[openib-general] Kernel oops: NULL ptr dereference in ib_umem_get

Roland Dreier roland at topspin.com
Fri Apr 15 15:25:10 PDT 2005


    ardavis> With a little stress, I see the following oops (running
    ardavis> latest from the trunk). Let me know if you need any more
    ardavis> information.

Can you try this patch and let me know if it helps at all?

Thanks,
  Roland

--- infiniband/core/uverbs_mem.c	(revision 2156)
+++ infiniband/core/uverbs_mem.c	(working copy)
@@ -60,16 +60,16 @@ static void __ib_umem_unmark(struct ib_u
 	unsigned long cur_base;
 
 	vma = find_vma(mm, umem->user_base);
+	cur_base = umem->user_base;
 
-	for (cur_base = umem->user_base;
-	     cur_base < umem->user_base + umem->length;
-	     cur_base = vma->vm_end) {
-		if (!vma || vma->vm_start > umem->user_base + umem->length)
+	while (cur_base < umem->user_base + umem->length && vma &&
+	       vma->vm_start < umem->user_base + umem->length) {
 			break;
 
 		if (!(vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_MAYWRITE))
 			vma->vm_flags &= ~VM_DONTCOPY;
 
+		cur_base = vma->vm_end;
 		vma = vma->vm_next;
 	}
 }
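Review bot: The new while loop in __ib_umem_unmark is dead after its first statement: the removed `if` line took its body with it, but the context line `break;` survives as the first statement of the loop, so the body exits on the first iteration and `vma->vm_flags &= ~VM_DONTCOPY` is never reached. As posted, the unmark path becomes a no-op and VM_DONTCOPY stays set on the region's VMAs after the memory is released; the fix is to delete the stray `break;` line, since the `vma &&` and `vma->vm_start < umem->user_base + umem->length` terms of the loop condition already cover the case the old `if` handled. The function's signature and the declaration of `vma` are outside the hunk.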
@@ -102,10 +102,9 @@ int ib_umem_get(struct ib_device *dev, s
 	down_write(&current->mm->mmap_sem);
 
 	vma = find_vma(current->mm, mem->user_base);
+	cur_base = mem->user_base;
 
-	for (cur_base = mem->user_base;
-	     cur_base < mem->user_base + size;
-	     cur_base = vma->vm_end) {
+	while (cur_base < mem->user_base + size) {
 		if (!vma || vma->vm_start > cur_base) {
 			ret = -ENOMEM;
 			goto out;
@@ -114,6 +113,7 @@ int ib_umem_get(struct ib_device *dev, s
 		if (!(vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_MAYWRITE))
 			vma->vm_flags |= VM_DONTCOPY;
 
+		cur_base = vma->vm_end;
 		vma = vma->vm_next;
 	}
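Review bot: When the gap check `if (!vma || vma->vm_start > cur_base)` fires part-way through the range, the VMAs visited in earlier iterations have already had VM_DONTCOPY set and the `goto out` leaves them that way unless the `out` path undoes it; the `out` label and the rest of ib_umem_get are outside this hunk, so that cannot be confirmed here. If the failure path does not already unmark, it should walk the same range and clear the flag (presumably via the existing __ib_umem_unmark helper) before returning `-ENOMEM`, otherwise a failed registration leaves the caller's mappings permanently excluded from fork(). The bound `mem->user_base + size` is also computed without an overflow check; if the caller does not validate the user-supplied base and size, a wrapped sum makes the loop exit immediately with no error. The enclosing function starts and ends outside the hunk.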
 


