Skip to content

Commit

Permalink
cgroups: fix possible use after free
Browse files Browse the repository at this point in the history 
In cgroup_kill_sb(), root is freed before sb is detached from the list, so
another sget() may find this sb and call cgroup_test_super(), which will
access the root that has been freed.

Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>
Acked-by: Paul Menage <menage@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  • Loading branch information
Li Zefan authored and Linus Torvalds committed Feb 18, 2009
1 parent 1cf6e7d commit 67e055d
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion kernel/cgroup.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1122,8 +1122,8 @@ static void cgroup_kill_sb(struct super_block *sb) {

mutex_unlock(&cgroup_mutex);

kfree(root);
kill_litter_super(sb);
kfree(root);
}

static struct file_system_type cgroup_fs_type = {
Expand Down

0 comments on commit 67e055d

Please sign in to comment.