bsdacct: use del_timer_sync() in acct_exit_ns()
Vitaliy Gusev [Tue, 11 May 2010 21:06:56 +0000 (14:06 -0700)]
acct_exit_ns --> acct_file_reopen deletes the timer without checking whether
the timer is executing on other CPUs.  So acct_timeout() can modify unmapped memory.

Signed-off-by: Vitaliy Gusev <vgusev@openvz.org>
Cc: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

kernel/acct.c

index 24f8c81..e4c0e1f 100644 (file)
@@ -353,17 +353,18 @@ restart:
 
 void acct_exit_ns(struct pid_namespace *ns)
 {
-       struct bsd_acct_struct *acct;
+       struct bsd_acct_struct *acct = ns->bacct;
 
-       spin_lock(&acct_lock);
-       acct = ns->bacct;
-       if (acct != NULL) {
-               if (acct->file != NULL)
-                       acct_file_reopen(acct, NULL, NULL);
+       if (acct == NULL)
+               return;
 
-               kfree(acct);
-       }
+       del_timer_sync(&acct->timer);
+       spin_lock(&acct_lock);
+       if (acct->file != NULL)
+               acct_file_reopen(acct, NULL, NULL);
        spin_unlock(&acct_lock);
+
+       kfree(acct);
 }
 
 /*
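Review bot: `ns->bacct` is now read in the declaration, outside `acct_lock`, and `del_timer_sync(&acct->timer)` runs before the lock is taken, so the new code relies on nothing else reading or re-arming this namespace's accounting state during teardown; nothing in the hunk states that assumption. If it holds, a comment above the `del_timer_sync()` call would make it checkable, for example `/* ns is being torn down: wait for a running acct_timeout() to finish before kfree(); confirm nothing can re-arm the timer after this point */`. Separately, `ns->bacct` still points at the freed object after `kfree(acct)`, as it did before this change. If any path can still reach the namespace afterwards, setting `ns->bacct = NULL;` while `acct_lock` is held would turn a potential use-after-free into a NULL check.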