1 files changed, 4 insertions, 10 deletions

diff --git a/kernel/ns_cgroup.c b/kernel/ns_cgroup.c
index 78bc3fdac0d2..5aa854f9e5ae 100644
--- a/kernel/ns_cgroup.c
+++ b/kernel/ns_cgroup.c
@@ -34,7 +34,7 @@ int ns_cgroup_clone(struct task_struct *task, struct pid *pid)
 
 /*
  * Rules:
- *   1. you can only enter a cgroup which is a child of your current
+ *   1. you can only enter a cgroup which is a descendant of your current
  *     cgroup
  *   2. you can only place another process into a cgroup if
  *     a. you have CAP_SYS_ADMIN
@@ -45,21 +45,15 @@ int ns_cgroup_clone(struct task_struct *task, struct pid *pid)
 static int ns_can_attach(struct cgroup_subsys *ss,
                 struct cgroup *new_cgroup, struct task_struct *task)
 {
-        struct cgroup *orig;
-
         if (current != task) {
                 if (!capable(CAP_SYS_ADMIN))
                         return -EPERM;
 
-                if (!cgroup_is_descendant(new_cgroup))
+                if (!cgroup_is_descendant(new_cgroup, current))
                         return -EPERM;
         }
 
-        if (atomic_read(&new_cgroup->count) != 0)
-                return -EPERM;
-
-        orig = task_cgroup(task, ns_subsys_id);
-        if (orig && orig != new_cgroup->parent)
+        if (!cgroup_is_descendant(new_cgroup, task))
                 return -EPERM;
 
         return 0;
@@ -77,7 +71,7 @@ static struct cgroup_subsys_state *ns_create(struct cgroup_subsys *ss,
 
         if (!capable(CAP_SYS_ADMIN))
                 return ERR_PTR(-EPERM);
-        if (!cgroup_is_descendant(cgroup))
+        if (!cgroup_is_descendant(cgroup, current))
                 return ERR_PTR(-EPERM);
 
         ns_cgroup = kzalloc(sizeof(*ns_cgroup), GFP_KERNEL);