auxdisplay: line-display: fix NULL dereference in linedisp_release

lgs2513 · andy-shev · commit 7f138de156b2 · 2026-03-27T09:54:31.000+01:00
linedisp_release() currently retrieves the enclosing struct linedisp via to_linedisp(). That lookup depends on the attachment list, but the attachment may already have been removed before put_device() invokes the release callback. This can happen in linedisp_unregister(), and can also be reached from some linedisp_register() error paths. In that case, to_linedisp() returns NULL and linedisp_release() dereferences it while freeing the display resources. The struct device released here is the embedded linedisp->dev used by linedisp_register(), so retrieve the enclosing object directly with container_of() instead. Fixes: 66c9380 ("auxdisplay: linedisp: encapsulate container_of usage within to_linedisp") Cc: stable@vger.kernel.org Signed-off-by: Guangshuo Li <lgs201920130244@gmail.com> Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org> Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
diff --git a/drivers/auxdisplay/line-display.c b/drivers/auxdisplay/line-display.c
@@ -365,7 +365,7 @@ static DEFINE_IDA(linedisp_id);
 
 static void linedisp_release(struct device *dev)
 {
-	struct linedisp *linedisp = to_linedisp(dev);
+	struct linedisp *linedisp = container_of(dev, struct linedisp, dev);
 
 	kfree(linedisp->map);
 	kfree(linedisp->message);

Original file line number	Diff line number	Diff line change
`@@ -365,7 +365,7 @@ static DEFINE_IDA(linedisp_id);`
`365`	`365`
`366`	`366`	`static void linedisp_release(struct device *dev)`
`367`	`367`	`{`
`368`		`- struct linedisp *linedisp = to_linedisp(dev);`
	`368`	`+ struct linedisp *linedisp = container_of(dev, struct linedisp, dev);`
`369`	`369`
`370`	`370`	`kfree(linedisp->map);`
`371`	`371`	`kfree(linedisp->message);`