eventpoll: use-after-possible-free in epoll_create1()

As soon as we'd installed the file into descriptor table, it can get closed by another thread. Freeing ep in process... Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

eventpoll: use-after-possible-free in epoll_create1()
As soon as we'd installed the file into descriptor table, it can get closed by another thread. Freeing ep in process... Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro
1 parent 31605debdf
Showing 1 changed file with 1 additions and 1 deletions Side-by-side Diff
fs/eventpoll.c
@@ -1654,8 +1654,8 @@
 		error = PTR_ERR(file);
 		goto out_free_fd;
 	}
-	fd_install(fd, file);
 	ep->file = file;
+	fd_install(fd, file);
 	return fd;
  
 out_free_fd:
...	...	@@ -1654,8 +1654,8 @@
1654	1654	error = PTR_ERR(file);
1655	1655	goto out_free_fd;
1656	1656	}
1657		- fd_install(fd, file);
1658	1657	ep->file = file;
	1658	+ fd_install(fd, file);
1659	1659	return fd;
1660	1660
1661	1661	out_free_fd: