RDMA/cxgb3: Don't use mm after it's freed in iwch_mmap()
Signed-off-by: Steve Wise <swise@opengridcomputing.com>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
diff --git a/drivers/infiniband/hw/cxgb3/iwch_provider.c b/drivers/infiniband/hw/cxgb3/iwch_provider.c
index 9947a14..b357c11 100644
--- a/drivers/infiniband/hw/cxgb3/iwch_provider.c
+++ b/drivers/infiniband/hw/cxgb3/iwch_provider.c
@@ -331,6 +331,7 @@
int ret = 0;
struct iwch_mm_entry *mm;
struct iwch_ucontext *ucontext;
+ u64 addr;
PDBG("%s pgoff 0x%lx key 0x%x len %d\n", __FUNCTION__, vma->vm_pgoff,
key, len);
@@ -345,10 +346,11 @@
mm = remove_mmap(ucontext, key, len);
if (!mm)
return -EINVAL;
+ addr = mm->addr;
kfree(mm);
- if ((mm->addr >= rdev_p->rnic_info.udbell_physbase) &&
- (mm->addr < (rdev_p->rnic_info.udbell_physbase +
+ if ((addr >= rdev_p->rnic_info.udbell_physbase) &&
+ (addr < (rdev_p->rnic_info.udbell_physbase +
rdev_p->rnic_info.udbell_len))) {
/*
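Review bot: Nothing at the `addr = mm->addr;` line says why the value is copied, and `mm` stays in scope as a dangling pointer after `kfree(mm)`, so a later edit could reintroduce a read through freed memory. I would add a comment above the copy such as `/* mm is freed just below; use the saved addr from here on */`. The `io_remap_pfn_range()` and `remap_pfn_range()` hunks make the same substitution and depend on this copy. The new local is declared `u64` in the first hunk, but the type of `mm->addr` is not visible here, so confirm the two match and the copy cannot truncate. The function body starts before this hunk and continues past it.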
@@ -362,7 +364,7 @@
vma->vm_flags |= VM_DONTCOPY | VM_DONTEXPAND;
vma->vm_flags &= ~VM_MAYREAD;
ret = io_remap_pfn_range(vma, vma->vm_start,
- mm->addr >> PAGE_SHIFT,
+ addr >> PAGE_SHIFT,
len, vma->vm_page_prot);
} else {
@@ -370,7 +372,7 @@
* Map WQ or CQ contig dma memory...
*/
ret = remap_pfn_range(vma, vma->vm_start,
- mm->addr >> PAGE_SHIFT,
+ addr >> PAGE_SHIFT,
len, vma->vm_page_prot);
}