Hi, I put here two bugs among others: ------------------------ sys/dev/pci/hifn7751.c ------------------------
2757 if (!(m0->m_flags & M_EXT)) m_freem(m0); len = MCLBYTES; totlen -= len; m0->m_pkthdr.len = m0->m_len = len; mlast = m0; ------------------------------------------------------------------------ Use-after-free with 'm0'. ------------------------ sys/dev/pci/hifn7751.c ------------------------ 2766 MGET(m, M_DONTWAIT, MT_DATA); if (m == NULL) { m_freem(m0); return (NULL); } MCLGET(m, M_DONTWAIT); if (!(m->m_flags & M_EXT)) { m_freem(m0); return (NULL); } len = MCLBYTES; ------------------------------------------------------------------------ 'm' is leaked. Found by The Brainy Code Scanner. Maxime