Re: [PATCH] auxdisplay: line-display: fix NULL dereference in linedisp_release

Next message: Suren Baghdasaryan: "Re: [PATCH v2] mm/alloc_tag: clear codetag for pages allocated before page_ext initialization"
Previous message: Shawn Lin: "[PATCH] mmc: core: Switch to use pm_ptr() for mmc_host_class_dev_pm_ops"
In reply to: Andy Shevchenko: "Re: [PATCH] auxdisplay: line-display: fix NULL dereference in linedisp_release"
Next in thread: Geert Uytterhoeven: "Re: [PATCH] auxdisplay: line-display: fix NULL dereference in linedisp_release"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Guangshuo Li

Date: Fri Mar 27 2026 - 00:28:24 EST

Hi Andy,

Thanks.

I found it by manual code inspection while reviewing the teardown paths around
linedisp_unregister() and linedisp_register() error handling.

Best regards,
Guangshuo

Andy Shevchenko <andriy.shevchenko@xxxxxxxxx> 于2026年3月27日周五 03:18写道：
>
> On Fri, Mar 27, 2026 at 01:14:12AM +0800, Guangshuo Li wrote:
> > linedisp_release() currently retrieves the enclosing struct linedisp via
> > to_linedisp(). That lookup depends on the attachment list, but the
> > attachment may already have been removed before put_device() invokes the
> > release callback. This can happen in linedisp_unregister(), and can also
> > be reached from some linedisp_register() error paths.
> >
> > In that case, to_linedisp() returns NULL and linedisp_release()
> > dereferences it while freeing the display resources.
> >
> > The struct device released here is the embedded linedisp->dev used by
> > linedisp_register(), so retrieve the enclosing object directly with
> > container_of() instead.
>
> Makes sense to me. How did you find the issue?
>
> Geert, do you agree with this change?
>
> --
> With Best Regards,
> Andy Shevchenko
>
>