CVE-2026-23320

In the Linux kernel, the following vulnerability has been resolved:

usb: gadget: fncm: align netdevice lifecycle with bind/unbind

Currently, the netdevice is allocated in ncmallocinst() and freed in ncmfree_inst(). This ties the network interface's lifetime to the configuration instance rather than the USB connection (bind/unbind).

This decoupling causes issues when the USB gadget is disconnected where the underlying gadget device is removed. The net_device can outlive its parent, leading to dangling sysfs links and NULL pointer dereferences when accessing the freed gadget device.

Problem 1: NULL pointer dereference on disconnect Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Call trace: __pistrlen+0x14/0x150 rtnlfill_ifinfo+0x6b4/0x708 rtmsgifinfobuildskb+0xd8/0x13c rtmsgifinfo+0x50/0xa0 _devnotifyflags+0x4c/0x1f0 devchangeflags+0x54/0x70 dosetlink+0x390/0xebc rtnlnewlink+0x7d0/0xac8 rtnetlinkrcvmsg+0x27c/0x410 netlinkrcvskb+0x134/0x150 rtnetlinkrcv+0x18/0x28 netlinkunicast+0x254/0x3f0 netlinksendmsg+0x2e0/0x3d4

Problem 2: Dangling sysfs symlinks console:/ # ls -l /sys/class/net/ncm0 lrwxrwxrwx ... /sys/class/net/ncm0 -> /sys/devices/platform/.../gadget.0/net/ncm0 console:/ # ls -l /sys/devices/platform/.../gadget.0/net/ncm0 ls: .../gadget.0/net/ncm0: No such file or directory

Move the netdevice allocation to ncmbind() and deallocation to ncm_unbind(). This ensures the network interface exists only when the gadget function is actually bound to a configuration.

To support pre-bind configuration (e.g., setting interface name or MAC address via configfs), cache user-provided options in fncmopts using the getheropts structure. Apply these cached settings to the netdevice upon creation in ncm_bind().

Preserve the use-after-free fix from commit 6334b8e4553c ("usb: gadget: fncm: Fix UAF ncm object at re-bind after usb ep transport error"). Check opts->net in ncmsetalt() and ncmdisable() to ensure gether_disconnect() runs only if a connection was established.