Date: Thu, 7 Mar 2024 16:45:13 +0000
From: Greg KH
To: Hardik Gajjar
Cc: quic_kriskura@quicinc.com, maze@google.com, quic_linyyuan@quicinc.com, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, guofeng.li@gm.com, hardik.gajjar@bosch.com, eugeniu.rosca@bosch.com
Subject: Re: [PATCH] usb: gadget: f_ncm: Fix Kernel Panic due to access of invalid gadget ptr
Message-ID: <2024030736-racism-cornflake-63e9@gregkh>
In-Reply-To: <20240307161849.9145-1-hgajjar@de.adit-jv.com>

On Thu, Mar 07, 2024 at 05:18:49PM +0100, Hardik Gajjar wrote:
> In the scenario where the system enters suspend to RAM mode (STR) triggers
> the disconnection of Dual Role USB Hub, and the UDC platform driver calls
> usb_del_gadget_udc() to cleanup and delete the associated gadget.
>
> However, at this point, the usb0 interface is not yet deleted, leading to
> a race condition with the TCP/IP stack attempting to access the network
> device parent (gadget pointer), through operations like the GETLINK net
> message.
>
> This patch addresses the issue by clearing the netdevice's parent device
> pointer when the ncm unbinds, effectively preventing the race condition
> during this critical phase.
>
> Following is the backtrace of such race condition
> [ 3566.105792] Call trace:
> [ 3566.105984] if_nlmsg_size+0x48/0x3b0
> [ 3566.107497] rtnetlink_rcv_msg+0x1cc/0x408
> [ 3566.107905] netlink_rcv_skb+0x12c/0x164
> [ 3566.108264] rtnetlink_rcv+0x18/0x24
> [ 3566.108851] netlink_unicast_kernel+0xc4/0x14c
> [ 3566.109192] netlink_unicast+0x210/0x2b0
> [ 3566.109606] netlink_sendmsg+0x2ec/0x360
> [ 3566.110046] __sys_sendto+0x1b8/0x25c
> [ 3566.111594] __arm64_sys_sendto+0x28/0x38
> [ 3566.112599] el0_svc_common+0xb4/0x19c
> [ 3566.112978] el0_svc_handler+0x74/0x98
> [ 3566.113269] el0_svc+0x8/0xc
>
> - code: if_nlmsg_size call the following function
>
> static inline int rtnl_vfinfo_size(const struct net_device *dev,
>                                    u32 ext_filter_mask)
> {
>         // dev->dev.parent is not NULL
>         if (dev->dev.parent && (ext_filter_mask & RTEXT_FILTER_VF)) {
>                 // dev_num_vf use the dev->dev.parent->bus lead to kernel panic.
>                 int num_vfs = dev_num_vf(dev->dev.parent);
>                 size_t size = nla_total_size(0);
>                 size += num_vfs *
>                         (nla_total_size(0) +
>                          nla_total_size(sizeof(struct ifla_vf_mac)) +
>                          nla_total_size(sizeof(struct ifla_vf_vlan)) +
>                          nla_total_size(0) + /* nest IFLA_VF_VLAN_LIST *
>
> Signed-off-by: Hardik Gajjar
> ---
>  drivers/usb/gadget/function/f_ncm.c | 7 +++++++
>  1 file changed, 7 insertions(+)

What commit id does this fix?

thanks,

greg k-h
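
The lifetime problem described in the quoted commit message, as a userspace C model. This is an added example, not part of the thread and not the patch itself. The struct layouts, magic values and size constants are constructed, and gadget_release(), ncm_unbind() and vfinfo_size() are simplified stand-ins for the kernel paths named in the message.

```c
/* Userspace model of the stale-parent race; constructed, not kernel code. */
#include <stdint.h>
#include <stdio.h>

#define DEV_LIVE  0x4c495645u   /* marker for a registered device */
#define DEV_DEAD  0xdeadbeefu   /* poison written at release (models the free) */
#define FILTER_VF 0x1u          /* stands in for RTEXT_FILTER_VF */
enum { SIZE_BASE = 64, SIZE_PER_VF = 32, STALE_PARENT = -1 }; /* constructed */

struct bus { int num_vf; };
struct device { uint32_t magic; struct bus *bus; struct device *parent; };
struct net_device { struct device dev; };

/* Gadget teardown: poison instead of free, so the stale read is observable. */
static void gadget_release(struct device *g) { g->magic = DEV_DEAD; g->bus = NULL; }

/* Unbind path: clear_parent = 0 models the behaviour before the patch. */
static void ncm_unbind(struct net_device *net, int clear_parent)
{
    if (clear_parent) net->dev.parent = NULL;
}

/* Same shape as rtnl_vfinfo_size(): a non-NULL parent is trusted. */
static int vfinfo_size(const struct net_device *net, uint32_t mask)
{
    const struct device *p = net->dev.parent;
    if (p && (mask & FILTER_VF)) {
        if (p->magic != DEV_LIVE)
            return STALE_PARENT;  /* the kernel would dereference p->bus here */
        return SIZE_BASE + p->bus->num_vf * SIZE_PER_VF;
    }
    return 0;                     /* no parent: VF sizing is skipped */
}

/* Bind usb0 to a gadget, optionally tear the gadget down, then query. */
static int query(int teardown, int clear_parent)
{
    struct bus b = { .num_vf = 2 };
    struct device gadget = { .magic = DEV_LIVE, .bus = &b };
    struct net_device usb0 = { .dev = { .magic = DEV_LIVE, .parent = &gadget } };
    if (teardown) {
        ncm_unbind(&usb0, clear_parent);
        gadget_release(&gadget);
    }
    return vfinfo_size(&usb0, FILTER_VF);
}

int main(void)
{
    printf("bound=%d unpatched=%d patched=%d\n", query(0, 0), query(1, 0), query(1, 1));
    return 0;
}
```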