summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorEli Cohen <eli@mellanox.co.il>2007-05-14 10:35:43 +0200
committerRoland Dreier <rolandd@cisco.com>2007-05-19 17:51:53 +0200
commit7b82cd8ee7374f803a3daf9a6cbc6eb4bbb10a63 (patch)
tree2ff12883dc0f1116a29c83d4396e8c965fcd13fe
parentLinux v2.6.22-rc2 (diff)
downloadlinux-7b82cd8ee7374f803a3daf9a6cbc6eb4bbb10a63.tar.xz
linux-7b82cd8ee7374f803a3daf9a6cbc6eb4bbb10a63.zip
IB/core: Free umem when mm is already gone
Free umem when task's mm is already destroyed by the time ib_umem_release gets called. Found by Dotan Barak at Mellanox. Signed-off-by: Eli Cohen <eli@mellanox.co.il> Signed-off-by: Roland Dreier <rolandd@cisco.com>
-rw-r--r--drivers/infiniband/core/umem.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c
index f32ca5fbb26b..6009234e4f9e 100644
--- a/drivers/infiniband/core/umem.c
+++ b/drivers/infiniband/core/umem.c
@@ -209,8 +209,10 @@ void ib_umem_release(struct ib_umem *umem)
__ib_umem_release(umem->context->device, umem, 1);
mm = get_task_mm(current);
- if (!mm)
+ if (!mm) {
+ kfree(umem);
return;
+ }
diff = PAGE_ALIGN(umem->length + umem->offset) >> PAGE_SHIFT;