Re: [PATCH v2 0/7] usb: gadget: Fix net_device lifecycle with device_move

From: Greg Kroah-Hartman

Date: Mon Mar 16 2026 - 02:36:10 EST

On Mon, Mar 16, 2026 at 02:17:09PM +0800, Kuen-Han Tsai wrote:
> Hi Luca,
>
> On Fri, Mar 13, 2026 at 8:40 PM Luca Weiss <luca.weiss@xxxxxxxxxxxxx> wrote:
> >
> > Hi Kuen-Han,
> >
> > On Mon Mar 9, 2026 at 1:04 PM CET, Kuen-Han Tsai wrote:
> > > PROBLEMS
> > > --------
> > > The net_device in f_ncm is allocated at function instance creation
> > > and registered at bind time with the gadget device as its sysfs parent.
> > > When the gadget unbinds, the parent device is destroyed but the
> > > net_device survives, leaving dangling sysfs symlinks and a NULL pointer
> > > dereference when userspace accesses the orphaned interface:
> > >
> > > Problem 1: Unable to handle kernel NULL pointer dereference
> > > Call trace:
> > > __pi_strlen+0x14/0x150
> > > rtnl_fill_ifinfo+0x6b4/0x708
> > > rtmsg_ifinfo_build_skb+0xd8/0x13c
> > > ...
> > > netlink_sendmsg+0x2e0/0x3d4
> > >
> > > Problem 2: Dangling sysfs symlinks
> > > console:/ # ls -l /sys/class/net/ncm0
> > > lrwxrwxrwx ... /sys/class/net/ncm0 ->
> > > /sys/devices/platform/.../gadget.0/net/ncm0
> > > console:/ # ls -l /sys/devices/platform/.../gadget.0/net/ncm0
> > > ls: .../gadget.0/net/ncm0: No such file or directory
> > >
> > > BACKGROUND & THE REVERTS
> > > ------------------------
> > > The deferred allocation causes a regression for userspace tools during
> > > network setup (such as the postmarketOS DHCP daemon). By moving the
> > > allocation out of alloc_inst, configfs returns the name pattern "usb%d"
> > > instead of the actual interface name (e.g., "usb0") when userspace reads
> > > the 'ifname' attribute.
> > >
> > > Investigating a fix for this naming issue revealed a deeper
> > > architectural flaw introduced by the series. Deferring the allocation to
> > > bind() means that a single function instance will spawn multiple network
> > > devices if it is symlinked to multiple USB configurations.
> > >
> > > Because all configurations tied to the same function instance are
> > > architecturally designed to share a single network device, and configfs
> > > only exposes a single 'ifname' attribute per instance, this 1-to-many
> > > bug cannot be safely patched.
> > >
> > > To restore the correct 1:1 mapping and resolve the userspace
> > > regressions, this series reverts the changes in reverse order, returning
> > > the net_device allocation back to the instance level (alloc_inst).
> > >
> > > THE NEW SOLUTION
> > > ----------------
> > > Use device_move() to reparent the net_device between the gadget device
> > > tree and /sys/devices/virtual across bind/unbind cycles. On the last
> > > unbind, device_move(NULL) moves the net_device to the virtual device
> > > tree before the gadget device is destroyed. On rebind, device_move()
> > > reparents it back under the new gadget, restoring proper sysfs topology
> > > and power management ordering.
> > >
> > > The 1:1 mapping between function instance and net_device is maintained,
> > > and configfs always reports the resolved interface name.
> > >
> > > A bind_count tracks how many configurations reference the function
> > > instance, ensuring device_move fires only on the first bind.
> > > __free(detach_gadget) ensures the net_device is moved back to virtual
> > > if bind fails after a successful device_move, preventing dangling
> > > sysfs on partial bind failure.
> >
> > Applying this series on v7.0-rc3 fixes the reported issues for me on
> > Qualcomm-based Fairphone (Gen. 6). For v7.0-rc3 the first two commits
> > need to be skipped, looks like the original commits are only in -next
> > and not in v7.0-rc?
> >
> > Tested-by: Luca Weiss <luca.weiss@xxxxxxxxxxxxx> # milos-fairphone-fp6
> >
> > Thanks for fixing this!
> >
> > Regards
> > Luca
>
> Thanks for testing.
>
> That is correct. The first two commits:
>
> - [Patch v2 1/7] Revert "usb: gadget: f_ncm: Fix atomic context locking issue"
> - [Patch v2 2/7] Revert "usb: legacy: ncm: Fix NPE in gncm_bind"
>
> have not been merged into the mainline yet, so skipping them for your
> test was the right move. This series is based on Greg's usb-linus
> branch rather than the Linux's master branch.

These should all now be in 7.0-rc4, right?

thanks,

greg k-h