Hi, I put here a bug among others:

-------------------------- sys/dev/pci/if_et.c -------------------------

1808		if (m_defrag(m, M_DONTWAIT)) {
			m_freem(m);
			printf("%s: can't defrag TX mbuf\n",
			    sc->sc_dev.dv_xname);
			error = ENOBUFS;
			goto back;
		}
	[...]
	back:
		if (error) {
			m_freem(m);
			*m0 = NULL;
		}

------------------------------------------------------------------------
Use-after-free with 'm'.
Found by The Brainy Code Scanner.
Maxime
