[IB] ib_umad: fix crash when freeing send buffers
author: Roland Dreier <rolandd@cisco.com>
Fri, 28 Oct 2005 03:33:43 +0000 (20:33 -0700)
committer: Roland Dreier <rolandd@cisco.com>
Fri, 28 Oct 2005 03:33:43 +0000 (20:33 -0700)
The conversion of user_mad.c to the new MAD send API was slightly off:
in a few places, we used packet->msg instead of packet->msg->mad when
referring to the actual data buffer, which ended up corrupting the
underlying data structure and crashing when we free an invalid pointer.

Signed-off-by: Roland Dreier <rolandd@cisco.com>
drivers/infiniband/core/user_mad.c

index fc5519a3de997e6592812326a8ba5f2334f38c29..a48166a8e04bded895df959f9463447f9bd34e17 100644 (file)
@@ -398,12 +398,12 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf,
         * transaction ID matches the agent being used to send the
         * MAD.
         */
-       method = ((struct ib_mad_hdr *) packet->msg)->method;
+       method = ((struct ib_mad_hdr *) packet->msg->mad)->method;
 
        if (!(method & IB_MGMT_METHOD_RESP)       &&
            method != IB_MGMT_METHOD_TRAP_REPRESS &&
            method != IB_MGMT_METHOD_SEND) {
-               tid = &((struct ib_mad_hdr *) packet->msg)->tid;
+               tid = &((struct ib_mad_hdr *) packet->msg->mad)->tid;
                *tid = cpu_to_be64(((u64) agent->hi_tid) << 32 |
                                   (be64_to_cpup(tid) & 0xffffffff));
        }
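Review bot: the two fixed lines still repeat the same `(struct ib_mad_hdr *) packet->msg->mad` cast, which is exactly the pattern that hid the original bug; a single `struct ib_mad_hdr *hdr = packet->msg->mad;` at the top of the block, with `method = hdr->method;` and `tid = &hdr->tid;`, would make it harder to reintroduce the `packet->msg` / `packet->msg->mad` mix-up. The commit message also says "a few places" while this hunk corrects only these two casts, so it is worth confirming no other `packet->msg` cast to `struct ib_mad_hdr *` remains in ib_umad_write or elsewhere in user_mad.c, since any survivor would keep writing the transaction ID into the `ib_mad_send_buf` itself rather than into the MAD data.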