Re: [REGRESSION] usb: gadget: u_ether NULL deref in eth_stop after gether_detach_gadget

Next message: Jianqiang kang: "[PATCH 5.15.y] i3c: mipi-i3c-hci: Correct RING_CTRL_ABORT handling in DMA dequeue"
Previous message: Krzysztof Kozlowski: "Re: [PATCH v9 2/3] media: dt-bindings: Add CSI Pixel Formatter DT bindings"
In reply to: Greg Kroah-Hartman: "Re: [REGRESSION] usb: gadget: u_ether NULL deref in eth_stop after gether_detach_gadget"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Ivaylo Dimitrov

Date: Wed May 27 2026 - 04:38:18 EST

On 27.05.26 г. 11:03 ч., Greg Kroah-Hartman wrote:

On Tue, May 26, 2026 at 08:56:15AM +0300, Ivaylo Dimitrov wrote:

on linux 6.18.31 I am seeing a NULL pointer dereference during RNDIS gadget
teardown.

Does this also happen on the latest 7.1-rc release?

I didn't test this on current -rc (this is a mobile phone and not particularly easy to run latest Linux on), however this looks more like an object lifetime contract issue than something specific to 6.18.y.

Also, the suspected patch was backported to 6.18.y together with e002e92e88e12457373ed096b18716d97e7bbb20 ("usb: gadget: u_ether: Fix NULL pointer deref in eth_get_drvinfo"), which fixes a similar issue, so I strongly suspect the issue exists in current -rc as well.

I suspect the reason is commit:

usb: gadget: f_ncm: Fix net_device lifecycle with device_move

Do you have a proposed fix for this issue?

Not really, as checking whether dev->gadget is NULL before calling DBG() looks more like a workaround than a proper fix to me. I also don't know the subsystem well enough to judge whether switching to netdev_dbg() instead of DBG() would be appropriate here, or whether that would defeat the purpose of the existing debug messages (or cause confusion by mixing gadget and netdev based logging).

I could use some maintainer advice on what they think the proper fix should look like, and then I'll try to put together a fix.

Thanks,
Ivo