diff options
author | Li Zefan <lizefan@huawei.com> | 2013-04-26 11:58:02 -0700 |
---|---|---|
committer | Tejun Heo <tj@kernel.org> | 2013-04-26 11:58:02 -0700 |
commit | cc20e01cd607282d48f8ea538aba10fa850a4312 (patch) | |
tree | 598ff80edab2c3bb3547dcd109e35ed1291f4454 /kernel/cpuset.c | |
parent | 712317ad97f41e738e1a19aa0a6392a78a84094e (diff) | |
download | linux-cc20e01cd607282d48f8ea538aba10fa850a4312.tar.gz linux-cc20e01cd607282d48f8ea538aba10fa850a4312.tar.bz2 linux-cc20e01cd607282d48f8ea538aba10fa850a4312.zip |
cgroup: fix use-after-free when umounting cgroupfs
Try:
# mount -t cgroup xxx /cgroup
# mkdir /cgroup/sub && rmdir /cgroup/sub && umount /cgroup
And you might see this:
ida_remove called for id=1 which is not allocated.
It's because cgroup_kill_sb() is called to destroy root->cgroup_ida
and free cgrp->root before ida_simple_removed() is called. What's
worse is we're accessing cgrp->root while it has been freed.
Signed-off-by: Li Zefan <lizefan@huawei.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Diffstat (limited to 'kernel/cpuset.c')
0 files changed, 0 insertions, 0 deletions