On Tue, Jul 27, 2021 at 05:14:55PM +0300, Dan Carpenter wrote:
> On Tue, Jul 27, 2021 at 06:01:51PM +0800, Hillf Danton wrote:
> > Along the probe path,
> >
> > em28xx_usb_probe
> >   dev = kzalloc(sizeof(*dev), GFP_KERNEL);
> >   retval = em28xx_init_dev(dev, udev, intf, nr);
> >   em28xx_init_extension(dev);
> >   em28xx_ir_init(struct em28xx *dev)
> >     kref_get(&dev->ref);
> >
> >   kref_init(&dev->ref);
>
> Good detective work.
>
> I've created a Smatch check to try find these.  It uses the fact that
> Smatch creates a bunch of fake assignments to set all the struct members
> of "dev" to zero.  Then it uses the modification hook to find the
> kref_init().  Those are sort of new uses for those hooks so that's quite
> fun.
>
> I'll test it out overnight and see how it works.

My Smatch check didn't find any other bugs, but it only had 3 false
positives so I'll keep running it nightly on new code.

regards,
dan carpenter
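
The ordering problem traced in the thread above, as an added userspace illustration that is not part of the original messages and is not the em28xx driver or its fix. The toy_* names and the plain int counter are assumptions standing in for struct kref; the model shows why a kref_get() that runs before kref_init() on zeroed memory leaves the object one reference short.

```c
#include <stdio.h>
#include <stdlib.h>
/* Toy userspace stand-in for struct kref: plain int, no atomics. */
struct toy_kref { int count; };
struct toy_dev  { struct toy_kref ref; int released; };

static void toy_kref_init(struct toy_kref *k) { k->count = 1; }
static void toy_kref_get(struct toy_kref *k)  { k->count++; }
/* A real release callback would free dev; here it only sets a flag. */
static void toy_kref_put(struct toy_dev *d) { if (--d->ref.count == 0) d->released = 1; }

/* init_first=0: order reported in the thread (get before kref_init).
 * init_first=1: kref_init runs before the extension takes its reference. */
static struct toy_dev *toy_probe(int init_first)
{
    struct toy_dev *dev = calloc(1, sizeof(*dev)); /* like kzalloc: count 0 */
    if (!dev)
        abort();
    if (init_first)
        toy_kref_init(&dev->ref);
    toy_kref_get(&dev->ref);        /* IR extension takes its reference */
    if (!init_first)
        toy_kref_init(&dev->ref);   /* resets count to 1, losing the get */
    return dev;
}

/* Count after probe. Two holders exist (core + IR), so 2 is correct. */
int refs_after_probe(int init_first)
{
    struct toy_dev *dev = toy_probe(init_first);
    int n = dev->ref.count;
    free(dev);
    return n;
}

/* IR drops its reference: is dev released while the core still holds one? */
int released_early(int init_first)
{
    struct toy_dev *dev = toy_probe(init_first);
    toy_kref_put(dev);
    int r = dev->released;
    free(dev);
    return r;
}

int main(void)
{
    for (int f = 0; f <= 1; f++)
        printf("init_first=%d refs=%d early_release=%d\n", f, refs_after_probe(f), released_early(f));
    return 0;
}
```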