Re: [PATCH v2 0/7] usb: gadget: Fix net_device lifecycle with device_move

public inbox for linux-usb@vger.kernel.org
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Kuen-Han Tsai <khtsai@google.com>
Cc: Luca Weiss <luca.weiss@fairphone.com>,
	Felipe Balbi <balbi@ti.com>,
	Kyungmin Park <kyungmin.park@samsung.com>,
	David Heidelberg <david@ixit.cz>,
	Ernest Van Hoecke <ernest.vanhoecke@toradex.com>,
	Jon Hunter <jonathanh@nvidia.com>,
	LI Qingwu <Qing-wu.Li@leica-geosystems.com.cn>,
	linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
	stable@kernel.org
Subject: Re: [PATCH v2 0/7] usb: gadget: Fix net_device lifecycle with device_move
Date: Mon, 16 Mar 2026 07:35:45 +0100	[thread overview]
Message-ID: <2026031632-catwalk-reshuffle-c819@gregkh> (raw)
In-Reply-To: <CAKzKK0pEgC683icYco8YqPDSMWh47SKiZf_g1TX8N3syB2FhBw@mail.gmail.com>

On Mon, Mar 16, 2026 at 02:17:09PM +0800, Kuen-Han Tsai wrote:
> Hi Luca,
> 
> On Fri, Mar 13, 2026 at 8:40 PM Luca Weiss <luca.weiss@fairphone.com> wrote:
> >
> > Hi Kuen-Han,
> >
> > On Mon Mar 9, 2026 at 1:04 PM CET, Kuen-Han Tsai wrote:
> > > PROBLEMS
> > > --------
> > > The net_device in f_ncm is allocated at function instance creation
> > > and registered at bind time with the gadget device as its sysfs parent.
> > > When the gadget unbinds, the parent device is destroyed but the
> > > net_device survives, leaving dangling sysfs symlinks and a NULL pointer
> > > dereference when userspace accesses the orphaned interface:
> > >
> > > Problem 1: Unable to handle kernel NULL pointer dereference
> > >  Call trace:
> > >    __pi_strlen+0x14/0x150
> > >    rtnl_fill_ifinfo+0x6b4/0x708
> > >    rtmsg_ifinfo_build_skb+0xd8/0x13c
> > >    ...
> > >    netlink_sendmsg+0x2e0/0x3d4
> > >
> > > Problem 2: Dangling sysfs symlinks
> > >  console:/ # ls -l /sys/class/net/ncm0
> > >  lrwxrwxrwx ... /sys/class/net/ncm0 ->
> > >  /sys/devices/platform/.../gadget.0/net/ncm0
> > >  console:/ # ls -l /sys/devices/platform/.../gadget.0/net/ncm0
> > >  ls: .../gadget.0/net/ncm0: No such file or directory
> > >
> > > BACKGROUND & THE REVERTS
> > > ------------------------
> > > The deferred allocation causes a regression for userspace tools during
> > > network setup (such as the postmarketOS DHCP daemon). By moving the
> > > allocation out of alloc_inst, configfs returns the name pattern "usb%d"
> > > instead of the actual interface name (e.g., "usb0") when userspace reads
> > > the 'ifname' attribute.
> > >
> > > Investigating a fix for this naming issue revealed a deeper
> > > architectural flaw introduced by the series. Deferring the allocation to
> > > bind() means that a single function instance will spawn multiple network
> > > devices if it is symlinked to multiple USB configurations.
> > >
> > > Because all configurations tied to the same function instance are
> > > architecturally designed to share a single network device, and configfs
> > > only exposes a single 'ifname' attribute per instance, this 1-to-many
> > > bug cannot be safely patched.
> > >
> > > To restore the correct 1:1 mapping and resolve the userspace
> > > regressions, this series reverts the changes in reverse order, returning
> > > the net_device allocation back to the instance level (alloc_inst).
> > >
> > > THE NEW SOLUTION
> > > ----------------
> > > Use device_move() to reparent the net_device between the gadget device
> > > tree and /sys/devices/virtual across bind/unbind cycles. On the last
> > > unbind, device_move(NULL) moves the net_device to the virtual device
> > > tree before the gadget device is destroyed. On rebind, device_move()
> > > reparents it back under the new gadget, restoring proper sysfs topology
> > > and power management ordering.
> > >
> > > The 1:1 mapping between function instance and net_device is maintained,
> > > and configfs always reports the resolved interface name.
> > >
> > > A bind_count tracks how many configurations reference the function
> > > instance, ensuring device_move fires only on the first bind.
> > > __free(detach_gadget) ensures the net_device is moved back to virtual
> > > if bind fails after a successful device_move, preventing dangling
> > > sysfs on partial bind failure.
> >
> > Applying this series on v7.0-rc3 fixes the reported issues for me on
> > Qualcomm-based Fairphone (Gen. 6). For v7.0-rc3 the first two commits
> > need to be skipped, looks like the original commits are only in -next
> > and not in v7.0-rc?
> >
> > Tested-by: Luca Weiss <luca.weiss@fairphone.com> # milos-fairphone-fp6
> >
> > Thanks for fixing this!
> >
> > Regards
> > Luca
> 
> Thanks for testing.
> 
> That is correct. The first two commits:
> 
> - [Patch v2 1/7] Revert "usb: gadget: f_ncm: Fix atomic context locking issue"
> - [Patch v2 2/7] Revert "usb: legacy: ncm: Fix NPE in gncm_bind"
> 
> have not been merged into the mainline yet, so skipping them for your
> test was the right move. This series is based on Greg's usb-linus
> branch rather than the Linux's master branch.

These should all now be in 7.0-rc4, right?

thanks,

greg k-h

next prev parent reply	other threads:[~2026-03-16  6:36 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-03-09 12:04 [PATCH v2 0/7] usb: gadget: Fix net_device lifecycle with device_move Kuen-Han Tsai
2026-03-09 12:04 ` [PATCH v2 1/7] Revert "usb: gadget: f_ncm: Fix atomic context locking issue" Kuen-Han Tsai
2026-03-09 12:04 ` [PATCH v2 2/7] Revert "usb: legacy: ncm: Fix NPE in gncm_bind" Kuen-Han Tsai
2026-03-09 12:04 ` [PATCH v2 3/7] Revert "usb: gadget: f_ncm: align net_device lifecycle with bind/unbind" Kuen-Han Tsai
2026-03-09 12:04 ` [PATCH v2 4/7] Revert "usb: gadget: u_ether: Add auto-cleanup helper for freeing net_device" Kuen-Han Tsai
2026-03-09 12:04 ` [PATCH v2 5/7] Revert "usb: gadget: u_ether: use <linux/hex.h> header file" Kuen-Han Tsai
2026-03-09 12:04 ` [PATCH v2 6/7] Revert "usb: gadget: u_ether: add gether_opts for config caching" Kuen-Han Tsai
2026-03-09 12:04 ` [PATCH v2 7/7] usb: gadget: f_ncm: Fix net_device lifecycle with device_move Kuen-Han Tsai
2026-03-15  5:21   ` Val Packett
2026-03-16  6:03     ` Kuen-Han Tsai
2026-03-13 12:40 ` [PATCH v2 0/7] usb: gadget: " Luca Weiss
2026-03-16  6:17   ` Kuen-Han Tsai
2026-03-16  6:35     ` Greg Kroah-Hartman [this message]
2026-03-16  6:47       ` Kuen-Han Tsai

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=2026031632-catwalk-reshuffle-c819@gregkh \
    --to=gregkh@linuxfoundation.org \
    --cc=Qing-wu.Li@leica-geosystems.com.cn \
    --cc=balbi@ti.com \
    --cc=david@ixit.cz \
    --cc=ernest.vanhoecke@toradex.com \
    --cc=jonathanh@nvidia.com \
    --cc=khtsai@google.com \
    --cc=kyungmin.park@samsung.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-usb@vger.kernel.org \
    --cc=luca.weiss@fairphone.com \
    --cc=stable@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox