Changes in v2:
- Resent using git-send-email (previous submission had incorrect formatting).
- No code changes.
This series contains two small fixes for the Greybus audio manager:
1) Fix a NULL dereference in gb_audio_manager_get_module().
2) Drop a stale TODO in the module release callback.
Both are correctness / cleanup fixes with no functional change beyond preventing crashes.
Thanks, Hardik
Hardik Phalet (2):
  staging: greybus: audio: fix NULL dereference in gb_audio_manager_get_module()
  staging: greybus: audio: drop stale TODO in module release

 drivers/staging/greybus/audio_manager.c        | 3 ++-
 drivers/staging/greybus/audio_manager_module.c | 1 -
 2 files changed, 2 insertions(+), 2 deletions(-)
gb_audio_manager_get_module() calls gb_audio_manager_get_locked(), which can return NULL when the requested id does not exist. The returned pointer is dereferenced unconditionally via kobject_get(), leading to a NULL pointer dereference.
Only take a kobject reference when the module is found.
Signed-off-by: Hardik Phalet hardik.phalet@pm.me --- drivers/staging/greybus/audio_manager.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/greybus/audio_manager.c b/drivers/staging/greybus/audio_manager.c index 27ca5f796c5f..1da8804e61ca 100644 --- a/drivers/staging/greybus/audio_manager.c +++ b/drivers/staging/greybus/audio_manager.c @@ -111,7 +111,8 @@ struct gb_audio_manager_module *gb_audio_manager_get_module(int id)
down_read(&modules_rwsem); module = gb_audio_manager_get_locked(id); - kobject_get(&module->kobj); + if (module) + kobject_get(&module->kobj); up_read(&modules_rwsem); return module; }
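Review bot: at `return module;`, the function now hands NULL back to the caller when gb_audio_manager_get_locked() finds no module for the id, and nothing in the hunk documents that. Add a short comment above gb_audio_manager_get_module() stating that it returns NULL for an unknown id and otherwise returns the module with a kobject reference the caller must drop. The commit message describes a NULL pointer dereference but carries only a Signed-off-by; if the path is reachable it also needs a Fixes: tag naming the commit that introduced the unconditional kobject_get().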
On Fri, Feb 20, 2026 at 06:30:10AM +0000, Hardik Phalet wrote:
gb_audio_manager_get_module() calls gb_audio_manager_get_locked(), which can return NULL when the requested id does not exist. The returned pointer is dereferenced unconditionally via kobject_get(), leading to a NULL pointer dereference.
Only take a kobject reference when the module is found.
Signed-off-by: Hardik Phalet hardik.phalet@pm.me
drivers/staging/greybus/audio_manager.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/greybus/audio_manager.c b/drivers/staging/greybus/audio_manager.c index 27ca5f796c5f..1da8804e61ca 100644 --- a/drivers/staging/greybus/audio_manager.c +++ b/drivers/staging/greybus/audio_manager.c @@ -111,7 +111,8 @@ struct gb_audio_manager_module *gb_audio_manager_get_module(int id)
I don't think this gb_audio_manager_get_module() function is ever called. If it is then we need a Fixes tag.
regards, dan carpenter
On Fri Feb 20, 2026 at 1:38 PM IST, Dan Carpenter wrote:
On Fri, Feb 20, 2026 at 06:30:10AM +0000, Hardik Phalet wrote:
gb_audio_manager_get_module() calls gb_audio_manager_get_locked(), which can return NULL when the requested id does not exist. The returned pointer is dereferenced unconditionally via kobject_get(), leading to a NULL pointer dereference.
Only take a kobject reference when the module is found.
Signed-off-by: Hardik Phalet hardik.phalet@pm.me
drivers/staging/greybus/audio_manager.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/greybus/audio_manager.c b/drivers/staging/greybus/audio_manager.c index 27ca5f796c5f..1da8804e61ca 100644 --- a/drivers/staging/greybus/audio_manager.c +++ b/drivers/staging/greybus/audio_manager.c @@ -111,7 +111,8 @@ struct gb_audio_manager_module *gb_audio_manager_get_module(int id)
I don't think this gb_audio_manager_get_module() function is ever called. If it is then we need a Fixes tag.
regards, dan carpenter
Thanks for pointing that out.
I double-checked and could not find any in-tree callers for gb_audio_manager_get_module(), so this appears to be dead code and the NULL dereference is not reachable today.
Would you prefer that I drop this fix, or should I follow up with a cleanup patch?
Regards, Hardik Phalet
On Fri, Feb 20, 2026 at 10:09:33AM +0000, Hardik Phalet wrote:
On Fri Feb 20, 2026 at 1:38 PM IST, Dan Carpenter wrote:
On Fri, Feb 20, 2026 at 06:30:10AM +0000, Hardik Phalet wrote:
gb_audio_manager_get_module() calls gb_audio_manager_get_locked(), which can return NULL when the requested id does not exist. The returned pointer is dereferenced unconditionally via kobject_get(), leading to a NULL pointer dereference.
Only take a kobject reference when the module is found.
Signed-off-by: Hardik Phalet hardik.phalet@pm.me
drivers/staging/greybus/audio_manager.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/greybus/audio_manager.c b/drivers/staging/greybus/audio_manager.c index 27ca5f796c5f..1da8804e61ca 100644 --- a/drivers/staging/greybus/audio_manager.c +++ b/drivers/staging/greybus/audio_manager.c @@ -111,7 +111,8 @@ struct gb_audio_manager_module *gb_audio_manager_get_module(int id)
I don't think this gb_audio_manager_get_module() function is ever called. If it is then we need a Fixes tag.
regards, dan carpenter
Thanks for pointing that out.
I double-checked and could not find any in-tree callers for gb_audio_manager_get_module(), so this appears to be dead code and the NULL dereference is not reachable today.
Would you prefer that I drop this fix, or should I follow up with a cleanup patch?
Redo the series and just remove the unused functions entirely.
thanks,
greg k-h
Modules are removed from modules_list in gb_audio_manager_remove() and gb_audio_manager_remove_all() before kobject_put(). The TODO suggesting list deletion in the kobject release callback is stale and misleading.
Signed-off-by: Hardik Phalet hardik.phalet@pm.me --- drivers/staging/greybus/audio_manager_module.c | 1 - 1 file changed, 1 deletion(-)
diff --git a/drivers/staging/greybus/audio_manager_module.c b/drivers/staging/greybus/audio_manager_module.c index 4a4dfb42f50f..b1dd3da9f57c 100644 --- a/drivers/staging/greybus/audio_manager_module.c +++ b/drivers/staging/greybus/audio_manager_module.c @@ -69,7 +69,6 @@ static void gb_audio_module_release(struct kobject *kobj) struct gb_audio_manager_module *module = to_gb_audio_module(kobj);
pr_info("Destroying audio module #%d\n", module->id); - /* TODO -> delete from list */ kfree(module); }
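Review bot: in gb_audio_module_release(), deleting `/* TODO -> delete from list */` leaves `kfree(module);` with no statement of the invariant the commit message relies on, namely that the module is already unlinked from modules_list before kobject_put(). Consider replacing the TODO with a one-line comment saying so instead of removing it outright, so that a future path which drops the final reference without unlinking first is recognisable as a bug that would leave a freed entry on the list.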