From: Jimmy Hu <hhhuuu@google.com>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Alan Stern <stern@rowland.harvard.edu>,
linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
Jimmy Hu <hhhuuu@google.com>,
stable@vger.kernel.org
Subject: [PATCH] usb: gadget: udc: Fix NULL pointer dereference in gadget_match_driver
Date: Tue, 26 May 2026 15:06:35 +0800
Message-ID: <20260526070635.839701-1-hhhuuu@google.com>

A NULL pointer dereference occurs in gadget_match_driver() because a
race condition exists between the DRD mode-switch work and the
configfs UDC write path:

1. The DRD mode-switch work invokes __dwc3_set_mode(), which calls
   dwc3_gadget_exit() and subsequently frees the UDC device name via
   device_unregister(&udc->dev).

2. The configfs UDC write path invokes gadget_dev_desc_UDC_store(),
   which calls usb_gadget_register_driver() and subsequently
   compares the UDC device name via gadget_match_driver().

If gadget_match_driver() runs concurrently during UDC unregistration, it
may access the freed UDC device name. Once the freed memory is zeroed,
dev_name(&udc->dev) returns NULL, causing a panic in strcmp().

[39430.908615][ T1171] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[39430.911397][ T1171] pc : __pi_strcmp+0x20/0x140
[39430.911441][ T1171] lr : gadget_match_driver+0x34/0x60
...
[39430.911890][ T1171] usb_gadget_register_driver_owner+0x50/0xf8
[39430.911910][ T1171] gadget_dev_desc_UDC_store+0xf4/0x140
[39430.931308][ T1171] configfs_write_iter+0xec/0x134
...
[39430.957058][ T1171] Workqueue: events_freezable __dwc3_set_mode
[39430.957287][ T1171] dwc3_gadget_exit+0x34/0x8c
[39430.957304][ T1171] __dwc3_set_mode+0xc0/0x664
[39430.957341][ T1171] worker_thread+0x244/0x334

Fix this by checking dev_name(&udc->dev) before calling strcmp().

Fixes: fc274c1e9973 ("USB: gadget: Add a new bus for gadgets")
Cc: stable@vger.kernel.org
Signed-off-by: Jimmy Hu <hhhuuu@google.com>
---
drivers/usb/gadget/udc/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/usb/gadget/udc/core.c b/drivers/usb/gadget/udc/core.c
index e8861eaad907..79baed640428 100644
--- a/drivers/usb/gadget/udc/core.c
+++ b/drivers/usb/gadget/udc/core.c
@@ -1594,7 +1594,7 @@ static int gadget_match_driver(struct device *dev, const struct device_driver *d
struct usb_gadget_driver, driver);
/* If the driver specifies a udc_name, it must match the UDC's name */
- if (driver->udc_name &&
+ if (driver->udc_name && dev_name(&udc->dev) &&
strcmp(driver->udc_name, dev_name(&udc->dev)) != 0)
return 0;
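
Review bot: the dev_name(&udc->dev) test added to the `if` condition only covers the moment when the name already reads back as NULL, and does not close the race the commit message describes. That message says the name is freed by device_unregister(&udc->dev) while gadget_match_driver() may be running, so strcmp() can still be handed freed memory in the window before it is zeroed. In addition, dev_name(&udc->dev) is evaluated twice here (once for the check, once as the strcmp() argument) with nothing in this hunk preventing the value from changing between the two calls. Suggest serialising the match against UDC unregistration, or holding a reference that keeps the name alive for the duration of the comparison, instead of testing for NULL. If the check is kept as a stopgap, read dev_name() once into a local and extend the existing comment to say why the name can be NULL at this point.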
base-commit: 5d6919055dec134de3c40167a490f33c74c12581
--
2.54.0.746.g67dd491aae-goog