Re: [PATCH] auxdisplay: line-display: fix NULL dereference in linedisp_release

Next message: Hao Ge: "[PATCH] mm/alloc_tag: clear codetag for pages allocated before page_ext initialization"
Previous message: Vincent Guittot: "Re: [PATCH 3/4] sched/fair: Enable EAS with SMT on SD_ASYM_CPUCAPACITY systems"
In reply to: Guangshuo Li: "Re: [PATCH] auxdisplay: line-display: fix NULL dereference in linedisp_release"
Next in thread: Andy Shevchenko: "Re: [PATCH] auxdisplay: line-display: fix NULL dereference in linedisp_release"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Geert Uytterhoeven

Date: Fri Mar 27 2026 - 04:11:19 EST

Hi Guangshuo,

Thanks for your patch!

On Thu, 26 Mar 2026 at 18:14, Guangshuo Li <lgs201920130244@xxxxxxxxx> wrote:
> linedisp_release() currently retrieves the enclosing struct linedisp via
> to_linedisp(). That lookup depends on the attachment list, but the
> attachment may already have been removed before put_device() invokes the
> release callback. This can happen in linedisp_unregister(), and can also
> be reached from some linedisp_register() error paths.
>
> In that case, to_linedisp() returns NULL and linedisp_release()
> dereferences it while freeing the display resources.

Indeed, the attachment is not yet or no longer available when
put_device() is called.

> The struct device released here is the embedded linedisp->dev used by
> linedisp_register(), so retrieve the enclosing object directly with
> container_of() instead.

True.

> Fixes: 66c93809487e ("auxdisplay: linedisp: encapsulate container_of usage within to_linedisp")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Guangshuo Li <lgs201920130244@xxxxxxxxx>

Reviewed-by: Geert Uytterhoeven <geert@xxxxxxxxxxxxxx>

Gr{oetje,eeting}s,

Geert

--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@xxxxxxxxxxxxxx

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
-- Linus Torvalds