diff options
author | Al Viro <viro@zeniv.linux.org.uk> | 2012-08-18 04:42:36 +0200 |
---|---|---|
committer | Al Viro <viro@zeniv.linux.org.uk> | 2012-08-22 16:26:55 +0200 |
commit | 98022748f6c7bce85b9f123fd4d1a621219dd8d9 (patch) | |
tree | 475003205a40e79060c072bf4ed6a2cf097ff7ed /fs/eventpoll.c | |
parent | vfio: grab vfio_device reference *before* exposing the sucker via fd_install() (diff) | |
download | linux-98022748f6c7bce85b9f123fd4d1a621219dd8d9.tar.xz linux-98022748f6c7bce85b9f123fd4d1a621219dd8d9.zip |
eventpoll: use-after-possible-free in epoll_create1()
As soon as we'd installed the file into descriptor table, it can
get closed by another thread. Freeing ep in process...
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to '')
-rw-r--r-- | fs/eventpoll.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/eventpoll.c b/fs/eventpoll.c index 1c8b55670804..eedec84c1809 100644 --- a/fs/eventpoll.c +++ b/fs/eventpoll.c @@ -1654,8 +1654,8 @@ SYSCALL_DEFINE1(epoll_create1, int, flags) error = PTR_ERR(file); goto out_free_fd; } - fd_install(fd, file); ep->file = file; + fd_install(fd, file); return fd; out_free_fd: |