Hi!

I can reliably produce an oops + reboot on sama5d2 when attempting to remove a gadget configuration from configfs.

The stack trace follows:

------------[ cut here ]------------
WARNING: CPU: 0 PID: 1109 at drivers/usb/gadget/function/u_serial.c:1184 gserial_free_port+0xe4/0xec
Modules linked in: can_raw can at91_sama5d2_adc industrialio_triggered_buffer kfifo_buf gpio_sama5d2_piobu industrialio m_can_platform m_can sdhci_of_at91 can_dev sdhci_pltfm sdhci mmc_core ohci_at91 ohci_hcd ehci_atmel sch_fq_codel prox2_hal(O)
CPU: 0 PID: 1109 Comm: rmdir Tainted: G O 5.7.6-prox2+ #1
Hardware name: Atmel SAMA5
[<c010c5a0>] (unwind_backtrace) from [<c0109ef4>] (show_stack+0x10/0x14)
[<c0109ef4>] (show_stack) from [<c012a4f8>] (__warn+0xbc/0xd4)
[<c012a4f8>] (__warn) from [<c012a574>] (warn_slowpath_fmt+0x64/0xc4)
[<c012a574>] (warn_slowpath_fmt) from [<c04c0f4c>] (gserial_free_port+0xe4/0xec)
[<c04c0f4c>] (gserial_free_port) from [<c04c0f94>] (gserial_free_line+0x40/0x74)
[<c04c0f94>] (gserial_free_line) from [<c04c0a8c>] (acm_free_instance+0x10/0x1c)
[<c04c0a8c>] (acm_free_instance) from [<c04b9f2c>] (usb_put_function_instance+0x1c/0x28)
[<c04b9f2c>] (usb_put_function_instance) from [<c027f8b4>] (config_item_put.part.0+0x90/0xb0)
[<c027f8b4>] (config_item_put.part.0) from [<c027e2bc>] (configfs_rmdir+0x1b4/0x270)
[<c027e2bc>] (configfs_rmdir) from [<c0203560>] (vfs_rmdir+0x6c/0x1b4)
[<c0203560>] (vfs_rmdir) from [<c02077b8>] (do_rmdir+0x154/0x1bc)
[<c02077b8>] (do_rmdir) from [<c0100060>] (ret_fast_syscall+0x0/0x54)
Exception stack(0xc118bfa8 to 0xc118bff0)
bfa0: bea1de4d bea1dd38 bea1de4d 00000001 00493a74 b6e770e8
bfc0: bea1de4d bea1dd38 00000000 00000028 0047c6d4 0047c2b0 00000000 00000000
bfe0: 00493b5c bea1db94 004509a3 b6e18858
---[ end trace db1d6cc2dc22fb43 ]---
8<--- cut here ---
Unable to handle kernel NULL pointer dereference at virtual address 00000004
pgd = 4b49c8b1
[00000004] *pgd=00000000
Internal error: Oops: 80000005 [#1] ARM
Modules linked in: can_raw can at91_sama5d2_adc industrialio_triggered_buffer kfifo_buf gpio_sama5d2_piobu industrialio m_can_platform m_can sdhci_of_at91 can_dev sdhci_pltfm sdhci mmc_core ohci_at91 ohci_hcd ehci_atmel sch_fq_codel prox2_hal(O)
CPU: 0 PID: 1111 Comm: rmdir Tainted: G W O 5.7.6-prox2+ #1
Hardware name: Atmel SAMA5
PC is at 0x4
LR is at eth_stop+0x4c/0xa4
pc : [<00000004>] lr : [<c04c2470>] psr: 200f0093
sp : c1223de0 ip : 000003e8 fp : c78e3d40
r10: 00000000 r9 : c0899e04 r8 : 00000001
r7 : 00000001 r6 : a00f0013 r5 : c6014000 r4 : c62eb300
r3 : 00000004 r2 : c785f980 r1 : a00f0013 r0 : c62eb300
Flags: nzCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment none
Control: 10c53c7d Table: 21224059 DAC: 00000051
Process rmdir (pid: 1111, stack limit = 0xbbf9cfde)
Stack: (0xc1223de0 to 0xc1224000)
[<c04c2470>] (eth_stop) from [<c05515cc>] (__dev_close_many+0xac/0x12c)
[<c05515cc>] (__dev_close_many) from [<c05516cc>] (dev_close_many+0x80/0x118)
[<c05516cc>] (dev_close_many) from [<c055256c>] (rollback_registered_many+0x114/0x504)
[<c055256c>] (rollback_registered_many) from [<c05529f4>] (unregister_netdevice_queue+0x98/0x124)
[<c05529f4>] (unregister_netdevice_queue) from [<c0552a98>] (unregister_netdev+0x18/0x20)
[<c0552a98>] (unregister_netdev) from [<c04c2cd8>] (gether_cleanup+0x14/0x28)
[<c04c2cd8>] (gether_cleanup) from [<c04c3d2c>] (ecm_free_inst+0x20/0x3c)
[<c04c3d2c>] (ecm_free_inst) from [<c04b9f2c>] (usb_put_function_instance+0x1c/0x28)
[<c04b9f2c>] (usb_put_function_instance) from [<c027f8b4>] (config_item_put.part.0+0x90/0xb0)
[<c027f8b4>] (config_item_put.part.0) from [<c027e2bc>] (configfs_rmdir+0x1b4/0x270)
[<c027e2bc>] (configfs_rmdir) from [<c0203560>] (vfs_rmdir+0x6c/0x1b4)
[<c0203560>] (vfs_rmdir) from [<c02077b8>] (do_rmdir+0x154/0x1bc)
[<c02077b8>] (do_rmdir) from [<c0100060>] (ret_fast_syscall+0x0/0x54)
Exception stack(0xc1223fa8 to 0xc1223ff0)
3fa0: be84ce4c be84cd38 be84ce4c 00000001 004e9a74 b6f6d0e8
3fc0: be84ce4c be84cd38 00000000 00000028 004d26d4 004d22b0 00000000 00000000
3fe0: 004e9b5c be84cb94 004a69a3 b6f0e858
Code: bad PC value
---[ end trace db1d6cc2dc22fb44 ]---

The tainted flag is set, but it has nothing to do with the oops. I can produce another trace with the module unloaded if needed to remove the flag.

The oops occurs when I do the following:

rmdir /sys/kernel/config/usb_gadget/prox2/functions/ecm.usb0

I have been able to reproduce on kernels ranging from 4.4.x to 5.7.6.

This is the script that I am using to start / stop the gadget device:

#!/bin/sh

grep -q configfs /proc/mounts || mount -t configfs none /sys/kernel/config

case "$1" in
"start" )
    if [ -e /sys/kernel/config/usb_gadget/prox2 ]; then
        exit 0
    fi
    mkdir -p /sys/kernel/config/usb_gadget/prox2
    echo 0x0004 > /sys/kernel/config/usb_gadget/prox2/idVendor
    echo 0xF00D > /sys/kernel/config/usb_gadget/prox2/idProduct
    mkdir -p /sys/kernel/config/usb_gadget/prox2/strings/0x409
    echo "Internet Widgets, LTD" > /sys/kernel/config/usb_gadget/prox2/strings/0x409/manufacturer
    echo nano-cv > /sys/kernel/config/usb_gadget/prox2/strings/0x409/product
    mkdir -p /sys/kernel/config/usb_gadget/prox2/functions/acm.GS0
    mkdir -p /sys/kernel/config/usb_gadget/prox2/functions/ecm.usb0
    mkdir -p /sys/kernel/config/usb_gadget/prox2/configs/
    mkdir -p /sys/kernel/config/usb_gadget/prox2/configs/c.1
    mkdir -p /sys/kernel/config/usb_gadget/prox2/configs/c.1/strings/0x409
    echo "CDC ACM+ECM" > /sys/kernel/config/usb_gadget/prox2/configs/c.1/strings/0x409/configuration
    ln -s /sys/kernel/config/usb_gadget/prox2/functions/acm.GS0 /sys/kernel/config/usb_gadget/prox2/configs/c.1/
    ln -s /sys/kernel/config/usb_gadget/prox2/functions/ecm.usb0 /sys/kernel/config/usb_gadget/prox2/configs/c.1/
    echo 300000.gadget > /sys/kernel/config/usb_gadget/prox2/UDC
    ;;
"stop" )
    if [ -e /sys/kernel/config/usb_gadget/prox2/UDC ]; then
        echo > /sys/kernel/config/usb_gadget/prox2/UDC 2>/dev/null
        rm -f /sys/kernel/config/usb_gadget/prox2/configs/c.1/acm.GS0 /sys/kernel/config/usb_gadget/prox2/configs/c.1/ecm.usb0
        rmdir /sys/kernel/config/usb_gadget/prox2/configs/c.1/strings/0x409 2>/dev/null
        rmdir /sys/kernel/config/usb_gadget/prox2/configs/c.1 2>/dev/null
        rmdir /sys/kernel/config/usb_gadget/prox2/configs 2>/dev/null
        rmdir /sys/kernel/config/usb_gadget/prox2/functions/acm.GS0 2>/dev/null
        rmdir /sys/kernel/config/usb_gadget/prox2/functions/ecm.usb0 2>/dev/null
        rmdir /sys/kernel/config/usb_gadget/prox2/strings/0x409 2>/dev/null
        rmdir /sys/kernel/config/usb_gadget/prox2 2>/dev/null
    fi
    ;;
* )
    echo "Usage: gadget [start | stop]"
    exit 255
    ;;
esac

exit 0

Am I doing something incorrectly? What can I do to debug this further?

All the best,
Mark Deneen
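
Added example, not part of the original message: the stop branch of the script discards every rmdir error with 2>/dev/null, so this read-only helper reports what still references the gadget's function instances before they are removed. The function name gadget_teardown_state and passing the gadget directory as an argument are assumptions for illustration; the directory layout is the one the script creates.

```shell
#!/bin/sh
# Added example (not from the original message): read-only report of what
# still references a configfs gadget before its directories are removed.
# Usage: gadget_teardown_state /sys/kernel/config/usb_gadget/prox2
# Prints one line per finding. Returns 0 if nothing is bound or linked,
# 1 if something is, 2 if the gadget directory does not exist.
gadget_teardown_state() {
    g=$1
    rc=0
    [ -d "$g" ] || { echo "missing: $g"; return 2; }

    # A non-empty UDC file means the gadget is still bound to a controller.
    if [ -e "$g/UDC" ]; then
        udc=$(cat "$g/UDC" 2>/dev/null)
        if [ -n "$udc" ]; then
            echo "bound: UDC=$udc"
            rc=1
        fi
    fi

    # Each symlink under configs/<name>/ keeps a function instance linked
    # into a configuration (strings/ is a real directory and is skipped).
    for link in "$g"/configs/*/*; do
        [ -L "$link" ] || continue
        echo "linked: ${link#"$g"/} -> $(readlink "$link")"
        rc=1
    done

    # List the function instances that the stop path is about to rmdir.
    for f in "$g"/functions/*; do
        [ -d "$f" ] || continue
        echo "function: ${f##*/}"
    done
    return $rc
}
```

Calling it between the steps of the stop branch, with the 2>/dev/null redirections dropped, shows which step left the gadget bound or a function still linked.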