[PATCH] Wrong return value corrupts free object in e1000 driver
author David S. Miller <davem@davemloft.net>
Sat, 11 Mar 2006 02:08:09 +0000 (18:08 -0800)
committer Jeff Garzik <jeff@garzik.org>
Sat, 11 Mar 2006 18:25:17 +0000 (13:25 -0500)
For some reason, E1000's ->hard_start_xmit() routine returns -EFAULT
instead of one of the NETDEV_TX_* error codes.  In fact, it frees up
the SKB before returning this.  This makes the queueing layer think
the packet should be requeued and subsequently we corrupt a freed
object.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
drivers/net/e1000/e1000_main.c

index 5b7d0f425af21a76966230ebdb97815bee869d21..4c4db96d0b7bd7b74064af24f59730d0f56d68b4 100644 (file)
@@ -2917,7 +2917,7 @@ e1000_xmit_frame(struct sk_buff *skb, struct net_device *netdev)
                        if (!__pskb_pull_tail(skb, pull_size)) {
                                printk(KERN_ERR "__pskb_pull_tail failed.\n");
                                dev_kfree_skb_any(skb);
-                               return -EFAULT;
+                               return NETDEV_TX_OK;
                        }
                        len = skb->len - skb->data_len;
                }
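
Review bot: The failure branch at `return NETDEV_TX_OK;` now reports success for a packet that was in fact dropped, and nothing in the visible lines records the drop; consider incrementing a transmit drop counter before returning so the loss is visible outside the `printk`. A short comment on the return, stating that the skb has already been freed by `dev_kfree_skb_any(skb)` and so must be reported as consumed rather than with an errno such as `-EFAULT`, would keep a later change from reintroducing an error return on this path. The `printk(KERN_ERR ...)` is also unconditional and carries no device name, so repeated failures here can flood the log without identifying the interface; rate limiting it and including the device name would help.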