On Mon, May 16, 2022 at 09:18:55AM +0200, Christian König wrote:
   557
   558         return dmabuf;
   559
   560 err_sysfs:
   561         /*
   562          * Set file->f_path.dentry->d_fsdata to NULL so that when
   563          * dma_buf_release() gets invoked by dentry_ops, it exits
   564          * early before calling the release() dma_buf op.
   565          */
   566         file->f_path.dentry->d_fsdata = NULL;
   567         fput(file);
   568 err_dmabuf:
   569         kfree(dmabuf);
dmabuf is freed, but it's still on the list so it leads to a use after free.
This seems to be a false positive. On closing the file @line no:567, it ends up calling dma_buf_file_release() which does remove dmabuf from its list.
Yeah, correct as far as I can see. The checker just can't see that the fput will cleanup the list.
Yep. Thanks!
I hope that Smatch will be better at parsing the fput() by the end of the year but right now it doesn't work at all.
regards, dan carpenter
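To make the ordering argument in the thread concrete, here is an added userspace model of the err_sysfs path. It is not kernel code and not part of the thread; the structures, the `fput()` sequencing (file release first, then the dentry release) and the counters are simplified assumptions that keep only what the use-after-free question depends on: the file_operations release unlinks the buffer from the global list, the dentry release bails out because d_fsdata was cleared, and only then does the caller free the buffer.

```c
#include <stdlib.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added illustration (not kernel code): a reduced model of the
 * dma_buf_export() error path discussed in the thread. Names mirror the
 * kernel's; the bodies are assumptions sized to the ordering argument. */

struct list_node { struct list_node *prev, *next; };

/* db_list.head in the kernel; locking omitted in this model */
static struct list_node db_list = { &db_list, &db_list };

static void list_add(struct list_node *n, struct list_node *head)
{
    n->next = head->next;
    n->prev = head;
    head->next->prev = n;
    head->next = n;
}

static void list_del(struct list_node *n)
{
    n->prev->next = n->next;
    n->next->prev = n->prev;
    n->next = n->prev = NULL;
}

static bool list_empty(const struct list_node *h) { return h->next == h; }

struct dma_buf { struct list_node list_node; };
struct dentry  { void *d_fsdata; };
struct file    { struct dentry *dentry; void *private_data; };

/* counts how often the dentry-side release reached the dma_buf free */
static int ops_release_calls;

/* file_operations.release: unconditionally unlinks the buffer */
static void dma_buf_file_release(struct file *file)
{
    struct dma_buf *dmabuf = file->private_data;
    list_del(&dmabuf->list_node);
}

/* dentry_operations release: exits early when d_fsdata was cleared */
static void dma_buf_release(struct dentry *dentry)
{
    struct dma_buf *dmabuf = dentry->d_fsdata;
    if (!dmabuf)
        return;            /* failed export: the caller frees dmabuf */
    ops_release_calls++;
    free(dmabuf);
}

/* Final reference drop: file release runs before the dentry release. */
static void fput(struct file *file)
{
    dma_buf_file_release(file);
    dma_buf_release(file->dentry);
    free(file->dentry);
    free(file);
}

/* Export with the sysfs step forced to fail; returns 0 after cleanup. */
static int dma_buf_export_fail(void)
{
    struct dma_buf *dmabuf = calloc(1, sizeof *dmabuf);
    struct dentry  *dentry = calloc(1, sizeof *dentry);
    struct file    *file   = calloc(1, sizeof *file);
    if (!dmabuf || !dentry || !file) {
        free(dmabuf); free(dentry); free(file);
        return -1;
    }

    dentry->d_fsdata   = dmabuf;
    file->dentry       = dentry;
    file->private_data = dmabuf;
    list_add(&dmabuf->list_node, &db_list);

    /* dma_buf_stats_setup() fails here -> err_sysfs */
    dentry->d_fsdata = NULL;   /* stop dma_buf_release() from freeing it */
    fput(file);                /* unlinks dmabuf from db_list first */
    free(dmabuf);              /* kfree(dmabuf): nothing references it now */
    return 0;
}

static bool db_list_is_empty(void) { return list_empty(&db_list); }
static int  ops_release_count(void) { return ops_release_calls; }

int main(void)
{
    int ret = dma_buf_export_fail();
    printf("export ret=%d, list empty=%d, dentry-side frees=%d\n",
           ret, db_list_is_empty(), ops_release_count());
    return 0;
}
```

After the failed export the list is empty and the dentry-side release freed nothing, which is exactly the information a checker needs in order to see that the later kfree() is not reachable through the list.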