Re: [syzbot] [usb?] general protection fault in usb_gadget_udc_reset (4)
From: Alan Stern
Date: Sat Mar 14 2026 - 12:42:27 EST
On Fri, Mar 13, 2026 at 02:28:02PM -0700, syzbot wrote:
> Hello,
>
> syzbot has tested the proposed patch and the reproducer did not trigger any issue:
>
> Reported-by: syzbot+19bed92c97bee999e5db@xxxxxxxxxxxxxxxxxxxxxxxxx
> Tested-by: syzbot+19bed92c97bee999e5db@xxxxxxxxxxxxxxxxxxxxxxxxx
>
> Tested on:
>
> commit: 65169048 Merge tag 'spi-fix-v7.0-rc2' of git://git.ker..
> git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
> console output: https://syzkaller.appspot.com/x/log.txt?x=14ab954a580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=2a019678b1a3a692
> dashboard link: https://syzkaller.appspot.com/bug?extid=19bed92c97bee999e5db
> compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
> patch: https://syzkaller.appspot.com/x/patch.diff?x=113b1602580000
>
> Note: testing is done by a robot and is best-effort only.
Just out of curiosity, let's see if this test crashes with only the
second change (moving stop_activity()) and not the first (moving the
synchronize_irq() emulation).
Alan Stern
#syz test: upstream 651690480a96
Index: usb-devel/drivers/usb/gadget/udc/dummy_hcd.c
===================================================================
--- usb-devel.orig/drivers/usb/gadget/udc/dummy_hcd.c
+++ usb-devel/drivers/usb/gadget/udc/dummy_hcd.c
@@ -462,8 +462,13 @@ static void set_link_state(struct dummy_
/* Report reset and disconnect events to the driver */
if (dum->ints_enabled && (disconnect || reset)) {
- stop_activity(dum);
++dum->callback_usage;
+ /*
+ * stop_activity() can drop dum->lock, so it must
+ * must not come between the dum->ints_enabled test
+ * and the ++dum->callback_usage.
+ */
+ stop_activity(dum);
spin_unlock(&dum->lock);
if (reset)
usb_gadget_udc_reset(&dum->gadget, dum->driver);