4 files changed, 50 insertions, 21 deletions

diff --git a/kernel/acct.c b/kernel/acct.c
index 24f8c81fc48d..e4c0e1fee9b0 100644
--- a/kernel/acct.c
+++ b/kernel/acct.c
@@ -353,17 +353,18 @@ restart:
 
 void acct_exit_ns(struct pid_namespace *ns)
 {
-        struct bsd_acct_struct *acct;
+        struct bsd_acct_struct *acct = ns->bacct;
 
-        spin_lock(&acct_lock);
-        acct = ns->bacct;
-        if (acct != NULL) {
-                if (acct->file != NULL)
-                        acct_file_reopen(acct, NULL, NULL);
+        if (acct == NULL)
+                return;
 
-                kfree(acct);
-        }
+        del_timer_sync(&acct->timer);
+        spin_lock(&acct_lock);
+        if (acct->file != NULL)
+                acct_file_reopen(acct, NULL, NULL);
         spin_unlock(&acct_lock);
+
+        kfree(acct);
 }
 
 /*
diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index 3a53c771e503..6d870f2d1228 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -4435,7 +4435,15 @@ __setup("cgroup_disable=", cgroup_disable);
  */
 unsigned short css_id(struct cgroup_subsys_state *css)
 {
-        struct css_id *cssid = rcu_dereference(css->id);
+        struct css_id *cssid;
+
+        /*
+         * This css_id() can return correct value when somone has refcnt
+         * on this or this is under rcu_read_lock(). Once css->id is allocated,
+         * it's unchanged until freed.
+         */
+        cssid = rcu_dereference_check(css->id,
+                        rcu_read_lock_held() || atomic_read(&css->refcnt));
 
         if (cssid)
                 return cssid->id;
@@ -4445,7 +4453,10 @@ EXPORT_SYMBOL_GPL(css_id);
 
 unsigned short css_depth(struct cgroup_subsys_state *css)
 {
-        struct css_id *cssid = rcu_dereference(css->id);
+        struct css_id *cssid;
+
+        cssid = rcu_dereference_check(css->id,
+                        rcu_read_lock_held() || atomic_read(&css->refcnt));
 
         if (cssid)
                 return cssid->depth;
@@ -4453,15 +4464,36 @@ unsigned short css_depth(struct cgroup_subsys_state *css)
 }
 EXPORT_SYMBOL_GPL(css_depth);
 
+/**
+ *  css_is_ancestor - test "root" css is an ancestor of "child"
+ * @child: the css to be tested.
+ * @root: the css supporsed to be an ancestor of the child.
+ *
+ * Returns true if "root" is an ancestor of "child" in its hierarchy. Because
+ * this function reads css->id, this use rcu_dereference() and rcu_read_lock().
+ * But, considering usual usage, the csses should be valid objects after test.
+ * Assuming that the caller will do some action to the child if this returns
+ * returns true, the caller must take "child";s reference count.
+ * If "child" is valid object and this returns true, "root" is valid, too.
+ */
+
 bool css_is_ancestor(struct cgroup_subsys_state *child,
                     const struct cgroup_subsys_state *root)
 {
-        struct css_id *child_id = rcu_dereference(child->id);
-        struct css_id *root_id = rcu_dereference(root->id);
+        struct css_id *child_id;
+        struct css_id *root_id;
+        bool ret = true;
 
-        if (!child_id || !root_id || (child_id->depth < root_id->depth))
-                return false;
-        return child_id->stack[root_id->depth] == root_id->id;
+        rcu_read_lock();
+        child_id  = rcu_dereference(child->id);
+        root_id = rcu_dereference(root->id);
+        if (!child_id
+            || !root_id
+            || (child_id->depth < root_id->depth)
+            || (child_id->stack[root_id->depth] != root_id->id))
+                ret = false;
+        rcu_read_unlock();
+        return ret;
 }
 
 static void __free_css_id_cb(struct rcu_head *head)
diff --git a/kernel/fork.c b/kernel/fork.c
index 44b0791b0a2e..4c14942a0ee3 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -1114,8 +1114,6 @@ static struct task_struct *copy_process(unsigned long clone_flags,
 
         p->bts = NULL;
 
-        p->stack_start = stack_start;
-
         /* Perform scheduler related setup. Assign this task to a CPU. */
         sched_fork(p, clone_flags);
 
diff --git a/kernel/kexec.c b/kernel/kexec.c
index 87ebe8adc474..474a84715eac 100644
--- a/kernel/kexec.c
+++ b/kernel/kexec.c
@@ -1134,11 +1134,9 @@ int crash_shrink_memory(unsigned long new_size)
 
         free_reserved_phys_range(end, crashk_res.end);
 
-        if (start == end) {
-                crashk_res.end = end;
+        if (start == end)
                 release_resource(&crashk_res);
-        } else
-                crashk_res.end = end - 1;
+        crashk_res.end = end - 1;
 
 unlock:
         mutex_unlock(&kexec_mutex);