Message-ID: <CAKzKK0orWhSqumubp+hWYDzVHvztDn3Wr3Zrhd5Pz0MmRa6egw@mail.gmail.com>
Date: Fri, 9 Jan 2026 18:47:43 +0800
From: Kuen-Han Tsai <khtsai@...gle.com>
To: Ernest Van Hoecke <ernestvanhoecke@...il.com>
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>, Felipe Balbi <balbi@...com>,
Prashanth K <prashanth.k@....qualcomm.com>, Kyungmin Park <kyungmin.park@...sung.com>,
linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org, stable@...nel.org
Subject: Re: [PATCH 3/3] usb: gadget: f_ncm: align net_device lifecycle with bind/unbind
On Fri, Jan 9, 2026 at 6:25 PM Ernest Van Hoecke
<ernestvanhoecke@...il.com> wrote:
>
> On Tue, Dec 30, 2025 at 06:13:16PM +0800, Kuen-Han Tsai wrote:
> > Currently, the net_device is allocated in ncm_alloc_inst() and freed in
> > ncm_free_inst(). This ties the network interface's lifetime to the
> > configuration instance rather than the USB connection (bind/unbind).
> >
> > This decoupling causes issues when the USB gadget is disconnected where
> > the underlying gadget device is removed. The net_device can outlive its
> > parent, leading to dangling sysfs links and NULL pointer dereferences
> > when accessing the freed gadget device.
> >
> > Problem 1: NULL pointer dereference on disconnect
> > Unable to handle kernel NULL pointer dereference at virtual address
> > 0000000000000000
> > Call trace:
> > __pi_strlen+0x14/0x150
> > rtnl_fill_ifinfo+0x6b4/0x708
> > rtmsg_ifinfo_build_skb+0xd8/0x13c
> > rtmsg_ifinfo+0x50/0xa0
> > __dev_notify_flags+0x4c/0x1f0
> > dev_change_flags+0x54/0x70
> > do_setlink+0x390/0xebc
> > rtnl_newlink+0x7d0/0xac8
> > rtnetlink_rcv_msg+0x27c/0x410
> > netlink_rcv_skb+0x134/0x150
> > rtnetlink_rcv+0x18/0x28
> > netlink_unicast+0x254/0x3f0
> > netlink_sendmsg+0x2e0/0x3d4
> >
> > Problem 2: Dangling sysfs symlinks
> > console:/ # ls -l /sys/class/net/ncm0
> > lrwxrwxrwx ... /sys/class/net/ncm0 ->
> > /sys/devices/platform/.../gadget.0/net/ncm0
> > console:/ # ls -l /sys/devices/platform/.../gadget.0/net/ncm0
> > ls: .../gadget.0/net/ncm0: No such file or directory
> >
> > Move the net_device allocation to ncm_bind() and deallocation to
> > ncm_unbind(). This ensures the network interface exists only when the
> > gadget function is actually bound to a configuration.
> >
> > To support pre-bind configuration (e.g., setting interface name or MAC
> > address via configfs), cache user-provided options in f_ncm_opts
> > using the gether_opts structure. Apply these cached settings to the
> > net_device upon creation in ncm_bind().
> >
> > Preserve the use-after-free fix from commit 6334b8e4553c ("usb: gadget:
> > f_ncm: Fix UAF ncm object at re-bind after usb ep transport error").
> > Check opts->net in ncm_set_alt() and ncm_disable() to ensure
> > gether_disconnect() runs only if a connection was established.
> >
> > Fixes: 40d133d7f542 ("usb: gadget: f_ncm: convert to new function interface with backward compatibility")
> > Cc: stable@...nel.org
> > Signed-off-by: Kuen-Han Tsai <khtsai@...gle.com>
>
> Hi Kuen-Han,
>
> Thank you for all your work on this.
>
> When using the DWC3 IP for USB OTG on an iMX95 with our Aquila iMX95
> SoM, USB NCM does not function properly when booting the board with this
> USB in host mode.
>
> Your patch series completely solves this issue, I was debugging it
> before and saw that there were indeed issues with the relation between
> the net device and the gadget.
>
> Tested-by: Ernest Van Hoecke <ernest.vanhoecke@...adex.com> # Aquila iMX95
>
> Kind regards,
> Ernest
Hi Ernest,

Thank you for the testing and the confirmation on iMX95! I'm glad to
hear the fix is working well for you.

Regards,
Kuen-Han
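The lifecycle the quoted commit message describes, as an added userspace C model that is not code from the patch or from this thread: options set before bind are cached, the net_device exists only between bind and unbind, and teardown is guarded by a NULL check. The function and struct names are taken from the commit message, but every struct field and function body here is an assumption, and where the real driver sets opts->net is not shown on the page.

```c
/* Constructed userspace model, not kernel code. Names follow the commit
 * message; struct fields and function bodies are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct gadget { char name[16]; };                 /* parent device */
struct net_device { char ifname[16]; struct gadget *parent; };
struct gether_opts { char ifname[16]; };          /* cached pre-bind settings */
struct f_ncm_opts { struct gether_opts cached; struct net_device *net; };

/* configfs-style write: only the cache is touched, no net_device needed. */
static void opts_set_ifname(struct f_ncm_opts *o, const char *name)
{
    snprintf(o->cached.ifname, sizeof(o->cached.ifname), "%s", name);
}

/* bind: create the net_device under the live gadget, apply cached options. */
static int ncm_bind(struct f_ncm_opts *o, struct gadget *g)
{
    struct net_device *net = calloc(1, sizeof(*net));
    if (!net)
        return -1;
    memcpy(net->ifname, o->cached.ifname, sizeof(net->ifname));
    net->parent = g;
    o->net = net;
    return 0;
}

/* unbind: free the net_device so it cannot outlive the gadget. */
static void ncm_unbind(struct f_ncm_opts *o)
{
    free(o->net);
    o->net = NULL;
}

/* Guard modelled on the opts->net check: 1 if a disconnect would run. */
static int ncm_disable(struct f_ncm_opts *o) { return o->net != NULL; }

int main(void)
{
    struct gadget g = { "gadget.0" };
    struct f_ncm_opts o = { 0 };
    opts_set_ifname(&o, "ncm0");
    if (ncm_bind(&o, &g)) return 1;
    printf("bound: %s under %s\n", o.net->ifname, o.net->parent->name);
    ncm_unbind(&o);
    printf("after unbind, disconnect would run: %d\n", ncm_disable(&o));
    return 0;
}
```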