From: David S. Miller Date: Sat, 11 Mar 2006 02:08:09 +0000 (-0800) Subject: [PATCH] Wrong return value corrupts free object in e1000 driver X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=9e927fb6186b6913d47d33068160088a084d568e;p=GitHub%2FLineageOS%2FG12%2Fandroid_kernel_amlogic_linux-4.9.git [PATCH] Wrong return value corrupts free object in e1000 driver For some reason, E1000's ->hard_start_xmit() routine returns -EFAULT instead of one of the NETDEV_TX_* error codes. In fact, it frees up the SKB before returning this. This makes the queueing layer think the packet should be requeued and subsequently we corrupt a freed object. Signed-off-by: David S. Miller Signed-off-by: Jeff Garzik --- diff --git a/drivers/net/e1000/e1000_main.c b/drivers/net/e1000/e1000_main.c index 5b7d0f425af2..4c4db96d0b7b 100644 --- a/drivers/net/e1000/e1000_main.c +++ b/drivers/net/e1000/e1000_main.c @@ -2917,7 +2917,7 @@ e1000_xmit_frame(struct sk_buff *skb, struct net_device *netdev) if (!__pskb_pull_tail(skb, pull_size)) { printk(KERN_ERR "__pskb_pull_tail failed.\n"); dev_kfree_skb_any(skb); - return -EFAULT; + return NETDEV_TX_OK; } len = skb->len - skb->data_len; }