[PATCH RFC net-next] usb: gadget: u_ether: fix eth_get_drvinfo() oops

[PATCH RFC net-next] usb: gadget: u_ether: fix eth_get_drvinfo() oops

[Russell King (Oracle)]

The following oops was observed on the nVidia Jetson Xavier NX1
platform with 7.0.0-rc5, which is caused by dev->gadget becoming NULL
while the u_ether device is still visible to userspace. Adding some
debug reveals that we see this sequence:

net usb1: gadget detached
tegra-xudc 3550000.usb: ep 0 disabled
net usb1: no gadget for drvinfo
usb1 (unregistering): left allmulticast mode
usb1 (unregistering): left promiscuous mode
l4tbr0: port 2(usb1) entered disabled state

Put a sticky plaster over this (it's racy!) I suspect
gether_detach_gadget() needs to at least take the RTNL as well to
prevent ethtool ops running concurrently with the gadget being
detached.

Unable to handle kernel NULL pointer dereference at virtual address 000000000000
00d0
Mem abort info:
  ESR = 0x0000000096000004
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x04: level 0 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
  CM = 0, WnR = 0, TnD = 0, TagAccess = 0
  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=00000001086b1000
[00000000000000d0] pgd=0000000000000000, p4d=0000000000000000
Internal error: Oops: 0000000096000004 [#1]  SMP
Modules linked in: snd_soc_tegra210_mvc snd_soc_tegra186_asrc snd_soc_tegra210_m
ixer snd_soc_tegra210_admaif snd_soc_tegra_pcm snd_soc_tegra210_ope snd_soc_tegr
a186_dspk snd_soc_tegra210_i2s snd_soc_simple_card_utils snd_soc_tegra210_dmic s
nd_soc_tegra210_amx snd_soc_tegra210_adx snd_soc_tegra210_sfc rtw88_8822ce rtw88
_8822c rtw88_pci rtw88_core mac80211 libarc4 sha256 cfg80211 snd_soc_tegra210_ah
ub snd_soc_core snd_pcm_dmaengine snd_pcm snd_timer tegra210_adma zram tegra_drm
 zsmalloc usb_f_ncm syscopyarea usb_f_mass_storage drm_client_lib sysfillrect sy
simgblt ramoops fb_sys_fops reed_solomon nls_iso8859_1 drm_display_helper nls_cp437 vfat drm_kms_helper fb fat cec drm_dp_aux_bus tegra_aconnect usb_f_acm u_serial usb_f_rndis u_ether max77620_wdt realtek tegra_xudc phy_package snd phy_tegra194_p2u dwmac_dwc_qos_eth soundcore stmmac_platform pwm_tegra rtc_efi tegra186_gpc_dma virt_dma tegra_bpmp_thermal host1x pcie_tegra194 libcomposite udc_core drm drm_panel_orientation_quirks backlight efivarfs ip_tables
 x_tables
CPU: 1 UID: 0 PID: 4181 Comm: systemd-udevd Not tainted 7.0.0-rc5-net-next+ #640 PREEMPT
Hardware name: NVIDIA NVIDIA Jetson Xavier NX Developer Kit/Jetson, BIOS 6.0-37391689 08/28/2024
pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : eth_get_drvinfo+0x4c/0x80 [u_ether]
lr : eth_get_drvinfo+0x40/0x80 [u_ether]
sp : ffff80008484bb60
x29: ffff80008484bb60 x28: ffff000083de18c0 x27: 0000000000000000
x26: 0000000000000000 x25: ffff0000947da0a8 x24: 0000000000004000
x23: ffff0000a38a5600 x22: 0000000000000000 x21: ffff80007a3a5558
x20: ffff0000947da000 x19: ffff0000a38a5608 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffe09af760
x14: 0000000000000000 x13: 0000000000000020 x12: 0101010101010101
x11: 7f7f7f7f7f7f7f7f x10: 00007ffff0071c50 x9 : 0000000000000020
x8 : 0101010101010101 x7 : ffff0000a38a5634 x6 : fefefefefefefeff
x5 : ffff0000a38a562c x4 : 0000000000383030 x3 : 0000000000383030
x2 : 0000000000000020 x1 : 0000000000000000 x0 : ffff0000a38a564c
Call trace:
 eth_get_drvinfo+0x4c/0x80 [u_ether] (P)
 ethtool_get_drvinfo+0x54/0x1e0
 __dev_ethtool+0x698/0x2000
 dev_ethtool+0x90/0x1a0
 dev_ioctl+0x37c/0x594
 sock_ioctl+0x390/0x5bc
 __arm64_sys_ioctl+0x408/0xeb4
 invoke_syscall.constprop.0+0x50/0xe0
 do_el0_svc+0x40/0xc0
 el0_svc+0x48/0x2a0
 el0t_64_sync_handler+0xa0/0xe4
 el0t_64_sync+0x19c/0x1a0
Code: 95a68811 f9468a81 d2800402 91011260 (f9406821)
---[ end trace 0000000000000000 ]---

Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
---

1. get_maintainers.pl is picking up on the PSTORE folk because of the
mention of "ramoops" in the commit message... even though this has
nothing to do with them.

2. I think there's more bugs here as mentioned in the commit message,
since setting dev->gadget to NULL without taking any locking while
the u_ether device is still published to userspace looks mightily
dangerous. Seems to be another kernel driver that fails to obey the
basics discussed in OLS some twenty years ago concerning the order
of setup/publish/unpublish/teardown... and we still don't seem to
be able to get it right. :(

3. Patch generated against the net-next tree, because that's what I'm
working with being focussed on stmmac at the moment - but I would like
my test platform not to oops and reboot itself when I instead want it
to power off.

 drivers/usb/gadget/function/u_ether.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/usb/gadget/function/u_ether.c b/drivers/usb/gadget/function/u_ether.c
index 1a9e7c495e2e..d1ae91889537 100644
--- a/drivers/usb/gadget/function/u_ether.c
+++ b/drivers/usb/gadget/function/u_ether.c
@@ -113,6 +113,10 @@ static void eth_get_drvinfo(struct net_device *net, struct ethtool_drvinfo *p)
 
 	strscpy(p->driver, "g_ether", sizeof(p->driver));
 	strscpy(p->version, UETH__VERSION, sizeof(p->version));
+
+	if (!dev->gadget)
+		return;
+
 	strscpy(p->fw_version, dev->gadget->name, sizeof(p->fw_version));
 	strscpy(p->bus_info, dev_name(&dev->gadget->dev), sizeof(p->bus_info));
 }
-- 
2.47.3

Re: [PATCH RFC net-next] usb: gadget: u_ether: fix eth_get_drvinfo() oops

[Greg Kroah-Hartman]

On Sun, Mar 29, 2026 at 12:32:20PM +0100, Russell King (Oracle) wrote:
> The following oops was observed on the nVidia Jetson Xavier NX1
> platform with 7.0.0-rc5, which is caused by dev->gadget becoming NULL
> while the u_ether device is still visible to userspace. Adding some
> debug reveals that we see this sequence:
> 
> net usb1: gadget detached
> tegra-xudc 3550000.usb: ep 0 disabled
> net usb1: no gadget for drvinfo
> usb1 (unregistering): left allmulticast mode
> usb1 (unregistering): left promiscuous mode
> l4tbr0: port 2(usb1) entered disabled state
> 
> Put a sticky plaster over this (it's racy!) I suspect
> gether_detach_gadget() needs to at least take the RTNL as well to
> prevent ethtool ops running concurrently with the gadget being
> detached.
> 
> Unable to handle kernel NULL pointer dereference at virtual address 000000000000
> 00d0
> Mem abort info:
>   ESR = 0x0000000096000004
>   EC = 0x25: DABT (current EL), IL = 32 bits
>   SET = 0, FnV = 0
>   EA = 0, S1PTW = 0
>   FSC = 0x04: level 0 translation fault
> Data abort info:
>   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
>   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
>   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
> user pgtable: 4k pages, 48-bit VAs, pgdp=00000001086b1000
> [00000000000000d0] pgd=0000000000000000, p4d=0000000000000000
> Internal error: Oops: 0000000096000004 [#1]  SMP
> Modules linked in: snd_soc_tegra210_mvc snd_soc_tegra186_asrc snd_soc_tegra210_m
> ixer snd_soc_tegra210_admaif snd_soc_tegra_pcm snd_soc_tegra210_ope snd_soc_tegr
> a186_dspk snd_soc_tegra210_i2s snd_soc_simple_card_utils snd_soc_tegra210_dmic s
> nd_soc_tegra210_amx snd_soc_tegra210_adx snd_soc_tegra210_sfc rtw88_8822ce rtw88
> _8822c rtw88_pci rtw88_core mac80211 libarc4 sha256 cfg80211 snd_soc_tegra210_ah
> ub snd_soc_core snd_pcm_dmaengine snd_pcm snd_timer tegra210_adma zram tegra_drm
>  zsmalloc usb_f_ncm syscopyarea usb_f_mass_storage drm_client_lib sysfillrect sy
> simgblt ramoops fb_sys_fops reed_solomon nls_iso8859_1 drm_display_helper nls_cp437 vfat drm_kms_helper fb fat cec drm_dp_aux_bus tegra_aconnect usb_f_acm u_serial usb_f_rndis u_ether max77620_wdt realtek tegra_xudc phy_package snd phy_tegra194_p2u dwmac_dwc_qos_eth soundcore stmmac_platform pwm_tegra rtc_efi tegra186_gpc_dma virt_dma tegra_bpmp_thermal host1x pcie_tegra194 libcomposite udc_core drm drm_panel_orientation_quirks backlight efivarfs ip_tables
>  x_tables
> CPU: 1 UID: 0 PID: 4181 Comm: systemd-udevd Not tainted 7.0.0-rc5-net-next+ #640 PREEMPT
> Hardware name: NVIDIA NVIDIA Jetson Xavier NX Developer Kit/Jetson, BIOS 6.0-37391689 08/28/2024
> pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> pc : eth_get_drvinfo+0x4c/0x80 [u_ether]
> lr : eth_get_drvinfo+0x40/0x80 [u_ether]
> sp : ffff80008484bb60
> x29: ffff80008484bb60 x28: ffff000083de18c0 x27: 0000000000000000
> x26: 0000000000000000 x25: ffff0000947da0a8 x24: 0000000000004000
> x23: ffff0000a38a5600 x22: 0000000000000000 x21: ffff80007a3a5558
> x20: ffff0000947da000 x19: ffff0000a38a5608 x18: 0000000000000000
> x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffe09af760
> x14: 0000000000000000 x13: 0000000000000020 x12: 0101010101010101
> x11: 7f7f7f7f7f7f7f7f x10: 00007ffff0071c50 x9 : 0000000000000020
> x8 : 0101010101010101 x7 : ffff0000a38a5634 x6 : fefefefefefefeff
> x5 : ffff0000a38a562c x4 : 0000000000383030 x3 : 0000000000383030
> x2 : 0000000000000020 x1 : 0000000000000000 x0 : ffff0000a38a564c
> Call trace:
>  eth_get_drvinfo+0x4c/0x80 [u_ether] (P)
>  ethtool_get_drvinfo+0x54/0x1e0
>  __dev_ethtool+0x698/0x2000
>  dev_ethtool+0x90/0x1a0
>  dev_ioctl+0x37c/0x594
>  sock_ioctl+0x390/0x5bc
>  __arm64_sys_ioctl+0x408/0xeb4
>  invoke_syscall.constprop.0+0x50/0xe0
>  do_el0_svc+0x40/0xc0
>  el0_svc+0x48/0x2a0
>  el0t_64_sync_handler+0xa0/0xe4
>  el0t_64_sync+0x19c/0x1a0
> Code: 95a68811 f9468a81 d2800402 91011260 (f9406821)
> ---[ end trace 0000000000000000 ]---
> 
> Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
> ---
> 
> 1. get_maintainers.pl is picking up on the PSTORE folk because of the
> mention of "ramoops" in the commit message... even though this has
> nothing to do with them.
> 
> 2. I think there's more bugs here as mentioned in the commit message,
> since setting dev->gadget to NULL without taking any locking while
> the u_ether device is still published to userspace looks mightily
> dangerous. Seems to be another kernel driver that fails to obey the
> basics discussed in OLS some twenty years ago concerning the order
> of setup/publish/unpublish/teardown... and we still don't seem to
> be able to get it right. :(
> 
> 3. Patch generated against the net-next tree, because that's what I'm
> working with being focussed on stmmac at the moment - but I would like
> my test platform not to oops and reboot itself when I instead want it
> to power off.
> 
>  drivers/usb/gadget/function/u_ether.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/drivers/usb/gadget/function/u_ether.c b/drivers/usb/gadget/function/u_ether.c
> index 1a9e7c495e2e..d1ae91889537 100644
> --- a/drivers/usb/gadget/function/u_ether.c
> +++ b/drivers/usb/gadget/function/u_ether.c
> @@ -113,6 +113,10 @@ static void eth_get_drvinfo(struct net_device *net, struct ethtool_drvinfo *p)
>  
>  	strscpy(p->driver, "g_ether", sizeof(p->driver));
>  	strscpy(p->version, UETH__VERSION, sizeof(p->version));
> +
> +	if (!dev->gadget)
> +		return;
> +
>  	strscpy(p->fw_version, dev->gadget->name, sizeof(p->fw_version));
>  	strscpy(p->bus_info, dev_name(&dev->gadget->dev), sizeof(p->bus_info));
>  }

Looks semi-sane, I'll pick this up through the USB tree now.

thanks,

greg k-h

Re: [PATCH RFC net-next] usb: gadget: u_ether: fix eth_get_drvinfo() oops

[Greg Kroah-Hartman]

On Sun, Mar 29, 2026 at 12:32:20PM +0100, Russell King (Oracle) wrote:
> The following oops was observed on the nVidia Jetson Xavier NX1
> platform with 7.0.0-rc5, which is caused by dev->gadget becoming NULL
> while the u_ether device is still visible to userspace. Adding some
> debug reveals that we see this sequence:
> 
> net usb1: gadget detached
> tegra-xudc 3550000.usb: ep 0 disabled
> net usb1: no gadget for drvinfo
> usb1 (unregistering): left allmulticast mode
> usb1 (unregistering): left promiscuous mode
> l4tbr0: port 2(usb1) entered disabled state
> 
> Put a sticky plaster over this (it's racy!) I suspect
> gether_detach_gadget() needs to at least take the RTNL as well to
> prevent ethtool ops running concurrently with the gadget being
> detached.
> 
> Unable to handle kernel NULL pointer dereference at virtual address 000000000000
> 00d0
> Mem abort info:
>   ESR = 0x0000000096000004
>   EC = 0x25: DABT (current EL), IL = 32 bits
>   SET = 0, FnV = 0
>   EA = 0, S1PTW = 0
>   FSC = 0x04: level 0 translation fault
> Data abort info:
>   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
>   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
>   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
> user pgtable: 4k pages, 48-bit VAs, pgdp=00000001086b1000
> [00000000000000d0] pgd=0000000000000000, p4d=0000000000000000
> Internal error: Oops: 0000000096000004 [#1]  SMP
> Modules linked in: snd_soc_tegra210_mvc snd_soc_tegra186_asrc snd_soc_tegra210_m
> ixer snd_soc_tegra210_admaif snd_soc_tegra_pcm snd_soc_tegra210_ope snd_soc_tegr
> a186_dspk snd_soc_tegra210_i2s snd_soc_simple_card_utils snd_soc_tegra210_dmic s
> nd_soc_tegra210_amx snd_soc_tegra210_adx snd_soc_tegra210_sfc rtw88_8822ce rtw88
> _8822c rtw88_pci rtw88_core mac80211 libarc4 sha256 cfg80211 snd_soc_tegra210_ah
> ub snd_soc_core snd_pcm_dmaengine snd_pcm snd_timer tegra210_adma zram tegra_drm
>  zsmalloc usb_f_ncm syscopyarea usb_f_mass_storage drm_client_lib sysfillrect sy
> simgblt ramoops fb_sys_fops reed_solomon nls_iso8859_1 drm_display_helper nls_cp437 vfat drm_kms_helper fb fat cec drm_dp_aux_bus tegra_aconnect usb_f_acm u_serial usb_f_rndis u_ether max77620_wdt realtek tegra_xudc phy_package snd phy_tegra194_p2u dwmac_dwc_qos_eth soundcore stmmac_platform pwm_tegra rtc_efi tegra186_gpc_dma virt_dma tegra_bpmp_thermal host1x pcie_tegra194 libcomposite udc_core drm drm_panel_orientation_quirks backlight efivarfs ip_tables
>  x_tables
> CPU: 1 UID: 0 PID: 4181 Comm: systemd-udevd Not tainted 7.0.0-rc5-net-next+ #640 PREEMPT
> Hardware name: NVIDIA NVIDIA Jetson Xavier NX Developer Kit/Jetson, BIOS 6.0-37391689 08/28/2024
> pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
> pc : eth_get_drvinfo+0x4c/0x80 [u_ether]
> lr : eth_get_drvinfo+0x40/0x80 [u_ether]
> sp : ffff80008484bb60
> x29: ffff80008484bb60 x28: ffff000083de18c0 x27: 0000000000000000
> x26: 0000000000000000 x25: ffff0000947da0a8 x24: 0000000000004000
> x23: ffff0000a38a5600 x22: 0000000000000000 x21: ffff80007a3a5558
> x20: ffff0000947da000 x19: ffff0000a38a5608 x18: 0000000000000000
> x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffe09af760
> x14: 0000000000000000 x13: 0000000000000020 x12: 0101010101010101
> x11: 7f7f7f7f7f7f7f7f x10: 00007ffff0071c50 x9 : 0000000000000020
> x8 : 0101010101010101 x7 : ffff0000a38a5634 x6 : fefefefefefefeff
> x5 : ffff0000a38a562c x4 : 0000000000383030 x3 : 0000000000383030
> x2 : 0000000000000020 x1 : 0000000000000000 x0 : ffff0000a38a564c
> Call trace:
>  eth_get_drvinfo+0x4c/0x80 [u_ether] (P)
>  ethtool_get_drvinfo+0x54/0x1e0
>  __dev_ethtool+0x698/0x2000
>  dev_ethtool+0x90/0x1a0
>  dev_ioctl+0x37c/0x594
>  sock_ioctl+0x390/0x5bc
>  __arm64_sys_ioctl+0x408/0xeb4
>  invoke_syscall.constprop.0+0x50/0xe0
>  do_el0_svc+0x40/0xc0
>  el0_svc+0x48/0x2a0
>  el0t_64_sync_handler+0xa0/0xe4
>  el0t_64_sync+0x19c/0x1a0
> Code: 95a68811 f9468a81 d2800402 91011260 (f9406821)
> ---[ end trace 0000000000000000 ]---
> 
> Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
> ---
> 
> 1. get_maintainers.pl is picking up on the PSTORE folk because of the
> mention of "ramoops" in the commit message... even though this has
> nothing to do with them.
> 
> 2. I think there's more bugs here as mentioned in the commit message,
> since setting dev->gadget to NULL without taking any locking while
> the u_ether device is still published to userspace looks mightily
> dangerous. Seems to be another kernel driver that fails to obey the
> basics discussed in OLS some twenty years ago concerning the order
> of setup/publish/unpublish/teardown... and we still don't seem to
> be able to get it right. :(
> 
> 3. Patch generated against the net-next tree, because that's what I'm
> working with being focussed on stmmac at the moment - but I would like
> my test platform not to oops and reboot itself when I instead want it
> to power off.
> 
>  drivers/usb/gadget/function/u_ether.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/drivers/usb/gadget/function/u_ether.c b/drivers/usb/gadget/function/u_ether.c
> index 1a9e7c495e2e..d1ae91889537 100644
> --- a/drivers/usb/gadget/function/u_ether.c
> +++ b/drivers/usb/gadget/function/u_ether.c
> @@ -113,6 +113,10 @@ static void eth_get_drvinfo(struct net_device *net, struct ethtool_drvinfo *p)
>  
>  	strscpy(p->driver, "g_ether", sizeof(p->driver));
>  	strscpy(p->version, UETH__VERSION, sizeof(p->version));
> +
> +	if (!dev->gadget)
> +		return;
> +
>  	strscpy(p->fw_version, dev->gadget->name, sizeof(p->fw_version));
>  	strscpy(p->bus_info, dev_name(&dev->gadget->dev), sizeof(p->bus_info));
>  }
> -- 
> 2.47.3

This is fixed much the same way in a patch that was sent before you, so
I'll take that one and get it into 7.0-final so that you don't trip over
this anymore.

thanks,

greg k-h