Re: [PATCH 3/3] usb: gadget: f_ncm: align net_device lifecycle with bind/unbind

[David Heidelberg]

On 30/12/2025 11:13, Kuen-Han Tsai wrote:
> Currently, the net_device is allocated in ncm_alloc_inst() and freed in
> ncm_free_inst(). This ties the network interface's lifetime to the
> configuration instance rather than the USB connection (bind/unbind).
>
> This decoupling causes issues when the USB gadget is disconnected where
> the underlying gadget device is removed. The net_device can outlive its
> parent, leading to dangling sysfs links and NULL pointer dereferences
> when accessing the freed gadget device.
>
> Problem 1: NULL pointer dereference on disconnect
>   Unable to handle kernel NULL pointer dereference at virtual address
>   0000000000000000
>   Call trace:
>     __pi_strlen+0x14/0x150
>     rtnl_fill_ifinfo+0x6b4/0x708
>     rtmsg_ifinfo_build_skb+0xd8/0x13c
>     rtmsg_ifinfo+0x50/0xa0
>     __dev_notify_flags+0x4c/0x1f0
>     dev_change_flags+0x54/0x70
>     do_setlink+0x390/0xebc
>     rtnl_newlink+0x7d0/0xac8
>     rtnetlink_rcv_msg+0x27c/0x410
>     netlink_rcv_skb+0x134/0x150
>     rtnetlink_rcv+0x18/0x28
>     netlink_unicast+0x254/0x3f0
>     netlink_sendmsg+0x2e0/0x3d4
>
> Problem 2: Dangling sysfs symlinks
>   console:/ # ls -l /sys/class/net/ncm0
>   lrwxrwxrwx ... /sys/class/net/ncm0 ->
>   /sys/devices/platform/.../gadget.0/net/ncm0
>   console:/ # ls -l /sys/devices/platform/.../gadget.0/net/ncm0
>   ls: .../gadget.0/net/ncm0: No such file or directory
>
> Move the net_device allocation to ncm_bind() and deallocation to
> ncm_unbind(). This ensures the network interface exists only when the
> gadget function is actually bound to a configuration.
>
> To support pre-bind configuration (e.g., setting interface name or MAC
> address via configfs), cache user-provided options in f_ncm_opts
> using the gether_opts structure. Apply these cached settings to the
> net_device upon creation in ncm_bind().
>
> Preserve the use-after-free fix from commit 6334b8e4553c ("usb: gadget:
> f_ncm: Fix UAF ncm object at re-bind after usb ep transport error").
> Check opts->net in ncm_set_alt() and ncm_disable() to ensure
> gether_disconnect() runs only if a connection was established.
>
> Fixes: 40d133d7f542 ("usb: gadget: f_ncm: convert to new function interface with backward compatibility")
> Cc: stable@xxxxxxxxxx
> Signed-off-by: Kuen-Han Tsai <khtsai@xxxxxxxxxx>
> ---
>   drivers/usb/gadget/function/f_ncm.c | 128 ++++++++++++++++++------------------
>   drivers/usb/gadget/function/u_ncm.h |   4 +-
>   2 files changed, 66 insertions(+), 66 deletions(-)

Just for sure writing here too, this patch (even including fixes from 
next-20260227) breaks Snapdragon 845 USB, and also I seen someone from 
MSM8960, so likely it applies on bigger variety of Qualcomm generations.

Ref:
https://lore.kernel.org/all/70b558ea-a12e-4170-9b8e/c951131249af@xxxxxxx/

David

--
David Heidelberg