summaryrefslogtreecommitdiffstats
path: root/fs
diff options
context:
space:
mode:
authorAl Viro <viro@zeniv.linux.org.uk>2012-08-18 04:42:36 +0200
committerAl Viro <viro@zeniv.linux.org.uk>2012-08-22 16:26:55 +0200
commit98022748f6c7bce85b9f123fd4d1a621219dd8d9 (patch)
tree475003205a40e79060c072bf4ed6a2cf097ff7ed /fs
parentvfio: grab vfio_device reference *before* exposing the sucker via fd_install() (diff)
downloadlinux-98022748f6c7bce85b9f123fd4d1a621219dd8d9.tar.xz
linux-98022748f6c7bce85b9f123fd4d1a621219dd8d9.zip
eventpoll: use-after-possible-free in epoll_create1()
As soon as we'd installed the file into descriptor table, it can get closed by another thread. Freeing ep in process... Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'fs')
-rw-r--r--fs/eventpoll.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/eventpoll.c b/fs/eventpoll.c
index 1c8b55670804..eedec84c1809 100644
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -1654,8 +1654,8 @@ SYSCALL_DEFINE1(epoll_create1, int, flags)
error = PTR_ERR(file);
goto out_free_fd;
}
- fd_install(fd, file);
ep->file = file;
+ fd_install(fd, file);
return fd;
out_free_fd: