From: "Luca Weiss" <luca.weiss@fairphone.com>
To: "Kuen-Han Tsai" <khtsai@google.com>,
"Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
"Felipe Balbi" <balbi@ti.com>,
"Kyungmin Park" <kyungmin.park@samsung.com>
Cc: "David Heidelberg" <david@ixit.cz>,
"Ernest Van Hoecke" <ernest.vanhoecke@toradex.com>,
"Jon Hunter" <jonathanh@nvidia.com>,
"LI Qingwu" <Qing-wu.Li@leica-geosystems.com.cn>,
<linux-usb@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
<stable@kernel.org>
Subject: Re: [PATCH v2 0/7] usb: gadget: Fix net_device lifecycle with device_move
Date: Fri, 13 Mar 2026 13:40:56 +0100 [thread overview]
Message-ID: <DH1NU7GOPTJY.149SPB0645W7G@fairphone.com> (raw)
In-Reply-To: <20260309-f-ncm-revert-v2-0-ea2afbc7d9b2@google.com>
Hi Kuen-Han,
On Mon Mar 9, 2026 at 1:04 PM CET, Kuen-Han Tsai wrote:
> PROBLEMS
> --------
> The net_device in f_ncm is allocated at function instance creation
> and registered at bind time with the gadget device as its sysfs parent.
> When the gadget unbinds, the parent device is destroyed but the
> net_device survives, leaving dangling sysfs symlinks and a NULL pointer
> dereference when userspace accesses the orphaned interface:
>
> Problem 1: Unable to handle kernel NULL pointer dereference
> Call trace:
> __pi_strlen+0x14/0x150
> rtnl_fill_ifinfo+0x6b4/0x708
> rtmsg_ifinfo_build_skb+0xd8/0x13c
> ...
> netlink_sendmsg+0x2e0/0x3d4
>
> Problem 2: Dangling sysfs symlinks
> console:/ # ls -l /sys/class/net/ncm0
> lrwxrwxrwx ... /sys/class/net/ncm0 ->
> /sys/devices/platform/.../gadget.0/net/ncm0
> console:/ # ls -l /sys/devices/platform/.../gadget.0/net/ncm0
> ls: .../gadget.0/net/ncm0: No such file or directory
>
> BACKGROUND & THE REVERTS
> ------------------------
> The deferred allocation causes a regression for userspace tools during
> network setup (such as the postmarketOS DHCP daemon). By moving the
> allocation out of alloc_inst, configfs returns the name pattern "usb%d"
> instead of the actual interface name (e.g., "usb0") when userspace reads
> the 'ifname' attribute.
>
> Investigating a fix for this naming issue revealed a deeper
> architectural flaw introduced by the series. Deferring the allocation to
> bind() means that a single function instance will spawn multiple network
> devices if it is symlinked to multiple USB configurations.
>
> Because all configurations tied to the same function instance are
> architecturally designed to share a single network device, and configfs
> only exposes a single 'ifname' attribute per instance, this 1-to-many
> bug cannot be safely patched.
>
> To restore the correct 1:1 mapping and resolve the userspace
> regressions, this series reverts the changes in reverse order, returning
> the net_device allocation back to the instance level (alloc_inst).
>
> THE NEW SOLUTION
> ----------------
> Use device_move() to reparent the net_device between the gadget device
> tree and /sys/devices/virtual across bind/unbind cycles. On the last
> unbind, device_move(NULL) moves the net_device to the virtual device
> tree before the gadget device is destroyed. On rebind, device_move()
> reparents it back under the new gadget, restoring proper sysfs topology
> and power management ordering.
>
> The 1:1 mapping between function instance and net_device is maintained,
> and configfs always reports the resolved interface name.
>
> A bind_count tracks how many configurations reference the function
> instance, ensuring device_move fires only on the first bind.
> __free(detach_gadget) ensures the net_device is moved back to virtual
> if bind fails after a successful device_move, preventing dangling
> sysfs on partial bind failure.
Applying this series on v7.0-rc3 fixes the reported issues for me on
Qualcomm-based Fairphone (Gen. 6). For v7.0-rc3 the first two commits
need to be skipped, looks like the original commits are only in -next
and not in v7.0-rc?
Tested-by: Luca Weiss <luca.weiss@fairphone.com> # milos-fairphone-fp6
Thanks for fixing this!
Regards
Luca
>
> Reported-by: David Heidelberg <david@ixit.cz>
> Link: https://lore.kernel.org/linux-usb/70b558ea-a12e-4170-9b8e-c951131249af@ixit.cz/
> Signed-off-by: Kuen-Han Tsai <khtsai@google.com>
> ---
> Changes in v2:
> - Introduce a new solution
> - Link to v1: https://lore.kernel.org/r/20260304-f-ncm-revert-v1-0-57c9157b58af@google.com
>
> ---
> Kuen-Han Tsai (7):
> Revert "usb: gadget: f_ncm: Fix atomic context locking issue"
> Revert "usb: legacy: ncm: Fix NPE in gncm_bind"
> Revert "usb: gadget: f_ncm: align net_device lifecycle with bind/unbind"
> Revert "usb: gadget: u_ether: Add auto-cleanup helper for freeing net_device"
> Revert "usb: gadget: u_ether: use <linux/hex.h> header file"
> Revert "usb: gadget: u_ether: add gether_opts for config caching"
> usb: gadget: f_ncm: Fix net_device lifecycle with device_move
>
> drivers/usb/gadget/function/f_ncm.c | 129 +++++++++++--------
> drivers/usb/gadget/function/u_ether.c | 67 ++++------
> drivers/usb/gadget/function/u_ether.h | 56 ++++-----
> drivers/usb/gadget/function/u_ether_configfs.h | 168 -------------------------
> drivers/usb/gadget/function/u_ncm.h | 5 +-
> drivers/usb/gadget/legacy/ncm.c | 13 +-
> 6 files changed, 127 insertions(+), 311 deletions(-)
> ---
> base-commit: 1be3b77de4eb89af8ae2fd6610546be778e25589
> change-id: 20260304-f-ncm-revert-490a66ae8da0
>
> Best regards,
next prev parent reply other threads:[~2026-03-13 12:40 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-09 12:04 [PATCH v2 0/7] usb: gadget: Fix net_device lifecycle with device_move Kuen-Han Tsai
2026-03-09 12:04 ` [PATCH v2 1/7] Revert "usb: gadget: f_ncm: Fix atomic context locking issue" Kuen-Han Tsai
2026-03-09 12:04 ` [PATCH v2 2/7] Revert "usb: legacy: ncm: Fix NPE in gncm_bind" Kuen-Han Tsai
2026-03-09 12:04 ` [PATCH v2 3/7] Revert "usb: gadget: f_ncm: align net_device lifecycle with bind/unbind" Kuen-Han Tsai
2026-03-09 12:04 ` [PATCH v2 4/7] Revert "usb: gadget: u_ether: Add auto-cleanup helper for freeing net_device" Kuen-Han Tsai
2026-03-09 12:04 ` [PATCH v2 5/7] Revert "usb: gadget: u_ether: use <linux/hex.h> header file" Kuen-Han Tsai
2026-03-09 12:04 ` [PATCH v2 6/7] Revert "usb: gadget: u_ether: add gether_opts for config caching" Kuen-Han Tsai
2026-03-09 12:04 ` [PATCH v2 7/7] usb: gadget: f_ncm: Fix net_device lifecycle with device_move Kuen-Han Tsai
2026-03-15 5:21 ` Val Packett
2026-03-16 6:03 ` Kuen-Han Tsai
2026-03-13 12:40 ` Luca Weiss [this message]
2026-03-16 6:17 ` [PATCH v2 0/7] usb: gadget: " Kuen-Han Tsai
2026-03-16 6:35 ` Greg Kroah-Hartman
2026-03-16 6:47 ` Kuen-Han Tsai
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DH1NU7GOPTJY.149SPB0645W7G@fairphone.com \
--to=luca.weiss@fairphone.com \
--cc=Qing-wu.Li@leica-geosystems.com.cn \
--cc=balbi@ti.com \
--cc=david@ixit.cz \
--cc=ernest.vanhoecke@toradex.com \
--cc=gregkh@linuxfoundation.org \
--cc=jonathanh@nvidia.com \
--cc=khtsai@google.com \
--cc=kyungmin.park@samsung.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=stable@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox