2 files changed, 7 insertions, 6 deletions

diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index a0123d75ec9a..8c6e1c17e6d3 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -2735,6 +2735,8 @@ void cgroup_fork_callbacks(struct task_struct *child)
  * Called on every change to mm->owner. mm_init_owner() does not
  * invoke this routine, since it assigns the mm->owner the first time
  * and does not change it.
+ *
+ * The callbacks are invoked with mmap_sem held in read mode.
  */
 void cgroup_mm_owner_callbacks(struct task_struct *old, struct task_struct *new)
 {
@@ -2750,7 +2752,7 @@ void cgroup_mm_owner_callbacks(struct task_struct *old, struct task_struct *new)
                         if (oldcgrp == newcgrp)
                                 continue;
                         if (ss->mm_owner_changed)
-                                ss->mm_owner_changed(ss, oldcgrp, newcgrp);
+                                ss->mm_owner_changed(ss, oldcgrp, newcgrp, new);
                 }
         }
 }
diff --git a/kernel/exit.c b/kernel/exit.c
index 85a83c831856..0ef4673e351b 100644
--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -640,24 +640,23 @@ retry:
 assign_new_owner:
         BUG_ON(c == p);
         get_task_struct(c);
+        read_unlock(&tasklist_lock);
+        down_write(&mm->mmap_sem);
         /*
          * The task_lock protects c->mm from changing.
          * We always want mm->owner->mm == mm
          */
         task_lock(c);
-        /*
-         * Delay read_unlock() till we have the task_lock()
-         * to ensure that c does not slip away underneath us
-         */
-        read_unlock(&tasklist_lock);
         if (c->mm != mm) {
                 task_unlock(c);
+                up_write(&mm->mmap_sem);
                 put_task_struct(c);
                 goto retry;
         }
         cgroup_mm_owner_callbacks(mm->owner, c);
         mm->owner = c;
         task_unlock(c);
+        up_write(&mm->mmap_sem);
         put_task_struct(c);
 }
 #endif /* CONFIG_MM_OWNER */