Hello Lin Ma,
Commit 0fc044b2b5e2 ("media: dvbdev: adopts refcnt to avoid UAF")
from Aug 7, 2022 (linux-next), leads to the following Smatch static
checker warning:
drivers/media/dvb-core/dvbdev.c:601 dvb_remove_device()
error: double free of 'dvbdev' (line 598)
drivers/media/dvb-core/dvbdev.c
591 void dvb_remove_device(struct dvb_device *dvbdev)
592 {
593 if (!dvbdev)
594 return;
595
596 down_write(&minor_rwsem);
597 dvb_minors[dvbdev->minor] = NULL;
598 dvb_device_put(dvbdev);
^^^^^^^^^^^^^^^^^^^^^^
If this drops the last reference then it frees "dvbdev" so Smatch complains
about use after frees.
599 up_write(&minor_rwsem);
600
--> 601 dvb_media_device_free(dvbdev);
^^^^^^
602
603 device_destroy(dvb_class, MKDEV(DVB_MAJOR, dvbdev->minor));
^^^^^^^^^^^^^
604
605 list_del(&dvbdev->list_head);
^^^^^^
606 }
regards,
dan carpenter
