From: Al Viro Date: Sat, 18 Aug 2012 02:42:36 +0000 (-0400) Subject: eventpoll: use-after-possible-free in epoll_create1() X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=98022748f6c7bce85b9f123fd4d1a621219dd8d9;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git eventpoll: use-after-possible-free in epoll_create1() As soon as we'd installed the file into descriptor table, it can get closed by another thread. Freeing ep in process... Signed-off-by: Al Viro --- diff --git a/fs/eventpoll.c b/fs/eventpoll.c index 1c8b55670804..eedec84c1809 100644 --- a/fs/eventpoll.c +++ b/fs/eventpoll.c @@ -1654,8 +1654,8 @@ SYSCALL_DEFINE1(epoll_create1, int, flags) error = PTR_ERR(file); goto out_free_fd; } - fd_install(fd, file); ep->file = file; + fd_install(fd, file); return fd; out_free_fd: