Re: [PATCH] usb: gadget: u_ether: Fix race between gether_disconnect and eth_stop

[Dayu Jiang]

On Thu, Mar 26, 2026 at 11:35:31AM +0100, Greg Kroah-Hartman wrote:
> On Thu, Mar 26, 2026 at 03:53:13PM +0800, Dayu Jiang wrote:
> > On Wed, Mar 11, 2026 at 05:12:15PM +0800, Kuen-Han Tsai wrote:
> > > A race condition between gether_disconnect() and eth_stop() leads to a
> > > NULL pointer dereference. Specifically, if eth_stop() is triggered
> > > concurrently while gether_disconnect() is tearing down the endpoints,
> > > eth_stop() attempts to access the cleared endpoint descriptor, causing
> > > the following NPE:
> > > 
> > >   Unable to handle kernel NULL pointer dereference
> > >   Call trace:
> > >    __dwc3_gadget_ep_enable+0x60/0x788
> > >    dwc3_gadget_ep_enable+0x70/0xe4
> > >    usb_ep_enable+0x60/0x15c
> > >    eth_stop+0xb8/0x108
> > > 
> > > Because eth_stop() crashes while holding the dev->lock, the thread
> > > running gether_disconnect() fails to acquire the same lock and spins
> > > forever, resulting in a hardlockup:
> > > 
> > >   Core - Debugging Information for Hardlockup core(7)
> > >   Call trace:
> > >    queued_spin_lock_slowpath+0x94/0x488
> > >    _raw_spin_lock+0x64/0x6c
> > >    gether_disconnect+0x19c/0x1e8
> > >    ncm_set_alt+0x68/0x1a0
> > >    composite_setup+0x6a0/0xc50
> > >
> > Hi Greg,
> > Hit the same issue during NCM switch stress test.
> > Can you take a look at this patch and check if it’s ready for merge?
> 
> This is already in my tree and in linux-next and will go to Linus this
> weekend.
Got it. Sorry for the multiple copies of the same email—our mail server had some issues and sent them repeatedly. My apologies for the noise.
>
> thanks,
> 
> greg k-h