In function cpuacct_charge(), the NULL pointer dereference happens
with the stack pointer being zero inside the task_struct when the
task_cpu() is trying to access the member cpu of the struct
thread_info inside the stack. It's a use-after-free corruption
happening in the situation that the task_struct is released almost
concurrently before accessing the task_struct->stack.