Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 089a1bed authored by Roland Dreier's avatar Roland Dreier
Browse files

[IB] ib_umad: fix crash when freeing send buffers 



The conversion of user_mad.c to the new MAD send API was slightly off:
in a few places, we used packet->msg instead of packet->msg->mad when
referring to the actual data buffer, which ended up corrupting the
underlying data structure and crashing when we free an invalid pointer.

Signed-off-by: default avatarRoland Dreier <rolandd@cisco.com>
parent 3d155f8c

drivers/infiniband/core/user_mad.c

+2 −2
Original line number Diff line number Diff line
@@ -398,12 +398,12 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf, 
	 * transaction ID matches the agent being used to send the

	 * MAD.

	 */

	method = ((struct ib_mad_hdr *) packet->msg)->method;

	method = ((struct ib_mad_hdr *) packet->msg->mad)->method;



	if (!(method & IB_MGMT_METHOD_RESP)       &&

	    method != IB_MGMT_METHOD_TRAP_REPRESS &&

	    method != IB_MGMT_METHOD_SEND) {

		tid = &((struct ib_mad_hdr *) packet->msg)->tid;

		tid = &((struct ib_mad_hdr *) packet->msg->mad)->tid;

		*tid = cpu_to_be64(((u64) agent->hi_tid) << 32 |

				   (be64_to_cpup(tid) & 0xffffffff));

	}