Bug 14636
| Summary: | invalid parameter for epoll_ctl will lead application coredump | ||
|---|---|---|---|
| Product: | File System | Reporter: | williamchen (fox144215) |
| Component: | Other | Assignee: | fs_other |
| Status: | RESOLVED INVALID | ||
| Severity: | normal | CC: | adobriyan |
| Priority: | P1 | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Kernel Version: | 2.6.16.6 | Subsystem: | |
| Regression: | No | Bisected commit-id: | |
you have an oops, or this is an observation? max_fds and fd are unsigned int oh, it's my fault. i have omitted max_fds and fd are unsigned int but this happend once in 64-bit operating system and i checked the fd to avoid my application crashed |
when user use system call epoll_ctl to insertion/removal/change file descriptor into epoll, like this: epoll_ctl(int epfd, int op, int fd=-1, struct epoll_event __user *event); this operate will lead application crash, the following function will lead to this problem when fd is -1: static inline struct file * fcheck_files(struct files_struct *files, unsigned int fd) { struct file * file = NULL; struct fdtable *fdt = files_fdtable(files); if (fd < fdt->max_fds) file = rcu_dereference(fdt->fd[fd]); /*here fd is -1*/ return file; }