commit 7b82cd8ee7374f803a3daf9a6cbc6eb4bbb10a63
author Eli Cohen <eli@mellanox.co.il> Mon May 14 11:35:43 2007 +0300
committer Roland Dreier <rolandd@cisco.com> Sat May 19 08:51:53 2007 -0700
tree 2ff12883dc0f1116a29c83d4396e8c965fcd13fe
parent 55b637c6a003a8c4850b41a2c2fd6942d8a7f530

IB/core: Free umem when mm is already gone

Free umem when task's mm is already destroyed by the time
ib_umem_release gets called.

Found by Dotan Barak at Mellanox.

Signed-off-by: Eli Cohen <eli@mellanox.co.il>
Signed-off-by: Roland Dreier <rolandd@cisco.com>

drivers/infiniband/core/umem.c

diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c
index f32ca5f..6009234 100644
--- a/drivers/infiniband/core/umem.c
+++ b/drivers/infiniband/core/umem.c
@@ -209,8 +209,10 @@
 	__ib_umem_release(umem->context->device, umem, 1);
 
 	mm = get_task_mm(current);
-	if (!mm)
+	if (!mm) {
+		kfree(umem);
 		return;
+	}
 
 	diff = PAGE_ALIGN(umem->length + umem->offset) >> PAGE_SHIFT;