提交 98022748 编写于 作者: A Al Viro

eventpoll: use-after-possible-free in epoll_create1()

As soon as we'd installed the file into descriptor table, it can
get closed by another thread.  Freeing ep in process...
Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
上级 31605deb
...@@ -1654,8 +1654,8 @@ SYSCALL_DEFINE1(epoll_create1, int, flags) ...@@ -1654,8 +1654,8 @@ SYSCALL_DEFINE1(epoll_create1, int, flags)
error = PTR_ERR(file); error = PTR_ERR(file);
goto out_free_fd; goto out_free_fd;
} }
fd_install(fd, file);
ep->file = file; ep->file = file;
fd_install(fd, file);
return fd; return fd;
out_free_fd: out_free_fd:
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册