Re: [PATCH] cgroup: fix use-after-free when umounting cgroupfs

From: Tejun Heo
Date: Fri Apr 26 2013 - 14:59:32 EST

On Fri, Apr 26, 2013 at 10:54:11AM +0800, Li Zefan wrote:
> Try:
> # mount -t cgroup xxx /cgroup
> # mkdir /cgroup/sub && rmdir /cgroup/sub && umount /cgroup
> And you might see this:
> ida_remove called for id=1 which is not allocated.
> It's because cgroup_kill_sb() is called to destroy root->cgroup_ida
> and free cgrp->root before ida_simple_removed() is called. What's
> worse is we're accessing cgrp->root while it has been freed.
> Signed-off-by: Li Zefan <lizefan@xxxxxxxxxx>

Applied to cgroup/for-3.10.

