eventpoll: use-after-possible-free in epoll_create1()
author Al Viro <viro@zeniv.linux.org.uk>
Sat, 18 Aug 2012 02:42:36 +0000 (22:42 -0400)
committer Al Viro <viro@zeniv.linux.org.uk>
Wed, 22 Aug 2012 14:26:55 +0000 (10:26 -0400)
As soon as we'd installed the file into descriptor table, it can
get closed by another thread.  Freeing ep in process...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
fs/eventpoll.c

index 1c8b55670804c20e88a10a48668f574d54f58205..eedec84c1809173eb4c627815ad70122de66eeb3 100644 (file)
@@ -1654,8 +1654,8 @@ SYSCALL_DEFINE1(epoll_create1, int, flags)
                error = PTR_ERR(file);
                goto out_free_fd;
        }
-       fd_install(fd, file);
        ep->file = file;
+       fd_install(fd, file);
        return fd;
 
 out_free_fd:
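Review bot: The ordering of the two statements before "return fd" is now load-bearing but nothing in the code says so. A later cleanup could move the "ep->file = file" store, or add another ep dereference, back below fd_install() and reintroduce the use-after-free the commit message describes. Consider a one-line comment directly above "fd_install(fd, file);" stating that once the descriptor is installed another thread may close it and free ep, so ep must not be touched past that point. The "return fd" that follows is fine as it stands, since it only uses the local integer.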