Commit ec35c1969650 ("usb: gadget: f_ncm: Fix net_device lifecycle with
device_move") reparents the gadget device to /sys/devices/virtual during
unbind, clearing the gadget pointer. If the userspace tool queries on
the surviving interface during this detached window, this leads to a
NULL pointer dereference.
Unable to handle kernel NULL pointer dereference
Call trace:
eth_get_drvinfo+0x50/0x90
ethtool_get_drvinfo+0x5c/0x1f0
__dev_ethtool+0xaec/0x1fe0
dev_ethtool+0x134/0x2e0
dev_ioctl+0x338/0x560
Add a NULL check for dev->gadget in eth_get_drvinfo(). When detached,
skip copying the fw_version and bus_info strings, which is natively
handled by ethtool_get_drvinfo for empty strings.
Suggested-by: Val Packett <val@packett.cool>
Reported-by: Val Packett <val@packett.cool>
Closes: https://lore.kernel.org/linux-usb/10890524-cf83-4a71-b879-93e2b2cc1fcc@packett.cool/
Fixes: ec35c1969650 ("usb: gadget: f_ncm: Fix net_device lifecycle with device_move")
Cc: stable@vger.kernel.org
Signed-off-by: Kuen-Han Tsai <khtsai@google.com>
---
drivers/usb/gadget/function/u_ether.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/gadget/function/u_ether.c b/drivers/usb/gadget/function/u_ether.c
index 1a9e7c495e2e..a653fae9c0cb 100644
--- a/drivers/usb/gadget/function/u_ether.c
+++ b/drivers/usb/gadget/function/u_ether.c
@@ -113,8 +113,10 @@ static void eth_get_drvinfo(struct net_device *net, struct ethtool_drvinfo *p)
strscpy(p->driver, "g_ether", sizeof(p->driver));
strscpy(p->version, UETH__VERSION, sizeof(p->version));
- strscpy(p->fw_version, dev->gadget->name, sizeof(p->fw_version));
- strscpy(p->bus_info, dev_name(&dev->gadget->dev), sizeof(p->bus_info));
+ if (dev->gadget) {
+ strscpy(p->fw_version, dev->gadget->name, sizeof(p->fw_version));
+ strscpy(p->bus_info, dev_name(&dev->gadget->dev), sizeof(p->bus_info));
+ }
}
/* REVISIT can also support:
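Review bot: The new `if (dev->gadget)` test and the two strscpy() calls under it each load dev->gadget separately, so if the unbind path described in the commit message clears the pointer between the test and one of the dereferences, the same NULL dereference is still reachable. Please say in the commit message what serializes eth_get_drvinfo() against that clearing (a lock held on both sides, for instance). If nothing does, read the pointer once into a local with READ_ONCE() and use only that local inside the block; that closes the gap between check and use, though the lifetime of the object the pointer refers to would still need its own argument.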
---
base-commit: d0d9b1f4f5391e6a00cee81d73ed2e8f98446d5f
change-id: 20260316-eth-null-deref-0304bb048267
Best regards,
--
Kuen-Han Tsai <khtsai@google.com>
On 16/03/2026 08:49, Kuen-Han Tsai wrote:
> Commit ec35c1969650 ("usb: gadget: f_ncm: Fix net_device lifecycle with
> device_move") reparents the gadget device to /sys/devices/virtual during
> unbind, clearing the gadget pointer. If the userspace tool queries on
> the surviving interface during this detached window, this leads to a
> NULL pointer dereference.
>
> Unable to handle kernel NULL pointer dereference
> Call trace:
> eth_get_drvinfo+0x50/0x90
> ethtool_get_drvinfo+0x5c/0x1f0
> __dev_ethtool+0xaec/0x1fe0
> dev_ethtool+0x134/0x2e0
> dev_ioctl+0x338/0x560
>
> Add a NULL check for dev->gadget in eth_get_drvinfo(). When detached,
> skip copying the fw_version and bus_info strings, which is natively
> handled by ethtool_get_drvinfo for empty strings.
>
> Suggested-by: Val Packett <val@packett.cool>
> Reported-by: Val Packett <val@packett.cool>
> Closes: https://lore.kernel.org/linux-usb/10890524-cf83-4a71-b879-93e2b2cc1fcc@packett.cool/
> Fixes: ec35c1969650 ("usb: gadget: f_ncm: Fix net_device lifecycle with device_move")
> Cc: stable@vger.kernel.org
> Signed-off-by: Kuen-Han Tsai <khtsai@google.com>
> ---
Works for us in sdm845-next too,
Tested-by: David Heidelberg <david@ixit.cz>
--
David Heidelberg
On 3/16/26 8:49 AM, Kuen-Han Tsai wrote:
> Commit ec35c1969650 ("usb: gadget: f_ncm: Fix net_device lifecycle with
> device_move") reparents the gadget device to /sys/devices/virtual during
> unbind, clearing the gadget pointer. If the userspace tool queries on
> the surviving interface during this detached window, this leads to a
> NULL pointer dereference.
>
> Unable to handle kernel NULL pointer dereference
> Call trace:
> eth_get_drvinfo+0x50/0x90
> ethtool_get_drvinfo+0x5c/0x1f0
> __dev_ethtool+0xaec/0x1fe0
> dev_ethtool+0x134/0x2e0
> dev_ioctl+0x338/0x560
>
> Add a NULL check for dev->gadget in eth_get_drvinfo(). When detached,
> skip copying the fw_version and bus_info strings, which is natively
> handled by ethtool_get_drvinfo for empty strings.
>
> Suggested-by: Val Packett <val@packett.cool>
> Reported-by: Val Packett <val@packett.cool>
> Closes: https://lore.kernel.org/linux-usb/10890524-cf83-4a71-b879-93e2b2cc1fcc@packett.cool/
> Fixes: ec35c1969650 ("usb: gadget: f_ncm: Fix net_device lifecycle with device_move")
> Cc: stable@vger.kernel.org
> Signed-off-by: Kuen-Han Tsai <khtsai@google.com>
> ---
> drivers/usb/gadget/function/u_ether.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/usb/gadget/function/u_ether.c b/drivers/usb/gadget/function/u_ether.c
> index 1a9e7c495e2e..a653fae9c0cb 100644
> --- a/drivers/usb/gadget/function/u_ether.c
> +++ b/drivers/usb/gadget/function/u_ether.c
> @@ -113,8 +113,10 @@ static void eth_get_drvinfo(struct net_device *net, struct ethtool_drvinfo *p)
>
> strscpy(p->driver, "g_ether", sizeof(p->driver));
> strscpy(p->version, UETH__VERSION, sizeof(p->version));
> - strscpy(p->fw_version, dev->gadget->name, sizeof(p->fw_version));
> - strscpy(p->bus_info, dev_name(&dev->gadget->dev), sizeof(p->bus_info));
> + if (dev->gadget) {
> + strscpy(p->fw_version, dev->gadget->name, sizeof(p->fw_version));
> + strscpy(p->bus_info, dev_name(&dev->gadget->dev), sizeof(p->bus_info));
> + }
> }
>
> /* REVISIT can also support:
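Review bot: Nothing at the `if (dev->gadget)` line records why the pointer can be NULL here or why leaving fw_version and bus_info unwritten is acceptable; that reasoning exists only in the commit message. A short comment above the check, along the lines of `/* gadget is NULL while detached after unbind; ethtool_get_drvinfo() handles the empty strings */`, would keep a later cleanup from dropping the test as dead code.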
>
> ---
> base-commit: d0d9b1f4f5391e6a00cee81d73ed2e8f98446d5f
> change-id: 20260316-eth-null-deref-0304bb048267
>
> Best regards,
Thank you for the patch! This does fix the null pointer dereference for me.
Tested-by: Aelin Reidel <aelin@mainlining.org>