Re: [PATCH] auxdisplay: line-display: fix NULL dereference in linedisp_release

Next message: Holger Dengler: "Re: [PATCH 1/3] crypto: s390 - Remove des and des3_ede code"
Previous message: Neal Frager: "[PATCH v1 1/1] arch: microblaze: allocate stack space for register params"
In reply to: Geert Uytterhoeven: "Re: [PATCH] auxdisplay: line-display: fix NULL dereference in linedisp_release"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Andy Shevchenko

Date: Fri Mar 27 2026 - 04:58:03 EST

On Fri, Mar 27, 2026 at 09:10:50AM +0100, Geert Uytterhoeven wrote:
> Hi Guangshuo,
>
> Thanks for your patch!
>
> On Thu, 26 Mar 2026 at 18:14, Guangshuo Li <lgs201920130244@xxxxxxxxx> wrote:
> > linedisp_release() currently retrieves the enclosing struct linedisp via
> > to_linedisp(). That lookup depends on the attachment list, but the
> > attachment may already have been removed before put_device() invokes the
> > release callback. This can happen in linedisp_unregister(), and can also
> > be reached from some linedisp_register() error paths.
> >
> > In that case, to_linedisp() returns NULL and linedisp_release()
> > dereferences it while freeing the display resources.
>
> Indeed, the attachment is not yet or no longer available when
> put_device() is called.
>
> > The struct device released here is the embedded linedisp->dev used by
> > linedisp_register(), so retrieve the enclosing object directly with
> > container_of() instead.
>
> True.
>
> > Fixes: 66c93809487e ("auxdisplay: linedisp: encapsulate container_of usage within to_linedisp")
> > Cc: stable@xxxxxxxxxxxxxxx
> > Signed-off-by: Guangshuo Li <lgs201920130244@xxxxxxxxx>
>
> Reviewed-by: Geert Uytterhoeven <geert@xxxxxxxxxxxxxx>

Pushed to my review and testing queue, thanks!

--
With Best Regards,
Andy Shevchenko