summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAl Viro <viro@zeniv.linux.org.uk>2012-08-17 22:42:36 -0400
committerAl Viro <viro@zeniv.linux.org.uk>2012-08-22 10:26:55 -0400
commit98022748f6c7bce85b9f123fd4d1a621219dd8d9 (patch)
tree475003205a40e79060c072bf4ed6a2cf097ff7ed
parent31605debdf5459cc8aacabf192a911a803a81c26 (diff)
downloadlinux-3.10-98022748f6c7bce85b9f123fd4d1a621219dd8d9.tar.gz
linux-3.10-98022748f6c7bce85b9f123fd4d1a621219dd8d9.tar.bz2
linux-3.10-98022748f6c7bce85b9f123fd4d1a621219dd8d9.zip
eventpoll: use-after-possible-free in epoll_create1()
As soon as we'd installed the file into descriptor table, it can get closed by another thread. Freeing ep in process... Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-rw-r--r--fs/eventpoll.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/eventpoll.c b/fs/eventpoll.c
index 1c8b5567080..eedec84c180 100644
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -1654,8 +1654,8 @@ SYSCALL_DEFINE1(epoll_create1, int, flags)
error = PTR_ERR(file);
goto out_free_fd;
}
- fd_install(fd, file);
ep->file = file;
+ fd_install(fd, file);
return fd;
out_free_fd: