Re: [PATCH v2 0/7] usb: gadget: Fix net_device lifecycle with device_move

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Kuen-Han Tsai <khtsai@google.com>
Cc: Luca Weiss <luca.weiss@fairphone.com>,
	Felipe Balbi <balbi@ti.com>,
	Kyungmin Park <kyungmin.park@samsung.com>,
	David Heidelberg <david@ixit.cz>,
	Ernest Van Hoecke <ernest.vanhoecke@toradex.com>,
	Jon Hunter <jonathanh@nvidia.com>,
	LI Qingwu <Qing-wu.Li@leica-geosystems.com.cn>,
	linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
	stable@kernel.org
Subject: Re: [PATCH v2 0/7] usb: gadget: Fix net_device lifecycle with device_move
Date: Mon, 16 Mar 2026 07:35:45 +0100	[thread overview]
Message-ID: <2026031632-catwalk-reshuffle-c819@gregkh> (raw)
In-Reply-To: <CAKzKK0pEgC683icYco8YqPDSMWh47SKiZf_g1TX8N3syB2FhBw@mail.gmail.com>

On Mon, Mar 16, 2026 at 02:17:09PM +0800, Kuen-Han Tsai wrote:
> Hi Luca,
> 
> On Fri, Mar 13, 2026 at 8:40 PM Luca Weiss <luca.weiss@fairphone.com> wrote:
> >
> > Hi Kuen-Han,
> >
> > On Mon Mar 9, 2026 at 1:04 PM CET, Kuen-Han Tsai wrote:
> > > PROBLEMS
> > > --------
> > > The net_device in f_ncm is allocated at function instance creation
> > > and registered at bind time with the gadget device as its sysfs parent.
> > > When the gadget unbinds, the parent device is destroyed but the
> > > net_device survives, leaving dangling sysfs symlinks and a NULL pointer
> > > dereference when userspace accesses the orphaned interface:
> > >
> > > Problem 1: Unable to handle kernel NULL pointer dereference
> > >  Call trace:
> > >    __pi_strlen+0x14/0x150
> > >    rtnl_fill_ifinfo+0x6b4/0x708
> > >    rtmsg_ifinfo_build_skb+0xd8/0x13c
> > >    ...
> > >    netlink_sendmsg+0x2e0/0x3d4
> > >
> > > Problem 2: Dangling sysfs symlinks
> > >  console:/ # ls -l /sys/class/net/ncm0
> > >  lrwxrwxrwx ... /sys/class/net/ncm0 ->
> > >  /sys/devices/platform/.../gadget.0/net/ncm0
> > >  console:/ # ls -l /sys/devices/platform/.../gadget.0/net/ncm0
> > >  ls: .../gadget.0/net/ncm0: No such file or directory
> > >
> > > BACKGROUND & THE REVERTS
> > > ------------------------
> > > The deferred allocation causes a regression for userspace tools during
> > > network setup (such as the postmarketOS DHCP daemon). By moving the
> > > allocation out of alloc_inst, configfs returns the name pattern "usb%d"
> > > instead of the actual interface name (e.g., "usb0") when userspace reads
> > > the 'ifname' attribute.
> > >
> > > Investigating a fix for this naming issue revealed a deeper
> > > architectural flaw introduced by the series. Deferring the allocation to
> > > bind() means that a single function instance will spawn multiple network
> > > devices if it is symlinked to multiple USB configurations.
> > >
> > > Because all configurations tied to the same function instance are
> > > architecturally designed to share a single network device, and configfs
> > > only exposes a single 'ifname' attribute per instance, this 1-to-many
> > > bug cannot be safely patched.
> > >
> > > To restore the correct 1:1 mapping and resolve the userspace
> > > regressions, this series reverts the changes in reverse order, returning
> > > the net_device allocation back to the instance level (alloc_inst).
> > >
> > > THE NEW SOLUTION
> > > ----------------
> > > Use device_move() to reparent the net_device between the gadget device
> > > tree and /sys/devices/virtual across bind/unbind cycles. On the last
> > > unbind, device_move(NULL) moves the net_device to the virtual device
> > > tree before the gadget device is destroyed. On rebind, device_move()
> > > reparents it back under the new gadget, restoring proper sysfs topology
> > > and power management ordering.
> > >
> > > The 1:1 mapping between function instance and net_device is maintained,
> > > and configfs always reports the resolved interface name.
> > >
> > > A bind_count tracks how many configurations reference the function
> > > instance, ensuring device_move fires only on the first bind.
> > > __free(detach_gadget) ensures the net_device is moved back to virtual
> > > if bind fails after a successful device_move, preventing dangling
> > > sysfs on partial bind failure.
> >
> > Applying this series on v7.0-rc3 fixes the reported issues for me on
> > Qualcomm-based Fairphone (Gen. 6). For v7.0-rc3 the first two commits
> > need to be skipped, looks like the original commits are only in -next
> > and not in v7.0-rc?
> >
> > Tested-by: Luca Weiss <luca.weiss@fairphone.com> # milos-fairphone-fp6
> >
> > Thanks for fixing this!
> >
> > Regards
> > Luca
> 
> Thanks for testing.
> 
> That is correct. The first two commits:
> 
> - [Patch v2 1/7] Revert "usb: gadget: f_ncm: Fix atomic context locking issue"
> - [Patch v2 2/7] Revert "usb: legacy: ncm: Fix NPE in gncm_bind"
> 
> have not been merged into the mainline yet, so skipping them for your
> test was the right move. This series is based on Greg's usb-linus
> branch rather than the Linux's master branch.

These should all now be in 7.0-rc4, right?

thanks,

greg k-h

next prev parent reply	other threads:[~2026-03-16  6:36 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-03-09 12:04 [PATCH v2 0/7] usb: gadget: Fix net_device lifecycle with device_move Kuen-Han Tsai
2026-03-09 12:04 ` [PATCH v2 1/7] Revert "usb: gadget: f_ncm: Fix atomic context locking issue" Kuen-Han Tsai
2026-03-09 12:04 ` [PATCH v2 2/7] Revert "usb: legacy: ncm: Fix NPE in gncm_bind" Kuen-Han Tsai
2026-03-09 12:04 ` [PATCH v2 3/7] Revert "usb: gadget: f_ncm: align net_device lifecycle with bind/unbind" Kuen-Han Tsai
2026-03-09 12:04 ` [PATCH v2 4/7] Revert "usb: gadget: u_ether: Add auto-cleanup helper for freeing net_device" Kuen-Han Tsai
2026-03-09 12:04 ` [PATCH v2 5/7] Revert "usb: gadget: u_ether: use <linux/hex.h> header file" Kuen-Han Tsai
2026-03-09 12:04 ` [PATCH v2 6/7] Revert "usb: gadget: u_ether: add gether_opts for config caching" Kuen-Han Tsai
2026-03-09 12:04 ` [PATCH v2 7/7] usb: gadget: f_ncm: Fix net_device lifecycle with device_move Kuen-Han Tsai
2026-03-15  5:21   ` Val Packett
2026-03-16  6:03     ` Kuen-Han Tsai
2026-03-13 12:40 ` [PATCH v2 0/7] usb: gadget: " Luca Weiss
2026-03-16  6:17   ` Kuen-Han Tsai
2026-03-16  6:35     ` Greg Kroah-Hartman [this message]
2026-03-16  6:47       ` Kuen-Han Tsai

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=2026031632-catwalk-reshuffle-c819@gregkh \
    --to=gregkh@linuxfoundation.org \
    --cc=Qing-wu.Li@leica-geosystems.com.cn \
    --cc=balbi@ti.com \
    --cc=david@ixit.cz \
    --cc=ernest.vanhoecke@toradex.com \
    --cc=jonathanh@nvidia.com \
    --cc=khtsai@google.com \
    --cc=kyungmin.park@samsung.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-usb@vger.kernel.org \
    --cc=luca.weiss@fairphone.com \
    --cc=stable@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.