From 9e927fb6186b6913d47d33068160088a084d568e Mon Sep 17 00:00:00 2001 From: "David S. Miller" Date: Fri, 10 Mar 2006 18:08:09 -0800 Subject: [PATCH] [PATCH] Wrong return value corrupts free object in e1000 driver For some reason, E1000's ->hard_start_xmit() routine returns -EFAULT instead of one of the NETDEV_TX_* error codes. In fact, it frees up the SKB before returning this. This makes the queueing layer think the packet should be requeued and subsequently we corrupt a freed object. Signed-off-by: David S. Miller Signed-off-by: Jeff Garzik --- drivers/net/e1000/e1000_main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/e1000/e1000_main.c b/drivers/net/e1000/e1000_main.c index 5b7d0f425af2..4c4db96d0b7b 100644 --- a/drivers/net/e1000/e1000_main.c +++ b/drivers/net/e1000/e1000_main.c @@ -2917,7 +2917,7 @@ e1000_xmit_frame(struct sk_buff *skb, struct net_device *netdev) if (!__pskb_pull_tail(skb, pull_size)) { printk(KERN_ERR "__pskb_pull_tail failed.\n"); dev_kfree_skb_any(skb); - return -EFAULT; + return NETDEV_TX_OK; } len = skb->len - skb->data_len; } -- 2.20.1