Date: Sat, 14 Feb 2026 15:00:40 +0800
Message-ID: <20260214-legacy-ncm-v1-1-139c5bcc6636@google.com>
Subject: [PATCH RFC] usb: legacy: ncm: Fix potential NPE in gncm_bind
From: Kuen-Han Tsai
To: Greg Kroah-Hartman
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, stable@kernel.org, Kuen-Han Tsai

Commit 56a512a9b410 ("usb: gadget: f_ncm: align net_device lifecycle with
bind/unbind") deferred the allocation of the net_device. This change can
lead to a NULL pointer dereference in the legacy NCM driver as it
attempts to access the net_device before it's fully initialized.

Store the provided qmult, host_addr, and dev_addr into the struct
ncm_opts->net_opts during gncm_bind(). These values will be properly
applied to the net_device when it is allocated and configured later in
the binding process by the NCM function driver.

Fixes: 56a512a9b410 ("usb: gadget: f_ncm: align net_device lifecycle with bind/unbind")
Cc: stable@kernel.org
Signed-off-by: Kuen-Han Tsai
---
Hi Greg,

I have been working on a series of changes to align the net_device
lifecycle with the bind/unbind process across various USB gadget
function drivers. The goal is to solve the long-standing "lifetime
mismatch" problem where the network interface could outlive its parent
gadget device, leading to dangling symbolic links.

Recently, Commit 56a512a9b410 ("usb: gadget: f_ncm: align net_device
lifecycle with bind/unbind") was accepted to address this for the NCM
driver. However, during the process of adapting this same architecture
to f_subset, f_eem, f_ecm, and f_rndis, I discovered that this approach
regresses the legacy NCM driver (g_ncm).

Specifically, the legacy driver attempts to access the net_device during
its own binding process before the NCM function driver has been fully
bound. This can result in a NULL pointer dereference.

I am submitting the following patch as a fix for the g_ncm regression
by caching the configuration (qmult, host_addr, dev_addr) in opts_net
until the network device is ready.

Please note that while I have verified the logic and ensured the code
builds, I do not have the physical hardware required to perform a full
functional test with the legacy g_ncm driver.

Beyond this specific fix, I would like to request guidance on how to
proceed with the remaining network function drivers:

1. Deprecation: Can we consider the legacy drivers obsolete? If so, we
   could prioritize the lifecycle fix for the configfs framework.
2. Compatibility: Should we continue to adapt the lifecycle concept to
   all drivers while strictly maintaining backward compatibility for
   legacy function drivers?

I would appreciate your feedback on the preferred direction before I
proceed with the patchsets for the other USB function drivers.
---
 drivers/usb/gadget/legacy/ncm.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/drivers/usb/gadget/legacy/ncm.c b/drivers/usb/gadget/legacy/nc= m.c index 0f1b45e3abd1a1ead7b2776be10a2a5747960136..bf00f9d76a5323b298869b4210c= 5bf99b1ab7f9c 100644 --- a/drivers/usb/gadget/legacy/ncm.c +++ b/drivers/usb/gadget/legacy/ncm.c @@ -15,8 +15,10 @@ /* #define DEBUG */ /* #define VERBOSE_DEBUG */ =20 +#include #include #include +#include #include =20 #include "u_ether.h" @@ -129,6 +131,7 @@ static int gncm_bind(struct usb_composite_dev *cdev) struct usb_gadget *gadget =3D cdev->gadget; struct f_ncm_opts *ncm_opts; int status; + u8 mac[ETH_ALEN]; =20 f_ncm_inst =3D usb_get_function_instance("ncm"); if (IS_ERR(f_ncm_inst)) @@ -136,11 +139,15 @@ static int gncm_bind(struct usb_composite_dev *cdev) =20 ncm_opts =3D container_of(f_ncm_inst, struct f_ncm_opts, func_inst); =20 - gether_set_qmult(ncm_opts->net, qmult); - if (!gether_set_host_addr(ncm_opts->net, host_addr)) + ncm_opts->net_opts.qmult =3D qmult; + if (mac_pton(host_addr, mac)) { + memcpy(&ncm_opts->net_opts.host_mac, mac, ETH_ALEN); pr_info("using host ethernet address: %s", host_addr); - if (!gether_set_dev_addr(ncm_opts->net, dev_addr)) + } + if (mac_pton(dev_addr, mac)) { + memcpy(&ncm_opts->net_opts.dev_mac, mac, ETH_ALEN); pr_info("using self ethernet address: %s", dev_addr); + } =20 /* Allocate string descriptor numbers ... note that string * contents can be overridden by the composite_dev glue. --- base-commit: da87d45b195148d670ab995367d52aa9e8a9a1fa change-id: 20260214-legacy-ncm-8c001295b343 Best regards, --=20 Kuen-Han Tsai