U-Boot 1.1.2 In function: int ppc_440x_eth_initialize (bd_t * bis)
This function malloc's a data structures
/* Allocate our private use data */ hw = (EMAC_440GX_HW_PST) malloc (sizeof (EMAC_440GX_HW_ST));
Later in function: static int ppc_440x_eth_init (struct eth_device *dev, bd_t * bis)
/* Free "old" buffers */ if (hw_p->alloc_tx_buf) free (hw_p->alloc_tx_buf); if (hw_p->alloc_rx_buf) free (hw_p->alloc_rx_buf);
The first time through, the code assumes hw_p->alloc_tx_buf and hw_p->alloc_rx_buf will be zero. A malloc doesn't guarantee that and the variables are never initialized to zero. If the malloc'd memory is all "F"s you end up with : free(0xFFFFFFFF); Or it may be any random non-zero value you try to free.
I added a memset after the malloc to init the struct to zero. I suppose replacing the malloc with calloc will do the trick as well.
-John Roberts