public inbox for stable@vger.kernel.org
* [PATCH] auxdisplay: line-display: fix NULL dereference in linedisp_release
@ 2026-03-26 17:14 Guangshuo Li
  2026-03-26 19:18 ` Andy Shevchenko
  2026-03-27  8:10 ` Geert Uytterhoeven
  0 siblings, 2 replies; 5+ messages in thread
From: Guangshuo Li @ 2026-03-26 17:14 UTC
  To: Andy Shevchenko, Geert Uytterhoeven, Jean-François Lessard,
	Ingo Molnar, Thomas Gleixner, Guangshuo Li, linux-kernel
  Cc: stable

linedisp_release() currently retrieves the enclosing struct linedisp via
to_linedisp(). That lookup depends on the attachment list, but the
attachment may already have been removed before put_device() invokes the
release callback. This can happen in linedisp_unregister(), and can also
be reached from some linedisp_register() error paths.

In that case, to_linedisp() returns NULL and linedisp_release()
dereferences it while freeing the display resources.

The struct device released here is the embedded linedisp->dev used by
linedisp_register(), so retrieve the enclosing object directly with
container_of() instead.

Fixes: 66c93809487e ("auxdisplay: linedisp: encapsulate container_of usage within to_linedisp")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
---
 drivers/auxdisplay/line-display.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/auxdisplay/line-display.c b/drivers/auxdisplay/line-display.c
index 4e22373fcc1a..e80e94262830 100644
--- a/drivers/auxdisplay/line-display.c
+++ b/drivers/auxdisplay/line-display.c
@@ -365,7 +365,7 @@ static DEFINE_IDA(linedisp_id);
 
 static void linedisp_release(struct device *dev)
 {
-	struct linedisp *linedisp = to_linedisp(dev);
+	struct linedisp *linedisp = container_of(dev, struct linedisp, dev);
 
 	kfree(linedisp->map);
 	kfree(linedisp->message);
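Review bot: the new container_of() assignment in linedisp_release() carries no comment explaining why to_linedisp() must not be used at this point, and the Fixes: tag shows that the regression came from a cleanup that routed this lookup through to_linedisp(). A short comment above the assignment, saying that the attachment may already have been removed when the release callback runs, would keep a later consolidation from converting it back. Since to_linedisp() can return NULL, it is also worth checking its remaining callers for the same unchecked dereference.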
-- 
2.43.0
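The failure mode the commit message describes, as an added userspace model that is not part of the original patch or the driver: `attached`, `lookup_attached()` and `lookup_embedded()` are hypothetical stand-ins for the attachment list, the list-based lookup and the `container_of()` lookup, and the struct layouts are assumptions.

```c
/* Userspace model, constructed for illustration; not the driver's code. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

struct device { int id; };	/* stand-in for the kernel's struct device */

struct linedisp {
	int num_chars;		/* assumed field, only there to give dev an offset */
	struct device dev;	/* embedded device, as the commit message states */
};

/* Assumed stand-in for the attachment list: a single slot. */
static struct linedisp *attached;

/* List-based lookup: only succeeds while the attachment exists. */
static struct linedisp *lookup_attached(struct device *dev)
{
	return (attached && &attached->dev == dev) ? attached : NULL;
}

/* Embedded lookup: pointer arithmetic only, no dependence on list state. */
static struct linedisp *lookup_embedded(struct device *dev)
{
	return container_of(dev, struct linedisp, dev);
}

/* Returns 1 when the list lookup yields NULL after detach while
 * container_of() still recovers the enclosing object. */
static int teardown_order_demo(void)
{
	struct linedisp *ld = calloc(1, sizeof(*ld));
	int ok;

	if (!ld)
		return -1;
	attached = ld;					/* registered */
	ok = lookup_attached(&ld->dev) == ld;		/* lookups agree here */
	attached = NULL;				/* attachment removed first */
	ok = ok && lookup_attached(&ld->dev) == NULL;	/* release would deref this */
	ok = ok && lookup_embedded(&ld->dev) == ld;	/* still valid at release */
	free(ld);
	return ok;
}

int main(void) { printf("demo: %d\n", teardown_order_demo()); return 0; }
```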



* Re: [PATCH] auxdisplay: line-display: fix NULL dereference in linedisp_release
  2026-03-26 17:14 [PATCH] auxdisplay: line-display: fix NULL dereference in linedisp_release Guangshuo Li
@ 2026-03-26 19:18 ` Andy Shevchenko
  2026-03-27  4:28   ` Guangshuo Li
  2026-03-27  8:10 ` Geert Uytterhoeven
  1 sibling, 1 reply; 5+ messages in thread
From: Andy Shevchenko @ 2026-03-26 19:18 UTC
  To: Guangshuo Li
  Cc: Andy Shevchenko, Geert Uytterhoeven, Jean-François Lessard,
	Ingo Molnar, Thomas Gleixner, linux-kernel, stable

On Fri, Mar 27, 2026 at 01:14:12AM +0800, Guangshuo Li wrote:
> linedisp_release() currently retrieves the enclosing struct linedisp via
> to_linedisp(). That lookup depends on the attachment list, but the
> attachment may already have been removed before put_device() invokes the
> release callback. This can happen in linedisp_unregister(), and can also
> be reached from some linedisp_register() error paths.
> 
> In that case, to_linedisp() returns NULL and linedisp_release()
> dereferences it while freeing the display resources.
> 
> The struct device released here is the embedded linedisp->dev used by
> linedisp_register(), so retrieve the enclosing object directly with
> container_of() instead.

Makes sense to me. How did you find the issue?

Geert, do you agree with this change?

-- 
With Best Regards,
Andy Shevchenko




* Re: [PATCH] auxdisplay: line-display: fix NULL dereference in linedisp_release
  2026-03-26 19:18 ` Andy Shevchenko
@ 2026-03-27  4:28   ` Guangshuo Li
  0 siblings, 0 replies; 5+ messages in thread
From: Guangshuo Li @ 2026-03-27  4:28 UTC
  To: Andy Shevchenko
  Cc: Andy Shevchenko, Geert Uytterhoeven, Jean-François Lessard,
	Ingo Molnar, Thomas Gleixner, linux-kernel, stable

Hi Andy,

Thanks.

I found it by manual code inspection while reviewing the teardown paths around
linedisp_unregister() and linedisp_register() error handling.

Best regards,
Guangshuo

Andy Shevchenko <andriy.shevchenko@intel.com> wrote on Fri, Mar 27, 2026 at 03:18:
>
> On Fri, Mar 27, 2026 at 01:14:12AM +0800, Guangshuo Li wrote:
> > linedisp_release() currently retrieves the enclosing struct linedisp via
> > to_linedisp(). That lookup depends on the attachment list, but the
> > attachment may already have been removed before put_device() invokes the
> > release callback. This can happen in linedisp_unregister(), and can also
> > be reached from some linedisp_register() error paths.
> >
> > In that case, to_linedisp() returns NULL and linedisp_release()
> > dereferences it while freeing the display resources.
> >
> > The struct device released here is the embedded linedisp->dev used by
> > linedisp_register(), so retrieve the enclosing object directly with
> > container_of() instead.
>
> Makes sense to me. How did you find the issue?
>
> Geert, do you agree with this change?
>
> --
> With Best Regards,
> Andy Shevchenko
>
>


* Re: [PATCH] auxdisplay: line-display: fix NULL dereference in linedisp_release
  2026-03-26 17:14 [PATCH] auxdisplay: line-display: fix NULL dereference in linedisp_release Guangshuo Li
  2026-03-26 19:18 ` Andy Shevchenko
@ 2026-03-27  8:10 ` Geert Uytterhoeven
  2026-03-27  8:54   ` Andy Shevchenko
  1 sibling, 1 reply; 5+ messages in thread
From: Geert Uytterhoeven @ 2026-03-27  8:10 UTC
  To: Guangshuo Li
  Cc: Andy Shevchenko, Jean-François Lessard, Ingo Molnar,
	Thomas Gleixner, linux-kernel, stable

Hi Guangshuo,

Thanks for your patch!

On Thu, 26 Mar 2026 at 18:14, Guangshuo Li <lgs201920130244@gmail.com> wrote:
> linedisp_release() currently retrieves the enclosing struct linedisp via
> to_linedisp(). That lookup depends on the attachment list, but the
> attachment may already have been removed before put_device() invokes the
> release callback. This can happen in linedisp_unregister(), and can also
> be reached from some linedisp_register() error paths.
>
> In that case, to_linedisp() returns NULL and linedisp_release()
> dereferences it while freeing the display resources.

Indeed, the attachment is not yet or no longer available when
put_device() is called.

> The struct device released here is the embedded linedisp->dev used by
> linedisp_register(), so retrieve the enclosing object directly with
> container_of() instead.

True.

> Fixes: 66c93809487e ("auxdisplay: linedisp: encapsulate container_of usage within to_linedisp")
> Cc: stable@vger.kernel.org
> Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>

Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>

Gr{oetje,eeting}s,

                        Geert

-- 
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                                -- Linus Torvalds


* Re: [PATCH] auxdisplay: line-display: fix NULL dereference in linedisp_release
  2026-03-27  8:10 ` Geert Uytterhoeven
@ 2026-03-27  8:54   ` Andy Shevchenko
  0 siblings, 0 replies; 5+ messages in thread
From: Andy Shevchenko @ 2026-03-27  8:54 UTC
  To: Geert Uytterhoeven
  Cc: Guangshuo Li, Andy Shevchenko, Jean-François Lessard,
	Ingo Molnar, Thomas Gleixner, linux-kernel, stable

On Fri, Mar 27, 2026 at 09:10:50AM +0100, Geert Uytterhoeven wrote:
> Hi Guangshuo,
> 
> Thanks for your patch!
> 
> On Thu, 26 Mar 2026 at 18:14, Guangshuo Li <lgs201920130244@gmail.com> wrote:
> > linedisp_release() currently retrieves the enclosing struct linedisp via
> > to_linedisp(). That lookup depends on the attachment list, but the
> > attachment may already have been removed before put_device() invokes the
> > release callback. This can happen in linedisp_unregister(), and can also
> > be reached from some linedisp_register() error paths.
> >
> > In that case, to_linedisp() returns NULL and linedisp_release()
> > dereferences it while freeing the display resources.
> 
> Indeed, the attachment is not yet or no longer available when
> put_device() is called.
> 
> > The struct device released here is the embedded linedisp->dev used by
> > linedisp_register(), so retrieve the enclosing object directly with
> > container_of() instead.
> 
> True.
> 
> > Fixes: 66c93809487e ("auxdisplay: linedisp: encapsulate container_of usage within to_linedisp")
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
> 
> Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>

Pushed to my review and testing queue, thanks!

-- 
With Best Regards,
Andy Shevchenko


