Re: [PATCH] usb: gadget: u_ether: Fix race between gether_disconnect and eth_stop

Next message: Maxime Ripard: "Re: [PATCH v2 4/4] clk: test: convert constants to use HZ_PER_MHZ"
Previous message: Robin Murphy: "Re: [PATCH] perf/arm-cmn: Fix resource_size_t printk specifier in arm_cmn_init_dtc()"
In reply to: Dayu Jiang: "Re: [PATCH] usb: gadget: u_ether: Fix race between gether_disconnect and eth_stop"
Next in thread: Dayu Jiang: "Re: [PATCH] usb: gadget: u_ether: Fix race between gether_disconnect and eth_stop"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Greg Kroah-Hartman

Date: Thu Mar 26 2026 - 06:47:42 EST

On Thu, Mar 26, 2026 at 03:53:13PM +0800, Dayu Jiang wrote:
> On Wed, Mar 11, 2026 at 05:12:15PM +0800, Kuen-Han Tsai wrote:
> > A race condition between gether_disconnect() and eth_stop() leads to a
> > NULL pointer dereference. Specifically, if eth_stop() is triggered
> > concurrently while gether_disconnect() is tearing down the endpoints,
> > eth_stop() attempts to access the cleared endpoint descriptor, causing
> > the following NPE:
> >
> > Unable to handle kernel NULL pointer dereference
> > Call trace:
> > __dwc3_gadget_ep_enable+0x60/0x788
> > dwc3_gadget_ep_enable+0x70/0xe4
> > usb_ep_enable+0x60/0x15c
> > eth_stop+0xb8/0x108
> >
> > Because eth_stop() crashes while holding the dev->lock, the thread
> > running gether_disconnect() fails to acquire the same lock and spins
> > forever, resulting in a hardlockup:
> >
> > Core - Debugging Information for Hardlockup core(7)
> > Call trace:
> > queued_spin_lock_slowpath+0x94/0x488
> > _raw_spin_lock+0x64/0x6c
> > gether_disconnect+0x19c/0x1e8
> > ncm_set_alt+0x68/0x1a0
> > composite_setup+0x6a0/0xc50
> >
> Hi Greg,
> Hit the same issue during NCM switch stress test.
> Can you take a look at this patch and check if it’s ready for merge?

This is already in my tree and in linux-next and will go to Linus this
weekend.

thanks,

greg k-h