From: Jiasheng Jiang
To: Greg Kroah-Hartman, Jiasheng Jiang, Chen Yufeng, Nicholas Bellinger, Andrzej Pietrasiewicz, Sebastian Andrzej Siewior, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling
Date: Mon, 16 Feb 2026 20:48:48 +0000
Message-Id: <20260216204848.10748-1-jiashengjiangcool@gmail.com>
X-Mailer: git-send-email 2.25.1
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

The `tpg->tpg_nexus` pointer in the USB Target driver is dynamically managed and tied to userspace configuration via ConfigFS. It can be NULL if the USB host sends requests before the nexus is fully established or immediately after it is dropped.

Currently, functions like `bot_submit_command()` and the data transfer paths retrieve `tv_nexus = tpg->tpg_nexus` and immediately dereference `tv_nexus->tvn_se_sess` without any validation. If a malicious or misconfigured USB host sends a BOT (Bulk-Only Transport) command during this race window, it triggers a NULL pointer dereference, leading to a kernel panic (local DoS).

This exposes an inconsistent API usage within the module, as peer functions like `usbg_submit_command()` and `bot_send_bad_response()` correctly implement a NULL check for `tv_nexus` before proceeding.

Fix this by bringing consistency to the nexus handling. Add the missing `if (!tv_nexus)` checks to the vulnerable BOT command and request processing paths, aborting the command gracefully with an error instead of crashing the system.

Fixes: 08a1cb0f65fd ("usb: gadget: tcm: factor out f_tcm")
Signed-off-by: Jiasheng Jiang
---
 drivers/usb/gadget/function/f_tcm.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/drivers/usb/gadget/function/f_tcm.c b/drivers/usb/gadget/funct= ion/f_tcm.c index 6e8804f04baa..9554ddd9b4b8 100644 --- a/drivers/usb/gadget/function/f_tcm.c +++ b/drivers/usb/gadget/function/f_tcm.c @@ -1222,6 +1222,11 @@ static void usbg_submit_cmd(struct usbg_cmd *cmd) se_cmd =3D &cmd->se_cmd; tpg =3D cmd->fu->tpg; tv_nexus =3D tpg->tpg_nexus; + if (!tv_nexus) { + pr_err("Missing nexus, ignoring command\n"); + return; + } + dir =3D get_cmd_dir(cmd->cmd_buf); if (dir < 0) goto out; @@ -1482,6 +1487,11 @@ static void bot_cmd_work(struct work_struct *work) se_cmd =3D &cmd->se_cmd; tpg =3D cmd->fu->tpg; tv_nexus =3D tpg->tpg_nexus; + if (!tv_nexus) { + pr_err("Missing nexus, ignoring command\n"); + return; + } + dir =3D get_cmd_dir(cmd->cmd_buf); if (dir < 0) goto out; --=20 2.25.1
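Review bot: in the `usbg_submit_cmd()` hunk the new `if (!tv_nexus)` block leaves with a bare `return`, while the existing failure case right below it (`if (dir < 0) goto out;`) goes through the `out:` label. Whatever `out:` does for a rejected command (reporting a failure status so the host is not left waiting, releasing the command) is skipped on the new path, which does not match the commit message's claim that the command is "aborted gracefully with an error"; `goto out`, or the equivalent cleanup, looks like the right exit unless `out:` itself needs the nexus. The check also only narrows the race the commit message describes rather than closing it: `tpg->tpg_nexus` is cleared from ConfigFS, so it can still go away between this test and the later use of `tv_nexus->tvn_se_sess`, and a robust fix has to hold the nexus under a lock or pin it with a reference for the whole submission. Lastly, `pr_err()` on a condition any attached host can trigger at will is a log-flooding vector; `pr_err_ratelimited()` is the usual choice here.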
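Review bot: the `bot_cmd_work()` hunk patches a function the commit message never names. The description says the unchecked paths are `bot_submit_command()` and "the data transfer paths", and that `usbg_submit_command()` already checks, whereas the diff touches `usbg_submit_cmd()` and `bot_cmd_work()`; please make the commit message match the functions actually changed so the "Fixes:" trail is usable. The same bare-`return` concern as in the first hunk applies here and matters more for BOT, where the host expects a status (CSW) for every command it issued and a silently dropped command can leave the bulk pipes stalled; again, `goto out` (or the cleanup it performs) is the graceful abort the message promises. Since both hunks add an identical block with an identical log string, consider including the function name in the message (or a small shared helper) so the two sites can be told apart in the log.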