Use after free from pid_nr_ns()

	PIDTYPE_PID,

	PIDTYPE_PGID,

	PIDTYPE_SID,

	PIDTYPE_MAX

	PIDTYPE_MAX,

	/* only valid to __task_pid_nr_ns() */

	__PIDTYPE_TGID

};

/*

	return tsk->tgid;

}

pid_t task_tgid_nr_ns(struct task_struct *tsk, struct pid_namespace *ns);

static inline pid_t task_tgid_vnr(struct task_struct *tsk)

{

	return pid_vnr(task_tgid(tsk));

}

static inline int pid_alive(const struct task_struct *p);

static inline pid_t task_tgid_nr_ns(struct task_struct *tsk, struct pid_namespace *ns);

static inline pid_t task_ppid_nr_ns(const struct task_struct *tsk, struct pid_namespace *ns)

{

	pid_t pid = 0;

	return __task_pid_nr_ns(tsk, PIDTYPE_SID, NULL);

}

static inline pid_t task_tgid_nr_ns(struct task_struct *tsk, struct pid_namespace *ns)

{

	return __task_pid_nr_ns(tsk, __PIDTYPE_TGID, ns);

}

static inline pid_t task_tgid_vnr(struct task_struct *tsk)

{

	return __task_pid_nr_ns(tsk, __PIDTYPE_TGID, NULL);

}

/* obsolete, do not use */

static inline pid_t task_pgrp_nr(struct task_struct *tsk)

{

	if (!ns)

		ns = task_active_pid_ns(current);

	if (likely(pid_alive(task))) {

		if (type != PIDTYPE_PID)

		if (type != PIDTYPE_PID) {

			if (type == __PIDTYPE_TGID)

				type = PIDTYPE_PID;

			task = task->group_leader;

		}

		nr = pid_nr_ns(rcu_dereference(task->pids[type].pid), ns);

	}

	rcu_read_unlock();

}

EXPORT_SYMBOL(__task_pid_nr_ns);

pid_t task_tgid_nr_ns(struct task_struct *tsk, struct pid_namespace *ns)

{

	return pid_nr_ns(task_tgid(tsk), ns);

}

EXPORT_SYMBOL(task_tgid_nr_ns);

struct pid_namespace *task_active_pid_ns(struct task_struct *tsk)

{

	return ns_of_pid(task_pid(tsk));