[IB] ib_umad: fix crash when freeing send buffers

The conversion of user_mad.c to the new MAD send API was slightly off: in a few places, we used packet->msg instead of packet->msg->mad when referring to the actual data buffer, which ended up corrupting the underlying data structure and crashing when we free an invalid pointer. Signed-off-by: Roland Dreier <rolandd@cisco.com>
author: Roland Dreier <rolandd@cisco.com> 2005-10-27 23:33:43 -0400
committer: Roland Dreier <rolandd@cisco.com> 2005-10-27 23:33:43 -0400
commit: 089a1bedd84be16a4f49a319e7ccb4a128da5ce9 (patch)
tree: d2bad46f16a76769b1f8d87aad369d50b4966cb6 /drivers/infiniband
parent: 3d155f8cd0d077938d271225d26ee52f8eb26082 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c
index fc5519a3de99..a48166a8e04b 100644
--- a/drivers/infiniband/core/user_mad.c
+++ b/drivers/infiniband/core/user_mad.c
@@ -398,12 +398,12 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf,
         * transaction ID matches the agent being used to send the
         * MAD.
         */
-        method = ((struct ib_mad_hdr *) packet->msg)->method;
+        method = ((struct ib_mad_hdr *) packet->msg->mad)->method;
        if (!(method & IB_MGMT_METHOD_RESP)       &&
            method != IB_MGMT_METHOD_TRAP_REPRESS &&
            method != IB_MGMT_METHOD_SEND) {
-                tid = &((struct ib_mad_hdr *) packet->msg)->tid;
+                tid = &((struct ib_mad_hdr *) packet->msg->mad)->tid;
                *tid = cpu_to_be64(((u64) agent->hi_tid) << 32 |
                                   (be64_to_cpup(tid) & 0xffffffff));
        }
author	Roland Dreier <rolandd@cisco.com>	2005-10-27 23:33:43 -0400
committer	Roland Dreier <rolandd@cisco.com>	2005-10-27 23:33:43 -0400
commit	089a1bedd84be16a4f49a319e7ccb4a128da5ce9 (patch)
tree	d2bad46f16a76769b1f8d87aad369d50b4966cb6 /drivers/infiniband
parent	3d155f8cd0d077938d271225d26ee52f8eb26082 (diff)

diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c index fc5519a3de99..a48166a8e04b 100644 --- a/drivers/infiniband/core/user_mad.c +++ b/drivers/infiniband/core/user_mad.c
@@ -398,12 +398,12 @@ static ssize_t ib_umad_write(struct file filp, const char __user buf,
398	* transaction ID matches the agent being used to send the	398	* transaction ID matches the agent being used to send the
399	* MAD.	399	* MAD.
400	*/	400	*/
401	method = ((struct ib_mad_hdr *) packet->msg)->method;	401	method = ((struct ib_mad_hdr *) packet->msg->mad)->method;
402		402
403	if (!(method & IB_MGMT_METHOD_RESP) &&	403	if (!(method & IB_MGMT_METHOD_RESP) &&
404	method != IB_MGMT_METHOD_TRAP_REPRESS &&	404	method != IB_MGMT_METHOD_TRAP_REPRESS &&
405	method != IB_MGMT_METHOD_SEND) {	405	method != IB_MGMT_METHOD_SEND) {
406	tid = &((struct ib_mad_hdr *) packet->msg)->tid;	406	tid = &((struct ib_mad_hdr *) packet->msg->mad)->tid;
407	*tid = cpu_to_be64(((u64) agent->hi_tid) << 32 \|	407	*tid = cpu_to_be64(((u64) agent->hi_tid) << 32 \|
408	(be64_to_cpup(tid) & 0xffffffff));	408	(be64_to_cpup(tid) & 0xffffffff));
409	}	409	}