lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <52usixapyb5hqtek4qlmiuzwvoz6xgzh3sxspn2ueetd5orfz2@qdoqxnuydbwb>
Date: Fri, 9 Jan 2026 11:25:48 +0100
From: Ernest Van Hoecke <ernestvanhoecke@...il.com>
To: Kuen-Han Tsai <khtsai@...gle.com>
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>, 
	Felipe Balbi <balbi@...com>, Prashanth K <prashanth.k@....qualcomm.com>, 
	Kyungmin Park <kyungmin.park@...sung.com>, Andrzej Pietrasiewicz <andrzej.p@...sung.com>, 
	linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org, stable@...nel.org
Subject: Re: [PATCH 3/3] usb: gadget: f_ncm: align net_device lifecycle with
 bind/unbind

On Tue, Dec 30, 2025 at 06:13:16PM +0800, Kuen-Han Tsai wrote:
> Currently, the net_device is allocated in ncm_alloc_inst() and freed in
> ncm_free_inst(). This ties the network interface's lifetime to the
> configuration instance rather than the USB connection (bind/unbind).
> 
> This decoupling causes issues when the USB gadget is disconnected where
> the underlying gadget device is removed. The net_device can outlive its
> parent, leading to dangling sysfs links and NULL pointer dereferences
> when accessing the freed gadget device.
> 
> Problem 1: NULL pointer dereference on disconnect
>  Unable to handle kernel NULL pointer dereference at virtual address
>  0000000000000000
>  Call trace:
>    __pi_strlen+0x14/0x150
>    rtnl_fill_ifinfo+0x6b4/0x708
>    rtmsg_ifinfo_build_skb+0xd8/0x13c
>    rtmsg_ifinfo+0x50/0xa0
>    __dev_notify_flags+0x4c/0x1f0
>    dev_change_flags+0x54/0x70
>    do_setlink+0x390/0xebc
>    rtnl_newlink+0x7d0/0xac8
>    rtnetlink_rcv_msg+0x27c/0x410
>    netlink_rcv_skb+0x134/0x150
>    rtnetlink_rcv+0x18/0x28
>    netlink_unicast+0x254/0x3f0
>    netlink_sendmsg+0x2e0/0x3d4
> 
> Problem 2: Dangling sysfs symlinks
>  console:/ # ls -l /sys/class/net/ncm0
>  lrwxrwxrwx ... /sys/class/net/ncm0 ->
>  /sys/devices/platform/.../gadget.0/net/ncm0
>  console:/ # ls -l /sys/devices/platform/.../gadget.0/net/ncm0
>  ls: .../gadget.0/net/ncm0: No such file or directory
> 
> Move the net_device allocation to ncm_bind() and deallocation to
> ncm_unbind(). This ensures the network interface exists only when the
> gadget function is actually bound to a configuration.
> 
> To support pre-bind configuration (e.g., setting interface name or MAC
> address via configfs), cache user-provided options in f_ncm_opts
> using the gether_opts structure. Apply these cached settings to the
> net_device upon creation in ncm_bind().
> 
> Preserve the use-after-free fix from commit 6334b8e4553c ("usb: gadget:
> f_ncm: Fix UAF ncm object at re-bind after usb ep transport error").
> Check opts->net in ncm_set_alt() and ncm_disable() to ensure
> gether_disconnect() runs only if a connection was established.
> 
> Fixes: 40d133d7f542 ("usb: gadget: f_ncm: convert to new function interface with backward compatibility")
> Cc: stable@...nel.org
> Signed-off-by: Kuen-Han Tsai <khtsai@...gle.com>

Hi Kuen-Han,

Thank you for all your work on this.

When using the DWC3 IP for USB OTG on an iMX95 with our Aquila iMX95
SoM, USB NCM does not function properly when booting the board with this
USB in host mode.

Your patch series completely solves this issue, I was debugging it
before and saw that there were indeed issues with the relation between
the net device and the gadget.

Tested-by: Ernest Van Hoecke <ernest.vanhoecke@...adex.com> # Aquila iMX95

Kind regards,
Ernest

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ