Currently, the net_device is allocated in ncm_alloc_inst() and freed in ncm_free_inst(). This ties the network interface's lifetime to the configuration instance rather than the USB connection (bind/unbind).

This decoupling causes issues when the USB gadget is disconnected where the underlying gadget device is removed. The net_device can outlive its parent, leading to dangling sysfs links and NULL pointer dereferences when accessing the freed gadget device.

Problem 1: NULL pointer dereference on disconnect

    Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
    Call trace:
     __pi_strlen+0x14/0x150
     rtnl_fill_ifinfo+0x6b4/0x708
     rtmsg_ifinfo_build_skb+0xd8/0x13c
     rtmsg_ifinfo+0x50/0xa0
     __dev_notify_flags+0x4c/0x1f0
     dev_change_flags+0x54/0x70
     do_setlink+0x390/0xebc
     rtnl_newlink+0x7d0/0xac8
     rtnetlink_rcv_msg+0x27c/0x410
     netlink_rcv_skb+0x134/0x150
     rtnetlink_rcv+0x18/0x28
     netlink_unicast+0x254/0x3f0
     netlink_sendmsg+0x2e0/0x3d4

Problem 2: Dangling sysfs symlinks

    console:/ # ls -l /sys/class/net/ncm0
    lrwxrwxrwx ... /sys/class/net/ncm0 -> /sys/devices/platform/.../gadget.0/net/ncm0
    console:/ # ls -l /sys/devices/platform/.../gadget.0/net/ncm0
    ls: .../gadget.0/net/ncm0: No such file or directory

Move the net_device allocation to ncm_bind() and deallocation to ncm_unbind(). This ensures the network interface exists only when the gadget function is actually bound to a configuration.

To support pre-bind configuration (e.g., setting interface name or MAC address via configfs), cache user-provided options in f_ncm_opts using the gether_opts structure. Apply these cached settings to the net_device upon creation in ncm_bind().

Preserve the use-after-free fix from commit 6334b8e455 ("usb: gadget: f_ncm: Fix UAF ncm object at re-bind after usb ep transport error"). Check opts->net in ncm_set_alt() and ncm_disable() to ensure gether_disconnect() runs only if a connection was established.

Fixes: 40d133d7f5 ("usb: gadget: f_ncm: convert to new function interface with backward compatibility")
Cc: stable@kernel.org
Signed-off-by: Kuen-Han Tsai <khtsai@google.com>
Link: https://patch.msgid.link/20251230-ncm-refactor-v1-3-793e347bc7a7@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
/* SPDX-License-Identifier: GPL-2.0 */
/*
* u_ncm.h
*
* Utility definitions for the ncm function
*
* Copyright (c) 2013 Samsung Electronics Co., Ltd.
* http://www.samsung.com
*
* Author: Andrzej Pietrasiewicz <andrzejtp2010@gmail.com>
*/
#ifndef U_NCM_H
#define U_NCM_H
#include <linux/usb/composite.h>
#include "u_ether.h"
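/*
 * struct f_ncm_opts - per-instance options of the NCM gadget function.
 *
 * Lifetime note: per the change description that accompanies this header,
 * the net_device is allocated in ncm_bind() and released in ncm_unbind(),
 * so @net follows the USB bind/unbind cycle rather than the lifetime of
 * this options structure. Settings supplied before bind (e.g. interface
 * name or MAC address via configfs) are cached in @net_opts and applied to
 * the net_device when it is created in ncm_bind().
 */
struct f_ncm_opts {
	/* Function instance embedded by value in these options. */
	struct usb_function_instance	func_inst;

	/*
	 * Network device backing this function. Only meaningful while the
	 * function is bound; ncm_set_alt() and ncm_disable() check this
	 * pointer before calling gether_disconnect().
	 * NOTE(review): presumably NULL while unbound; any new user must
	 * check it before dereferencing -- confirm against f_ncm.c.
	 */
	struct net_device		*net;

	/* Cached user-provided options, applied to @net in ncm_bind(). */
	struct gether_opts		net_opts;

	/*
	 * NOTE(review): the three members below look like OS descriptor
	 * support (configfs group, descriptor, ext compat id buffer) --
	 * confirm against the users in f_ncm.c.
	 */
	struct config_group		*ncm_interf_group;
	struct usb_os_desc		ncm_os_desc;
	char				ncm_ext_compat_id[16];

	/*
	 * Read/write access to configfs attributes is handled by configfs.
	 *
	 * This is to protect the data from concurrent access by read/write
	 * and create symlink/remove symlink.
	 */
	struct mutex			lock;
	/*
	 * NOTE(review): presumably counts users of this instance and is
	 * updated under @lock -- confirm against the callers.
	 */
	int				refcnt;

	/* NOTE(review): presumably user-configurable via configfs -- confirm. */
	u16				max_segment_size;
};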
#endif /* U_NCM_H */