On Mon Jun 12 12:02:42 2023 +0000, Piotr Caban wrote:
I don't see a use-after-free error here. The process_entry reference is stored in 2 places - in the process variable and in service->process. Since the code is setting service->process to NULL it needs to decrease the reference counter. Later we're freeing the process variable so another release_process call is needed. I guess the tool doesn't know that process == service->process.
scan-build thought that calling `release_process(process)` would free `process` before it is dereferenced in `ReleaseMutex(process->control_mutex)` a few lines later. But you're right, it's ref-counted, so there's no real problem here. Sorry for the noise.
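The pattern discussed in this thread, as an added example that is not part of the original messages and is not Wine's code: a simplified model in which the same ref-counted object is held by both `service->process` and a local `process` pointer. The struct layouts, `live_objects`, `terminate_model` and `run_model` are assumptions made for illustration; only `process_entry`, `release_process`, `service->process` and `control_mutex` come from the thread.

```c
#include <assert.h>
#include <stdlib.h>

/* Simplified model: layouts are assumed, not taken from the real source. */
struct process_entry {
    long ref_count;
    int control_mutex;          /* stand-in for the mutex handle */
};
struct service_entry { struct process_entry *process; };

static int live_objects;        /* allocations not yet freed (test aid) */

static void release_process(struct process_entry *p)
{
    if (--p->ref_count == 0) {  /* frees only when the last owner lets go */
        live_objects--;
        free(p);
    }
}

/* Caller holds its own reference in `process`, and process == service->process.
   Returns the ref count seen between the two releases. */
static long terminate_model(struct service_entry *service,
                            struct process_entry *process)
{
    long seen;

    /* State the invariant the tool cannot infer: two owners exist. */
    assert(process == service->process && process->ref_count >= 2);
    service->process = NULL;
    release_process(process);   /* drops the reference the service held */
    seen = process->ref_count;  /* still valid: the local reference remains */
    process->control_mutex = 0; /* models ReleaseMutex(process->control_mutex) */
    release_process(process);   /* drops the local reference; frees here */
    return seen;
}

static int run_model(void)
{
    struct service_entry service;
    struct process_entry *p = calloc(1, sizeof(*p));

    if (!p) return -1;
    p->ref_count = 2;           /* one for service.process, one for the local */
    live_objects = 1;
    service.process = p;
    return (terminate_model(&service, p) == 1 && live_objects == 0) ? 0 : 1;
}

int main(void) { return run_model(); }
```

The entry `assert` checks the aliasing and the count before either release, so it documents why the dereference between the two `release_process` calls is safe without itself reading the object after a release.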