linedisp_release() currently retrieves the enclosing struct linedisp via
to_linedisp(). That lookup depends on the attachment list, but the
attachment may already have been removed before put_device() invokes the
release callback. This can happen in linedisp_unregister(), and can also
be reached from some linedisp_register() error paths.

In that case, to_linedisp() returns NULL and linedisp_release()
dereferences it while freeing the display resources.

The struct device released here is the embedded linedisp->dev used by
linedisp_register(), so retrieve the enclosing object directly with
container_of() instead.

Fixes: 66c93809487e ("auxdisplay: linedisp: encapsulate container_of usage within to_linedisp")
Cc: stable@vger.kernel.org
Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
---
drivers/auxdisplay/line-display.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/auxdisplay/line-display.c b/drivers/auxdisplay/line-display.c
index 4e22373fcc1a..e80e94262830 100644
--- a/drivers/auxdisplay/line-display.c
+++ b/drivers/auxdisplay/line-display.c
@@ -365,7 +365,7 @@ static DEFINE_IDA(linedisp_id);
static void linedisp_release(struct device *dev)
{
- struct linedisp *linedisp = to_linedisp(dev);
+ struct linedisp *linedisp = container_of(dev, struct linedisp, dev);
kfree(linedisp->map);
kfree(linedisp->message);
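Review bot: the new container_of() line in linedisp_release() carries no comment explaining why to_linedisp() must not be used here, and the Fixes: tag shows the helper arrived through a cleanup that encapsulated container_of usage, so a later tidy-up could swap it back in. Suggest a short comment above the assignment saying that the attachment may already be gone when the release callback runs, so the enclosing struct linedisp has to be derived from the embedded dev directly. The direct lookup is only valid while this release callback is installed solely on the embedded linedisp->dev; the commit message states that, but the hunk does not show it, so it is worth confirming against linedisp_register() before this goes to stable.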
--
2.43.0
Hi Guangshuo,
Thanks for your patch!
On Thu, 26 Mar 2026 at 18:14, Guangshuo Li <lgs201920130244@gmail.com> wrote:
> linedisp_release() currently retrieves the enclosing struct linedisp via
> to_linedisp(). That lookup depends on the attachment list, but the
> attachment may already have been removed before put_device() invokes the
> release callback. This can happen in linedisp_unregister(), and can also
> be reached from some linedisp_register() error paths.
>
> In that case, to_linedisp() returns NULL and linedisp_release()
> dereferences it while freeing the display resources.
Indeed, the attachment is not yet or no longer available when
put_device() is called.
> The struct device released here is the embedded linedisp->dev used by
> linedisp_register(), so retrieve the enclosing object directly with
> container_of() instead.
True.
> Fixes: 66c93809487e ("auxdisplay: linedisp: encapsulate container_of usage within to_linedisp")
> Cc: stable@vger.kernel.org
> Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
Gr{oetje,eeting}s,
Geert
--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org
In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
-- Linus Torvalds
On Fri, Mar 27, 2026 at 09:10:50AM +0100, Geert Uytterhoeven wrote:
> Hi Guangshuo,
>
> Thanks for your patch!
>
> On Thu, 26 Mar 2026 at 18:14, Guangshuo Li <lgs201920130244@gmail.com> wrote:
> > linedisp_release() currently retrieves the enclosing struct linedisp via
> > to_linedisp(). That lookup depends on the attachment list, but the
> > attachment may already have been removed before put_device() invokes the
> > release callback. This can happen in linedisp_unregister(), and can also
> > be reached from some linedisp_register() error paths.
> >
> > In that case, to_linedisp() returns NULL and linedisp_release()
> > dereferences it while freeing the display resources.
>
> Indeed, the attachment is not yet or no longer available when
> put_device() is called.
>
> > The struct device released here is the embedded linedisp->dev used by
> > linedisp_register(), so retrieve the enclosing object directly with
> > container_of() instead.
>
> True.
>
> > Fixes: 66c93809487e ("auxdisplay: linedisp: encapsulate container_of usage within to_linedisp")
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com>
>
> Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
Pushed to my review and testing queue, thanks!
--
With Best Regards,
Andy Shevchenko
On Fri, Mar 27, 2026 at 01:14:12AM +0800, Guangshuo Li wrote:
> linedisp_release() currently retrieves the enclosing struct linedisp via
> to_linedisp(). That lookup depends on the attachment list, but the
> attachment may already have been removed before put_device() invokes the
> release callback. This can happen in linedisp_unregister(), and can also
> be reached from some linedisp_register() error paths.
>
> In that case, to_linedisp() returns NULL and linedisp_release()
> dereferences it while freeing the display resources.
>
> The struct device released here is the embedded linedisp->dev used by
> linedisp_register(), so retrieve the enclosing object directly with
> container_of() instead.

Makes sense to me. How did you find the issue?

Geert, do you agree with this change?

--
With Best Regards,
Andy Shevchenko
Hi Andy,

Thanks. I found it by manual code inspection while reviewing the teardown
paths around linedisp_unregister() and linedisp_register() error handling.

Best regards,
Guangshuo

On Fri, Mar 27, 2026 at 03:18, Andy Shevchenko <andriy.shevchenko@intel.com> wrote:
>
> On Fri, Mar 27, 2026 at 01:14:12AM +0800, Guangshuo Li wrote:
> > linedisp_release() currently retrieves the enclosing struct linedisp via
> > to_linedisp(). That lookup depends on the attachment list, but the
> > attachment may already have been removed before put_device() invokes the
> > release callback. This can happen in linedisp_unregister(), and can also
> > be reached from some linedisp_register() error paths.
> >
> > In that case, to_linedisp() returns NULL and linedisp_release()
> > dereferences it while freeing the display resources.
> >
> > The struct device released here is the embedded linedisp->dev used by
> > linedisp_register(), so retrieve the enclosing object directly with
> > container_of() instead.
>
> Makes sense to me. How did you find the issue?
>
> Geert, do you agree with this change?
>
> --
> With Best Regards,
> Andy Shevchenko