IB/core: Free umem when mm is already gone

Free umem when task's mm is already destroyed by the time
ib_umem_release gets called.

Found by Dotan Barak at Mellanox.

Signed-off-by: Eli Cohen <eli@mellanox.co.il>
Signed-off-by: Roland Dreier <rolandd@cisco.com>

diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c
index f32ca5f..6009234 100644 (file)
--- a/drivers/infiniband/core/umem.c
+++ b/drivers/infiniband/core/umem.c
@@ -209,8 +209,10 @@ void ib_umem_release(struct ib_umem *umem)
        __ib_umem_release(umem->context->device, umem, 1);
 
        mm = get_task_mm(current);
-       if (!mm)
+       if (!mm) {
+               kfree(umem);
                return;
+       }
 
        diff = PAGE_ALIGN(umem->length + umem->offset) >> PAGE_SHIFT;