From: Li Zefan <lizefan@huawei.com>
Date: Fri, 26 Apr 2013 18:58:02 +0000 (-0700)
Subject: cgroup: fix use-after-free when umounting cgroupfs
X-Git-Tag: omap-for-v3.10/dt-fixes-for-merge-window~124^2~4
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cc20e01cd607282d48f8ea538aba10fa850a4312;p=pandora-kernel.git

cgroup: fix use-after-free when umounting cgroupfs

Try:
  # mount -t cgroup xxx /cgroup
  # mkdir /cgroup/sub && rmdir /cgroup/sub && umount /cgroup

And you might see this:

ida_remove called for id=1 which is not allocated.

It's because cgroup_kill_sb() is called to destroy root->cgroup_ida
and free cgrp->root before ida_simple_removed() is called. What's
worse is we're accessing cgrp->root while it has been freed.

Signed-off-by: Li Zefan <lizefan@huawei.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
---

Reading git-diff-tree failed