Re: [syzbot] [usb?] general protection fault in usb_gadget_udc_reset (4)

From: Alan Stern

Date: Mon Mar 09 2026 - 11:29:23 EST


On Mon, Mar 09, 2026 at 07:55:02AM -0700, syzbot wrote:
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> general protection fault in usb_gadget_udc_reset
>
> raw-gadget.0 gadget.1: Reset #2
> usb 2-1: device descriptor read/64, error -32
> gadget gadget.1: Reset #1, driver 0000000000000000
> Oops: general protection fault, probably for non-canonical address 0xdffffc0000000008: 0000 [#1] SMP KASAN PTI
> KASAN: null-ptr-deref in range [0x0000000000000040-0x0000000000000047]
> CPU: 0 UID: 0 PID: 5814 Comm: kworker/0:3 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
> Workqueue: usb_hub_wq hub_event
> RIP: 0010:usb_gadget_udc_reset+0x42/0x80 drivers/usb/gadget/udc/core.c:1201

That's a little weird. All the new debugging messages in the console
log are of the form "raw-gadget.0 gadget.1 Reset ...", but the last,
failing one says "gadget gadget.1 Reset ...". I wonder what that
indicates.

Maybe this next test will help find out.

Alan Stern

#syz test: upstream 651690480a96

Index: usb-devel/drivers/usb/gadget/udc/core.c
===================================================================
--- usb-devel.orig/drivers/usb/gadget/udc/core.c
+++ usb-devel/drivers/usb/gadget/udc/core.c
@@ -1192,7 +1192,9 @@ EXPORT_SYMBOL_GPL(usb_udc_vbus_handler);
void usb_gadget_udc_reset(struct usb_gadget *gadget,
struct usb_gadget_driver *driver)
{
+ dev_info(&gadget->dev, "Reset #1, gadget %p driver %p\n", gadget, driver);
driver->reset(gadget);
+ dev_info(&gadget->dev, "Reset #2\n");
usb_gadget_set_state(gadget, USB_STATE_DEFAULT);
}
EXPORT_SYMBOL_GPL(usb_gadget_udc_reset);
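Review bot: the hunk still dereferences `driver` unconditionally on the line after the new `dev_info()`, and the quoted syzbot log already shows that call arriving with `driver 0000000000000000`, so this version will print the NULL pointer and then fault at `driver->reset(gadget)` exactly as before. If the goal of the test is to find out who calls the reset path with no driver bound, a `WARN_ON(!driver)` (or `dump_stack()`) before the dereference would give a backtrace identifying the caller, which the `%p` values alone do not. The "gadget gadget.1" prefix on the crashing line is also consistent with this: `dev_info()` prints the bound driver's name when `gadget->dev.driver` is set and falls back to the bus name when it is not, so the failing reset appears to be issued after the gadget driver has been unbound from the gadget device, i.e. after the UDC's `driver` pointer was cleared.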