Re: [PATCH] auxdisplay: line-display: fix NULL dereference in linedisp_release

Next message: Rosen Penev: "Re: [PATCH] w1: simplify allocation of w1_master"
Previous message: Rob Herring: "Re: [PATCH v3 0/7] Refactor reserved memory regions handling code"
In reply to: Guangshuo Li: "[PATCH] auxdisplay: line-display: fix NULL dereference in linedisp_release"
Next in thread: Guangshuo Li: "Re: [PATCH] auxdisplay: line-display: fix NULL dereference in linedisp_release"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Andy Shevchenko

Date: Thu Mar 26 2026 - 15:20:22 EST

On Fri, Mar 27, 2026 at 01:14:12AM +0800, Guangshuo Li wrote:
> linedisp_release() currently retrieves the enclosing struct linedisp via
> to_linedisp(). That lookup depends on the attachment list, but the
> attachment may already have been removed before put_device() invokes the
> release callback. This can happen in linedisp_unregister(), and can also
> be reached from some linedisp_register() error paths.
>
> In that case, to_linedisp() returns NULL and linedisp_release()
> dereferences it while freeing the display resources.
>
> The struct device released here is the embedded linedisp->dev used by
> linedisp_register(), so retrieve the enclosing object directly with
> container_of() instead.

Makes sense to me. How did you find the issue?

Geert, do you agree with this change?

--
With Best Regards,
Andy Shevchenko