eventpoll: use-after-possible-free in epoll_create1()
Al Viro [Sat, 18 Aug 2012 02:42:36 +0000 (22:42 -0400)]
As soon as we'd installed the file into descriptor table, it can
get closed by another thread.  Freeing ep in process...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

fs/eventpoll.c

index 1c8b556..eedec84 100644 (file)
@@ -1654,8 +1654,8 @@ SYSCALL_DEFINE1(epoll_create1, int, flags)
                error = PTR_ERR(file);
                goto out_free_fd;
        }
-       fd_install(fd, file);
        ep->file = file;
+       fd_install(fd, file);
        return fd;
 
 out_free_fd:
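Review bot: the ordering constraint at the moved `fd_install(fd, file);` line is not documented in the code, so a later edit could again place a write to `ep` after the descriptor is published. Suggest a short comment directly above it saying that once fd_install() has run, another thread can close the fd and free ep, so nothing may dereference ep past that point. The `return fd;` that follows is fine because it uses only the local `fd`.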