Re: [bug report] dma-buf: call dma_buf_stats_setup after dmabuf is in valid list

On Mon, May 16, 2022 at 09:18:55AM +0200, Christian König wrote:
> > >     557
> > >     558          return dmabuf;
> > >     559
> > >     560  err_sysfs:
> > >     561          /*
> > >     562           * Set file->f_path.dentry->d_fsdata to NULL so that when
> > >     563           * dma_buf_release() gets invoked by dentry_ops, it exits
> > >     564           * early before calling the release() dma_buf op.
> > >     565           */
> > >     566          file->f_path.dentry->d_fsdata = NULL;
> > >     567          fput(file);
> > >     568  err_dmabuf:
> > >     569          kfree(dmabuf);
> > > 
> > > dmabuf is freed, but it's still on the list so it leads to a use after
> > > free.
> > This seems to be a false positive. On closing the file @line no:567, it
> > ends up calling dma_buf_file_release() which does remove dmabuf from its
> > list.
> 
> Yeah, correct as far as I can see. The checker just can't see that the fput
> will clean up the list.

Yep.  Thanks!

I hope that Smatch will be better at parsing the fput() by the end
of the year but right now it doesn't work at all.

regards,
dan carpenter



