Re: [PATCH v2 0/7] usb: gadget: Fix net_device lifecycle with device_move

[Luca Weiss]

Hi Kuen-Han,

On Mon Mar 9, 2026 at 1:04 PM CET, Kuen-Han Tsai wrote:
> PROBLEMS
> --------
> The net_device in f_ncm is allocated at function instance creation
> and registered at bind time with the gadget device as its sysfs parent.
> When the gadget unbinds, the parent device is destroyed but the
> net_device survives, leaving dangling sysfs symlinks and a NULL pointer
> dereference when userspace accesses the orphaned interface:
>
> Problem 1: Unable to handle kernel NULL pointer dereference
>  Call trace:
>    __pi_strlen+0x14/0x150
>    rtnl_fill_ifinfo+0x6b4/0x708
>    rtmsg_ifinfo_build_skb+0xd8/0x13c
>    ...
>    netlink_sendmsg+0x2e0/0x3d4
>
> Problem 2: Dangling sysfs symlinks
>  console:/ # ls -l /sys/class/net/ncm0
>  lrwxrwxrwx ... /sys/class/net/ncm0 ->
>  /sys/devices/platform/.../gadget.0/net/ncm0
>  console:/ # ls -l /sys/devices/platform/.../gadget.0/net/ncm0
>  ls: .../gadget.0/net/ncm0: No such file or directory
>
> BACKGROUND & THE REVERTS
> ------------------------
> The deferred allocation causes a regression for userspace tools during
> network setup (such as the postmarketOS DHCP daemon). By moving the
> allocation out of alloc_inst, configfs returns the name pattern "usb%d"
> instead of the actual interface name (e.g., "usb0") when userspace reads
> the 'ifname' attribute.
>
> Investigating a fix for this naming issue revealed a deeper
> architectural flaw introduced by the series. Deferring the allocation to
> bind() means that a single function instance will spawn multiple network
> devices if it is symlinked to multiple USB configurations.
>
> Because all configurations tied to the same function instance are
> architecturally designed to share a single network device, and configfs
> only exposes a single 'ifname' attribute per instance, this 1-to-many
> bug cannot be safely patched.
>
> To restore the correct 1:1 mapping and resolve the userspace
> regressions, this series reverts the changes in reverse order, returning
> the net_device allocation back to the instance level (alloc_inst).
>
> THE NEW SOLUTION
> ----------------
> Use device_move() to reparent the net_device between the gadget device
> tree and /sys/devices/virtual across bind/unbind cycles. On the last
> unbind, device_move(NULL) moves the net_device to the virtual device
> tree before the gadget device is destroyed. On rebind, device_move()
> reparents it back under the new gadget, restoring proper sysfs topology
> and power management ordering. 
>
> The 1:1 mapping between function instance and net_device is maintained,
> and configfs always reports the resolved interface name.
>
> A bind_count tracks how many configurations reference the function
> instance, ensuring device_move fires only on the first bind.
> __free(detach_gadget) ensures the net_device is moved back to virtual
> if bind fails after a successful device_move, preventing dangling
> sysfs on partial bind failure.

Applying this series on v7.0-rc3 fixes the reported issues for me on
Qualcomm-based Fairphone (Gen. 6). For v7.0-rc3 the first two commits
need to be skipped, looks like the original commits are only in -next
and not in v7.0-rc?

Tested-by: Luca Weiss <luca.weiss@xxxxxxxxxxxxx> # milos-fairphone-fp6

Thanks for fixing this!

Regards
Luca

>
> Reported-by: David Heidelberg <david@xxxxxxx>
> Link: https://lore.kernel.org/linux-usb/70b558ea-a12e-4170-9b8e-c951131249af@xxxxxxx/
> Signed-off-by: Kuen-Han Tsai <khtsai@xxxxxxxxxx>
> ---
> Changes in v2:
> - Introduce a new solution
> - Link to v1: https://lore.kernel.org/r/20260304-f-ncm-revert-v1-0-57c9157b58af@xxxxxxxxxx
>
> ---
> Kuen-Han Tsai (7):
>       Revert "usb: gadget: f_ncm: Fix atomic context locking issue"
>       Revert "usb: legacy: ncm: Fix NPE in gncm_bind"
>       Revert "usb: gadget: f_ncm: align net_device lifecycle with bind/unbind"
>       Revert "usb: gadget: u_ether: Add auto-cleanup helper for freeing net_device"
>       Revert "usb: gadget: u_ether: use <linux/hex.h> header file"
>       Revert "usb: gadget: u_ether: add gether_opts for config caching"
>       usb: gadget: f_ncm: Fix net_device lifecycle with device_move
>
>  drivers/usb/gadget/function/f_ncm.c            | 129 +++++++++++--------
>  drivers/usb/gadget/function/u_ether.c          |  67 ++++------
>  drivers/usb/gadget/function/u_ether.h          |  56 ++++-----
>  drivers/usb/gadget/function/u_ether_configfs.h | 168 -------------------------
>  drivers/usb/gadget/function/u_ncm.h            |   5 +-
>  drivers/usb/gadget/legacy/ncm.c                |  13 +-
>  6 files changed, 127 insertions(+), 311 deletions(-)
> ---
> base-commit: 1be3b77de4eb89af8ae2fd6610546be778e25589
> change-id: 20260304-f-ncm-revert-490a66ae8da0
>
> Best regards,