Commit 98022748 authored Aug 17, 2012 by Al Viro

eventpoll: use-after-possible-free in epoll_create1()



As soon as we'd installed the file into descriptor table, it can
get closed by another thread.  Freeing ep in process...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

parent 31605deb

fs/eventpoll.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -1654,8 +1654,8 @@ SYSCALL_DEFINE1(epoll_create1, int, flags)
		error = PTR_ERR(file);
		goto out_free_fd;
		}
		fd_install(fd, file);
		ep->file = file;
		fd_install(fd, file);
		return fd;

		out_free_fd: