Re: [PATCH v2 0/7] usb: gadget: Fix net_device lifecycle with device_move
From: Kuen-Han Tsai
Date: Mon Mar 16 2026 - 02:17:46 EST
Hi Luca,
On Fri, Mar 13, 2026 at 8:40 PM Luca Weiss <luca.weiss@xxxxxxxxxxxxx> wrote:
>
> Hi Kuen-Han,
>
> On Mon Mar 9, 2026 at 1:04 PM CET, Kuen-Han Tsai wrote:
> > PROBLEMS
> > --------
> > The net_device in f_ncm is allocated at function instance creation
> > and registered at bind time with the gadget device as its sysfs parent.
> > When the gadget unbinds, the parent device is destroyed but the
> > net_device survives, leaving dangling sysfs symlinks and a NULL pointer
> > dereference when userspace accesses the orphaned interface:
> >
> > Problem 1: Unable to handle kernel NULL pointer dereference
> > Call trace:
> > __pi_strlen+0x14/0x150
> > rtnl_fill_ifinfo+0x6b4/0x708
> > rtmsg_ifinfo_build_skb+0xd8/0x13c
> > ...
> > netlink_sendmsg+0x2e0/0x3d4
> >
> > Problem 2: Dangling sysfs symlinks
> > console:/ # ls -l /sys/class/net/ncm0
> > lrwxrwxrwx ... /sys/class/net/ncm0 ->
> > /sys/devices/platform/.../gadget.0/net/ncm0
> > console:/ # ls -l /sys/devices/platform/.../gadget.0/net/ncm0
> > ls: .../gadget.0/net/ncm0: No such file or directory
> >
> > BACKGROUND & THE REVERTS
> > ------------------------
> > The deferred allocation causes a regression for userspace tools during
> > network setup (such as the postmarketOS DHCP daemon). By moving the
> > allocation out of alloc_inst, configfs returns the name pattern "usb%d"
> > instead of the actual interface name (e.g., "usb0") when userspace reads
> > the 'ifname' attribute.
> >
> > Investigating a fix for this naming issue revealed a deeper
> > architectural flaw introduced by the series. Deferring the allocation to
> > bind() means that a single function instance will spawn multiple network
> > devices if it is symlinked to multiple USB configurations.
> >
> > Because all configurations tied to the same function instance are
> > architecturally designed to share a single network device, and configfs
> > only exposes a single 'ifname' attribute per instance, this 1-to-many
> > bug cannot be safely patched.
> >
> > To restore the correct 1:1 mapping and resolve the userspace
> > regressions, this series reverts the changes in reverse order, returning
> > the net_device allocation back to the instance level (alloc_inst).
> >
> > THE NEW SOLUTION
> > ----------------
> > Use device_move() to reparent the net_device between the gadget device
> > tree and /sys/devices/virtual across bind/unbind cycles. On the last
> > unbind, device_move(NULL) moves the net_device to the virtual device
> > tree before the gadget device is destroyed. On rebind, device_move()
> > reparents it back under the new gadget, restoring proper sysfs topology
> > and power management ordering.
> >
> > The 1:1 mapping between function instance and net_device is maintained,
> > and configfs always reports the resolved interface name.
> >
> > A bind_count tracks how many configurations reference the function
> > instance, ensuring device_move fires only on the first bind.
> > __free(detach_gadget) ensures the net_device is moved back to virtual
> > if bind fails after a successful device_move, preventing dangling
> > sysfs on partial bind failure.
>
> Applying this series on v7.0-rc3 fixes the reported issues for me on
> Qualcomm-based Fairphone (Gen. 6). For v7.0-rc3 the first two commits
> need to be skipped, looks like the original commits are only in -next
> and not in v7.0-rc?
>
> Tested-by: Luca Weiss <luca.weiss@xxxxxxxxxxxxx> # milos-fairphone-fp6
>
> Thanks for fixing this!
>
> Regards
> Luca

Thanks for testing.

That is correct. The first two commits:

- [Patch v2 1/7] Revert "usb: gadget: f_ncm: Fix atomic context locking issue"
- [Patch v2 2/7] Revert "usb: legacy: ncm: Fix NPE in gncm_bind"

have not been merged into the mainline yet, so skipping them for your
test was the right move. This series is based on Greg's usb-linus
branch rather than Linux's master branch.

Thanks again!

Regards,
Kuen-Han

>
> >
> > Reported-by: David Heidelberg <david@xxxxxxx>
> > Link: https://lore.kernel.org/linux-usb/70b558ea-a12e-4170-9b8e-c951131249af@xxxxxxx/
> > Signed-off-by: Kuen-Han Tsai <khtsai@xxxxxxxxxx>
> > ---
> > Changes in v2:
> > - Introduce a new solution
> > - Link to v1: https://lore.kernel.org/r/20260304-f-ncm-revert-v1-0-57c9157b58af@xxxxxxxxxx
> >
> > ---
> > Kuen-Han Tsai (7):
> > Revert "usb: gadget: f_ncm: Fix atomic context locking issue"
> > Revert "usb: legacy: ncm: Fix NPE in gncm_bind"
> > Revert "usb: gadget: f_ncm: align net_device lifecycle with bind/unbind"
> > Revert "usb: gadget: u_ether: Add auto-cleanup helper for freeing net_device"
> > Revert "usb: gadget: u_ether: use <linux/hex.h> header file"
> > Revert "usb: gadget: u_ether: add gether_opts for config caching"
> > usb: gadget: f_ncm: Fix net_device lifecycle with device_move
> >
> > drivers/usb/gadget/function/f_ncm.c | 129 +++++++++++--------
> > drivers/usb/gadget/function/u_ether.c | 67 ++++------
> > drivers/usb/gadget/function/u_ether.h | 56 ++++-----
> > drivers/usb/gadget/function/u_ether_configfs.h | 168 -------------------------
> > drivers/usb/gadget/function/u_ncm.h | 5 +-
> > drivers/usb/gadget/legacy/ncm.c | 13 +-
> > 6 files changed, 127 insertions(+), 311 deletions(-)
> > ---
> > base-commit: 1be3b77de4eb89af8ae2fd6610546be778e25589
> > change-id: 20260304-f-ncm-revert-490a66ae8da0
> >
> > Best regards,
>
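
The bind/unbind bookkeeping described under "THE NEW SOLUTION" in the quoted cover letter, as an added userspace model that is not part of the original thread or of the patch series. The struct, enum and function names are hypothetical; only bind_count and the three behaviours (reparent on first bind, move to virtual on last unbind, roll back when a bind fails after the move) come from the cover letter.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only; names are hypothetical, not taken from f_ncm.c. */
enum parent { PARENT_VIRTUAL, PARENT_GADGET };

struct ncm_inst {
    int bind_count;      /* configurations currently bound to this instance */
    enum parent parent;  /* where the net_device sits in the device tree */
    int moves;           /* how many reparent operations were performed */
};

/* Stand-in for device_move(): records the new parent. */
static void move_dev(struct ncm_inst *i, enum parent p)
{
    i->parent = p;
    i->moves++;
}

/* Bind one configuration. later_step_fails simulates an error after the move. */
static int model_bind(struct ncm_inst *i, bool later_step_fails)
{
    bool moved = false;

    if (i->bind_count == 0) {          /* first bind: reparent under gadget */
        move_dev(i, PARENT_GADGET);
        moved = true;
    }
    if (later_step_fails) {
        if (moved)                     /* undo only the move this call made */
            move_dev(i, PARENT_VIRTUAL);
        return -1;
    }
    i->bind_count++;
    return 0;
}

/* Unbind one configuration; the last unbind moves the device to virtual. */
static void model_unbind(struct ncm_inst *i)
{
    if (--i->bind_count == 0)
        move_dev(i, PARENT_VIRTUAL);
}

int main(void)
{
    struct ncm_inst i = { 0, PARENT_VIRTUAL, 0 };
    model_bind(&i, false); model_bind(&i, false);
    model_unbind(&i); model_unbind(&i);
    printf("parent=%s moves=%d\n",
           i.parent == PARENT_VIRTUAL ? "virtual" : "gadget", i.moves);
    return 0;
}
```

In the model, a failed bind on an instance that is already bound to another configuration leaves the device under the gadget, since that call did not perform the move.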