Commit 98022748 authored by Al Viro

eventpoll: use-after-possible-free in epoll_create1()

As soon as we'd installed the file into descriptor table, it can
get closed by another thread.  Freeing ep in process...
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
parent 31605deb
...@@ -1654,8 +1654,8 @@ SYSCALL_DEFINE1(epoll_create1, int, flags) ...@@ -1654,8 +1654,8 @@ SYSCALL_DEFINE1(epoll_create1, int, flags)
error = PTR_ERR(file); error = PTR_ERR(file);
goto out_free_fd; goto out_free_fd;
} }
fd_install(fd, file);
ep->file = file; ep->file = file;
fd_install(fd, file);
return fd; return fd;
out_free_fd: out_free_fd:
......
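Review bot: At the end of the success path in epoll_create1(), the new order (`ep->file = file;` followed by `fd_install(fd, file);`) is only correct while nothing touches `ep` after `fd_install()`, and the code has no comment saying so. Per the commit message, another thread can close the descriptor as soon as it is installed and free `ep` in the process, so a short comment above `fd_install(fd, file);` stating that it must come after the last access to `ep` would keep a later change from adding a store after it again.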