Hello Miklos Szeredi,

The patch 514b5e3ff45e: "fuse: get rid of fuse_mount refcount" from
Nov 11, 2020, leads to the following static checker warning:

	fs/fuse/virtio_fs.c:1451 virtio_fs_get_tree()
	error: double free of 'fm'

fs/fuse/virtio_fs.c
  1418          if (!fs) {
  1419                  pr_info("virtio-fs: tag <%s> not found\n", fsc->source);
  1420                  return -EINVAL;
  1421          }
  1422
  1423          err = -ENOMEM;
  1424          fc = kzalloc(sizeof(struct fuse_conn), GFP_KERNEL);
  1425          if (!fc)
  1426                  goto out_err;
  1427
  1428          fm = kzalloc(sizeof(struct fuse_mount), GFP_KERNEL);
  1429          if (!fm)
  1430                  goto out_err;
  1431
  1432          fuse_conn_init(fc, fm, get_user_ns(current_user_ns()),
  1433                         &virtio_fs_fiq_ops, fs);
  1434          fc->release = fuse_free_conn;
  1435          fc->delete_stale = true;
  1436          fc->auto_submounts = true;
  1437
  1438          fsc->s_fs_info = fm;
  1439          sb = sget_fc(fsc, virtio_fs_test_super, set_anon_super_fc);
  1440          if (fsc->s_fs_info) {
  1441                  fuse_conn_put(fc);
  1442                  kfree(fm);
                        ^^^^^^^^^ Freed here

  1443          }
  1444          if (IS_ERR(sb))
  1445                  return PTR_ERR(sb);
  1446
  1447          if (!sb->s_root) {
  1448                  err = virtio_fs_fill_super(sb, fsc);
  1449                  if (err) {
  1450                          fuse_conn_put(fc);
  1451                          kfree(fm);
                                ^^^^^^^^^ Double free

  1452                          sb->s_fs_info = NULL;

I'm sort of surprised this is setting "sb->" instead of "fsc->".

  1453                          deactivate_locked_super(sb);
  1454                          return err;
  1455                  }
  1456
  1457                  sb->s_flags |= SB_ACTIVE;
  1458          }

regards,
dan carpenter