In linehandle_create(), there is a statement like this:
  retain_and_null_ptr(lh);

Soon after, there is a debug printout that dereferences "lh", which
will crash things.

Avoid the crash by using handlereq.lines, which is the same value.

Fixes: da7e394bf58f ("gpio: convert linehandle_create() to FD_PREPARE()")
Signed-off-by: Douglas Anderson <dianders@chromium.org>
---

Changes in v2:
- Use handlereq.lines rather than creating another local shadow.

 drivers/gpio/gpiolib-cdev.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpio/gpiolib-cdev.c b/drivers/gpio/gpiolib-cdev.c
index 2adc3c070908..189127721e38 100644
--- a/drivers/gpio/gpiolib-cdev.c
+++ b/drivers/gpio/gpiolib-cdev.c
@@ -388,7 +388,7 @@ static int linehandle_create(struct gpio_device *gdev, void __user *ip)
 	fd_publish(fdf);
 
 	dev_dbg(&gdev->dev, "registered chardev handle for %d lines\n",
-		lh->num_descs);
+		handlereq.lines);
 
 	return 0;
 }
-- 
2.53.0.273.g2a3d683680-goog

On Sun, 15 Feb 2026 12:05:55 -0800, Douglas Anderson wrote:
> In linehandle_create(), there is a statement like this:
>   retain_and_null_ptr(lh);
> 
> Soon after, there is a debug printout that dereferences "lh", which
> will crash things.
> 
> Avoid the crash by using handlereq.lines, which is the same value.
> 
> [...]

Applied, thanks!

[1/1] gpio: Avoid NULL dereference in linehandle_create()
      https://git.kernel.org/brgl/c/6af6be278e3ba2ffb6af5b796c89dfb3f5d9063e

Best regards,
-- 
Bartosz Golaszewski <bartosz.golaszewski@oss.qualcomm.com>