usb: legacy: ncm: Fix NPE in gncm_bind

Commit 56a512a9b410 ("usb: gadget: f_ncm: align net_device lifecycle
with bind/unbind") deferred the allocation of the net_device. This
change leads to a NULL pointer dereference in the legacy NCM driver as
it attempts to access the net_device before it's fully instantiated.

Store the provided qmult, host_addr, and dev_addr into the struct
ncm_opts->net_opts during gncm_bind(). These values will be properly
applied to the net_device when it is allocated and configured later in
the binding process by the NCM function driver.

Fixes: 56a512a9b410 ("usb: gadget: f_ncm: align net_device lifecycle with bind/unbind")
Cc: stable@kernel.org
Reported-by: kernel test robot <oliver.sang@intel.com>
Closes: https://lore.kernel.org/oe-lkp/202602181727.fd76c561-lkp@intel.com
Signed-off-by: Kuen-Han Tsai <khtsai@google.com>
Link: https://patch.msgid.link/20260221-legacy-ncm-v2-1-dfb891d76507@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/usb/gadget/legacy/ncm.c b/drivers/usb/gadget/legacy/ncm.c
index 0f1b45e3abd1a1ead7b2776be10a2a5747960136..e8d5655340530aa38fde698f876e785122f0cce8 100644 (file)
--- a/drivers/usb/gadget/legacy/ncm.c
+++ b/drivers/usb/gadget/legacy/ncm.c
@@ -15,8 +15,10 @@
 /* #define DEBUG */
 /* #define VERBOSE_DEBUG */
 
+#include <linux/hex.h>
 #include <linux/kernel.h>
 #include <linux/module.h>
+#include <linux/string.h>
 #include <linux/usb/composite.h>
 
 #include "u_ether.h"
@@ -129,6 +131,7 @@ static int gncm_bind(struct usb_composite_dev *cdev)
        struct usb_gadget       *gadget = cdev->gadget;
        struct f_ncm_opts       *ncm_opts;
        int                     status;
+       u8                      mac[ETH_ALEN];
 
        f_ncm_inst = usb_get_function_instance("ncm");
        if (IS_ERR(f_ncm_inst))
@@ -136,11 +139,15 @@ static int gncm_bind(struct usb_composite_dev *cdev)
 
        ncm_opts = container_of(f_ncm_inst, struct f_ncm_opts, func_inst);
 
-       gether_set_qmult(ncm_opts->net, qmult);
-       if (!gether_set_host_addr(ncm_opts->net, host_addr))
+       ncm_opts->net_opts.qmult = qmult;
+       if (host_addr && mac_pton(host_addr, mac)) {
+               memcpy(&ncm_opts->net_opts.host_mac, mac, ETH_ALEN);
                pr_info("using host ethernet address: %s", host_addr);
-       if (!gether_set_dev_addr(ncm_opts->net, dev_addr))
+       }
+       if (dev_addr && mac_pton(dev_addr, mac)) {
+               memcpy(&ncm_opts->net_opts.dev_mac, mac, ETH_ALEN);
                pr_info("using self ethernet address: %s", dev_addr);
+       }
 
        /* Allocate string descriptor numbers ... note that string
         * contents can be overridden by the composite_dev glue.