diff options
| author | Al Viro <viro@zeniv.linux.org.uk> | 2012-08-17 22:42:36 -0400 |
|---|---|---|
| committer | Al Viro <viro@zeniv.linux.org.uk> | 2012-08-22 10:26:55 -0400 |
| commit | 98022748f6c7bce85b9f123fd4d1a621219dd8d9 (patch) | |
| tree | 475003205a40e79060c072bf4ed6a2cf097ff7ed /fs/eventpoll.c | |
| parent | 31605debdf5459cc8aacabf192a911a803a81c26 (diff) | |
eventpoll: use-after-possible-free in epoll_create1()
As soon as we'd installed the file into descriptor table, it can
get closed by another thread. Freeing ep in process...
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'fs/eventpoll.c')
| -rw-r--r-- | fs/eventpoll.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/eventpoll.c b/fs/eventpoll.c index 1c8b55670804..eedec84c1809 100644 --- a/fs/eventpoll.c +++ b/fs/eventpoll.c | |||
| @@ -1654,8 +1654,8 @@ SYSCALL_DEFINE1(epoll_create1, int, flags) | |||
| 1654 | error = PTR_ERR(file); | 1654 | error = PTR_ERR(file); |
| 1655 | goto out_free_fd; | 1655 | goto out_free_fd; |
| 1656 | } | 1656 | } |
| 1657 | fd_install(fd, file); | ||
| 1658 | ep->file = file; | 1657 | ep->file = file; |
| 1658 | fd_install(fd, file); | ||
| 1659 | return fd; | 1659 | return fd; |
| 1660 | 1660 | ||
| 1661 | out_free_fd: | 1661 | out_free_fd: |