When a packet is longer than PAGE_SIZE bytes, ixgbe has to
split it across multiple descriptors. As it build up the
mbuf chain representing the packet, it saves the mbuf chain
in the rxbuf struct for the next descriptor index. If the
interface is disabled while ixgbe is doing this, a stale mbuf
chain will be left in the rxbuf.
When the interface is brought back up, the init routine ignores
the built-up mbuf chain, but it does free the mbuf associated with
the descriptor. This means that the mbuf chain is left in a state
where the final mbuf in the chain is now free. When receive starts
again, once it processes that descriptor rxeof will encounter the
stale mbuf chain and begin processing it, eventually passing it up
the stack. Eventually the chain is freed and the final mbuf in
the chain is freed a second time, leading to all the hilarity that
a double free in the kernel can cause.
Also correct an error case that did not perform proper locking
before touching an rx ring.