Commit 67e055d144c5b2acdc1c63811fde031263bf92c5

Authored by Li Zefan
Committed by Linus Torvalds
1 parent 1cf6e7d83b

cgroups: fix possible use after free

In cgroup_kill_sb(), root is freed before sb is detached from the list, so
another sget() may find this sb and call cgroup_test_super(), which will
access the root that has been freed.

Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>
Acked-by: Paul Menage <menage@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Showing 1 changed file with 1 additions and 1 deletions

... ... @@ -1122,8 +1122,8 @@
1122 1122  
1123 1123 mutex_unlock(&cgroup_mutex);
1124 1124  
1125   - kfree(root);
1126 1125 kill_litter_super(sb);
  1126 + kfree(root);
1127 1127 }
1128 1128  
1129 1129 static struct file_system_type cgroup_fs_type = {
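
Review bot: The reordered pair `kill_litter_super(sb);` then `kfree(root);` now encodes a lifetime rule that nothing in the code states: root must stay valid until sb is off the list that sget() walks, because cgroup_test_super() reads root through any sb it can still find. A short comment above `kfree(root);`, along the lines of "root must outlive sb on the superblock list, cgroup_test_super() dereferences it", would keep a later cleanup from moving the free back above `kill_litter_super(sb);`. Since only the tail of cgroup_kill_sb() is visible here, please also confirm that nothing reached from kill_litter_super() releases or reuses root before the final `kfree(root);`.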