]> err.no Git - linux-2.6/commitdiff
RDMA/cxgb3: Don't use mm after it's freed in iwch_mmap()
authorSteve Wise <swise@opengridcomputing.com>
Fri, 2 Mar 2007 22:06:36 +0000 (16:06 -0600)
committerRoland Dreier <rolandd@cisco.com>
Tue, 6 Mar 2007 19:48:17 +0000 (11:48 -0800)
Signed-off-by: Steve Wise <swise@opengridcomputing.com>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
drivers/infiniband/hw/cxgb3/iwch_provider.c

index 9947a144a929551dfd740cab7a31b334e6ecf240..b357c11d148f6f830e3676ffaa672a8ec404ba86 100644 (file)
@@ -331,6 +331,7 @@ static int iwch_mmap(struct ib_ucontext *context, struct vm_area_struct *vma)
        int ret = 0;
        struct iwch_mm_entry *mm;
        struct iwch_ucontext *ucontext;
+       u64 addr;
 
        PDBG("%s pgoff 0x%lx key 0x%x len %d\n", __FUNCTION__, vma->vm_pgoff,
             key, len);
@@ -345,10 +346,11 @@ static int iwch_mmap(struct ib_ucontext *context, struct vm_area_struct *vma)
        mm = remove_mmap(ucontext, key, len);
        if (!mm)
                return -EINVAL;
+       addr = mm->addr;
        kfree(mm);
 
-       if ((mm->addr >= rdev_p->rnic_info.udbell_physbase) &&
-           (mm->addr < (rdev_p->rnic_info.udbell_physbase +
+       if ((addr >= rdev_p->rnic_info.udbell_physbase) &&
+           (addr < (rdev_p->rnic_info.udbell_physbase +
                       rdev_p->rnic_info.udbell_len))) {
 
                /*
@@ -362,7 +364,7 @@ static int iwch_mmap(struct ib_ucontext *context, struct vm_area_struct *vma)
                vma->vm_flags |= VM_DONTCOPY | VM_DONTEXPAND;
                vma->vm_flags &= ~VM_MAYREAD;
                ret = io_remap_pfn_range(vma, vma->vm_start,
-                                        mm->addr >> PAGE_SHIFT,
+                                        addr >> PAGE_SHIFT,
                                         len, vma->vm_page_prot);
        } else {
 
@@ -370,7 +372,7 @@ static int iwch_mmap(struct ib_ucontext *context, struct vm_area_struct *vma)
                 * Map WQ or CQ contig dma memory...
                 */
                ret = remap_pfn_range(vma, vma->vm_start,
-                                     mm->addr >> PAGE_SHIFT,
+                                     addr >> PAGE_SHIFT,
                                      len, vma->vm_page_prot);
        }