rockchip64: fix USB gadget NULL pointer crash in eth_get_drvinfo (6.18 + 7.0)

[rubycomm]

Summary

• Port Ondrej Jirman's (megi) USB gadget dangling pointer fix from sunxi to rockchip64
• Prevents intermittent kernel panic in eth_get_drvinfo() when udev queries ethtool on a USB gadget ethernet interface during DWC3 bind/unbind cycles
• Applies to both current (6.18) and edge (7.0) kernel branches

Problem

When USB gadget ethernet (NCM/ECM/RNDIS) is configured, the DWC3 controller may destroy and re-create the gadget during role switching. If udev probes the network interface via ethtool during this window, eth_get_drvinfo() dereferences a NULL dev->gadget pointer, causing a kernel panic:

[   16.697591] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000068
[   16.707044] pc : eth_get_drvinfo+0x58/0x118 [u_ether]

This crash is intermittent — it depends on timing between udev and the gadget bind/unbind cycle.

Fix

The patch (originally by Ondrej Jirman / megi, already applied in sunxi):

• Adds NULL check for dev->gadget in eth_get_drvinfo()
• Sets gadget pointer to NULL in unbind callbacks for ECM, EEM, RNDIS, and subset functions
• Removes SET_NETDEV_DEV() parenting that creates stale references after gadget destruction
• Adds proper mutex locking around bind sequences

Note: The f_ncm.c hunks from the original patch are excluded because mainline already handles NCM gadget lifecycle via gether_attach_gadget()/gether_detach_gadget().

Test plan

• Patch applies cleanly to both 6.18 and 7.0 kernel source trees (git apply --check)
• Kernel builds successfully with patch applied
• USB gadget NCM interface loads and ethtool -i usb0 returns without crash
• 8 consecutive reboot cycles with zero panics, zero warnings
• Tested on NanoPi Zero2 (RK3528) with 6.18.20-current-rockchip64

Summary by CodeRabbit

• Bug Fixes
  • Fixed USB gadget network device issues occurring during repeated device creation and destruction cycles that could cause system instability
  • Improved gadget pointer state management for enhanced reliability
  • Strengthened NULL pointer safety checks in gadget operations

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 59336eef-dec8-4aff-a1e3-f1df2690f213

📥 Commits

Reviewing files that changed from the base of the PR and between 64c2128 and a26b091.

📒 Files selected for processing (2)

• patch/kernel/archive/rockchip64-6.18/general-usb-gadget-fix-dangling-pointer-in-netdev-private-data.patch
• patch/kernel/archive/rockchip64-7.0/general-usb-gadget-fix-dangling-pointer-in-netdev-private-data.patch

---

📝 Walkthrough

Walkthrough

These patches eliminate stale gadget pointers persisting in netdev private data across gadget destroy/recreate cycles. They synchronize gadget pointer updates during bind via gether_set_gadget() with appropriate locking, clear pointers during unbind, remove netdev-to-gadget device parenting, and add NULL-safety checks for driver info population across USB Ethernet gadget functions.

Changes

Cohort / File(s)	Summary
USB Gadget Ethernet Functions (Bind/Unbind Synchronization) drivers/usb/gadget/function/f_ecm.c, drivers/usb/gadget/function/f_eem.c, drivers/usb/gadget/function/f_rndis.c, drivers/usb/gadget/function/f_subset.c	Updated bind paths to set gadget pointer via gether_set_gadget(opts->net, cdev->gadget) under opts lock and mark netdev as bound only on success; unbind paths now clear gadget association with gether_set_gadget(opts->net, NULL) after resource cleanup.
Core Ethernet Gadget Module drivers/usb/gadget/function/u_ether.c	Removed netdev-to-gadget device parenting in gether_setup_name() and gether_set_gadget(); removed parent-check validation in gether_register_netdev() that previously rejected registration; hardened eth_get_drvinfo() to safely handle NULL gadget before copying firmware/bus info.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 Pointers were dangling, so ghostly and stray,
Through gadget rebinds they would haunt every day,
Now synchronized locks keep them locked in their place,
Unbind clears the paths—no stale traces to chase!
The netdev stands freely, unparented and bright,
Our USB gathers run safer at night! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly identifies the primary fix (USB gadget NULL pointer crash in eth_get_drvinfo) and specifies both affected kernel versions (6.18 + 7.0), accurately reflecting the main change in the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}