Re: [syzbot] [usb?] general protection fault in usb_gadget_udc_reset (4)

From: Alan Stern

Date: Sun Mar 08 2026 - 11:36:19 EST


On Sat, Mar 07, 2026 at 02:52:24AM -0800, syzbot wrote:
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: 651690480a96 Merge tag 'spi-fix-v7.0-rc2' of git://git.ker..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=11ec0806580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=2a019678b1a3a692
> dashboard link: https://syzkaller.appspot.com/bug?extid=19bed92c97bee999e5db
> compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=10b2db5a580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14fed8d6580000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/0e393fccfaa3/disk-65169048.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/2930e8c98c89/vmlinux-65169048.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/34e9e7d322b1/bzImage-65169048.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+19bed92c97bee999e5db@xxxxxxxxxxxxxxxxxxxxxxxxx
>
> usb 1-1: reset high-speed USB device number 2 using dummy_hcd
> usb 1-1: device descriptor read/8, error -32
> Oops: general protection fault, probably [ 120.351719][ T6052] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000008: 0000 [#1] SMP KASAN PTI
> KASAN: null-ptr-deref in range [0x0000000000000040-0x0000000000000047]
> CPU: 0 UID: 0 PID: 6052 Comm: kworker/0:7 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
> Workqueue: usb_hub_wq hub_event
> RIP: 0010:usb_gadget_udc_reset+0x27/0x60 drivers/usb/gadget/udc/core.c:1200

> Call Trace:
> <TASK>
> set_link_state+0x80b/0x1220 drivers/usb/gadget/udc/dummy_hcd.c:469

It's a little hard to tell exactly what is wrong here, but it looks like
the driver argument to usb_gadget_udc_reset() may be NULL. Let's see if
that's really the problem.

Alan Stern

#syz test: upstream 651690480a96

Index: usb-devel/drivers/usb/gadget/udc/dummy_hcd.c
===================================================================
--- usb-devel.orig/drivers/usb/gadget/udc/dummy_hcd.c
+++ usb-devel/drivers/usb/gadget/udc/dummy_hcd.c
@@ -465,7 +465,9 @@ static void set_link_state(struct dummy_
stop_activity(dum);
++dum->callback_usage;
spin_unlock(&dum->lock);
- if (reset)
+ if (!dum->driver)
+ dev_err(dummy_dev(dum_hcd), "**** NO DRIVER!\n");
+ else if (reset)
usb_gadget_udc_reset(&dum->gadget, dum->driver);
else
dum->driver->disconnect(&dum->gadget);
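Review bot: the new `!dum->driver` check runs after `spin_unlock(&dum->lock)`, so it and the `dum->driver` that is then passed to `usb_gadget_udc_reset()` (and dereferenced in the `else` branch) are separate reads outside the lock; if the pointer can be cleared concurrently, the check can pass and the call still see NULL, which would leave the reported fault unexplained even if the message never fires. For a diagnostic it may be enough, but it would be more conclusive to snapshot the pointer under the lock, e.g. `struct usb_gadget_driver *driver = dum->driver;` before the `spin_unlock()` and then test and call through `driver`, so the log line and the call agree on what was observed. The `"**** NO DRIVER!\n"` `dev_err()` reads as a test-only message and should be replaced with a proper bail-out (or a `WARN_ON_ONCE`) before anything is committed.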