[IB] ib_umad: fix crash when freeing send buffers

The conversion of user_mad.c to the new MAD send API was slightly off: in a few places, we used packet->msg instead of packet->msg->mad when referring to the actual data buffer, which ended up corrupting the underlying data structure and crashing when we free an invalid pointer. Signed-off-by: Roland Dreier <rolandd@cisco.com>
git-mirror · Oct 28, 2005 · 089a1be · 089a1be
1 parent 3d155f8
commit 089a1be
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c
@@ -398,12 +398,12 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf,
 	 * transaction ID matches the agent being used to send the
 	 * MAD.
 	 */
-	method = ((struct ib_mad_hdr *) packet->msg)->method;
+	method = ((struct ib_mad_hdr *) packet->msg->mad)->method;
 
 	if (!(method & IB_MGMT_METHOD_RESP)       &&
 	    method != IB_MGMT_METHOD_TRAP_REPRESS &&
 	    method != IB_MGMT_METHOD_SEND) {
-		tid = &((struct ib_mad_hdr *) packet->msg)->tid;
+		tid = &((struct ib_mad_hdr *) packet->msg->mad)->tid;
 		*tid = cpu_to_be64(((u64) agent->hi_tid) << 32 |
 				   (be64_to_cpup(tid) & 0xffffffff));
 	}