

  fmp->buf at the free point is already part of the chain being freed,
  so double-freeing is counter-productive.

Submitted by:	Marc De La Gueronniere <mdelagueronniere@verisign.com>
Sponsored by:	Verisign, Inc.
---
 sys/dev/ixgbe/ixgbe.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/sys/dev/ixgbe/ixgbe.c b/sys/dev/ixgbe/ixgbe.c
index 1e9b980..c2f258a 100644
--- a/sys/dev/ixgbe/ixgbe.c
+++ b/sys/dev/ixgbe/ixgbe.c
@@ -4368,11 +4368,6 @@ ixgbe_rx_discard(struct rx_ring *rxr, int i)
 
 	rbuf = &rxr->rx_buffers[i];
 
-        if (rbuf->fmp != NULL) {/* Partial chain ? */
-		rbuf->fmp->m_flags |= M_PKTHDR;
-                m_freem(rbuf->fmp);
-                rbuf->fmp = NULL;
-	}
 
 	/*
 	** With advanced descriptors the writeback
@@ -4381,7 +4376,13 @@ ixgbe_rx_discard(struct rx_ring *rxr, int i)
 	** the normal refresh path to get new buffers
 	** and mapping.
 	*/
-	if (rbuf->buf) {
+
+	if (rbuf->fmp != NULL) {/* Partial chain ? */
+		rbuf->fmp->m_flags |= M_PKTHDR;
+		m_freem(rbuf->fmp);
+		rbuf->fmp = NULL;
+		rbuf->buf = NULL; /* rbuf->buf is part of fmp's chain */
+	} else if (rbuf->buf) {
 		m_free(rbuf->buf);
 		rbuf->buf = NULL;
 	}
-- 
cgit v1.1