It looks like re_rxeof() might leak mbufs in two cases. The first case
happens if the controller returns an incomplete frame when frames are
expected to be non-fragmented. Note that in this instance the fragment
list sc->rl_head should be empty and does not need clearing.

The second leak happens if a frame has a reception error. The code has
cleared any preceding fragments but leaks the list's final mbuf.

Index: dev/ic/re.c
===================================================================
RCS file: src/sys/dev/ic/re.c,v
retrieving revision 1.210
diff -u -p -r1.210 re.c
--- dev/ic/re.c 7 May 2021 09:13:19 -0000       1.210
+++ dev/ic/re.c 13 May 2021 14:33:20 -0000
@@ -1280,6 +1280,8 @@ re_rxeof(struct rl_softc *sc)
                if ((sc->rl_flags & RL_FLAG_JUMBOV2) != 0 &&
                    (rxstat & (RL_RDESC_STAT_SOF | RL_RDESC_STAT_EOF)) !=
                    (RL_RDESC_STAT_SOF | RL_RDESC_STAT_EOF)) {
+                       ifp->if_ierrors++;
+                       m_freem(m);
                        continue;
                } else if (!(rxstat & RL_RDESC_STAT_EOF)) {
                        m->m_len = RL_FRAMELEN(sc->rl_max_mtu);
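Review bot: Neither added `m_freem(m)` records in the code why the free is safe, and both depend on state set up outside these hunks. In the JUMBOV2 branch here the cleanup is complete only if `sc->rl_head` is NULL, which the commit message asserts but the code does not; I would pin it with `KASSERT(sc->rl_head == NULL);` before the free, or at least a comment such as `/* JUMBOV2 never chains fragments, so rl_head is empty here */`. In the second hunk (@@ -1328) the free after the `rl_head` cleanup is correct only if `m` has not yet been linked onto that chain, otherwise the same mbuf would be freed twice; a comment like `/* m is not on the rl_head chain yet; free it separately */` would make that explicit. Both branches are reached on frames that traffic on the wire can produce, so the leak being fixed could otherwise drain the mbuf pool over time. It is worth confirming against the full re_rxeof() body that `m` is already detached from its ring slot when these branches run.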
@@ -1328,6 +1330,7 @@ re_rxeof(struct rl_softc *sc)
                                m_freem(sc->rl_head);
                                sc->rl_head = sc->rl_tail = NULL;
                        }
+                       m_freem(m);
                        continue;
                }
 
