From: Jiasheng Jiang
To: thinh.nguyen@synopsys.com
Cc: andrzej.p@samsung.com, bigeasy@linutronix.de, chenyufeng@iie.ac.cn, gregkh@linuxfoundation.org, jiashengjiangcool@gmail.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, nab@linux-iscsi.org, stable@vger.kernel.org
Subject: [PATCH v2] usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling
Date: Thu, 19 Feb 2026 02:18:18 +0000
Message-Id: <20260219021818.15196-1-jiashengjiangcool@gmail.com>
In-Reply-To: <20260219021310.e5aycj3h5rijq45w@synopsys.com>
References: <20260219021310.e5aycj3h5rijq45w@synopsys.com>

The `tpg->tpg_nexus` pointer in the USB Target driver is dynamically managed and tied to userspace configuration via ConfigFS. It can be NULL if the USB host sends requests before the nexus is fully established or immediately after it is dropped.

Currently, functions like `bot_submit_command()` and the data transfer paths retrieve `tv_nexus = tpg->tpg_nexus` and immediately dereference `tv_nexus->tvn_se_sess` without any validation. If a malicious or misconfigured USB host sends a BOT (Bulk-Only Transport) command during this race window, it triggers a NULL pointer dereference, leading to a kernel panic (local DoS).

This exposes an inconsistent API usage within the module, as peer functions like `usbg_submit_command()` and `bot_send_bad_response()` correctly implement a NULL check for `tv_nexus` before proceeding.

Fix this by bringing consistency to the nexus handling. Add the missing `if (!tv_nexus)` checks to the vulnerable BOT command and request processing paths, aborting the command gracefully with an error instead of crashing the system.
Fixes: c52661d60f63 ("usb-gadget: Initial merge of target module for UASP += BOT") Cc: stable@vger.kernel.org Signed-off-by: Jiasheng Jiang --- Changelog: v1 -> v2: 1. Update Fixes tag. 2. Add Cc: stable@vger.kernel.org. --- drivers/usb/gadget/function/f_tcm.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/drivers/usb/gadget/function/f_tcm.c b/drivers/usb/gadget/funct= ion/f_tcm.c index 6e8804f04baa..9554ddd9b4b8 100644 --- a/drivers/usb/gadget/function/f_tcm.c +++ b/drivers/usb/gadget/function/f_tcm.c @@ -1222,6 +1222,11 @@ static void usbg_submit_cmd(struct usbg_cmd *cmd) se_cmd =3D &cmd->se_cmd; tpg =3D cmd->fu->tpg; tv_nexus =3D tpg->tpg_nexus; + if (!tv_nexus) { + pr_err("Missing nexus, ignoring command\n"); + return; + } + dir =3D get_cmd_dir(cmd->cmd_buf); if (dir < 0) goto out; @@ -1482,6 +1487,11 @@ static void bot_cmd_work(struct work_struct *work) se_cmd =3D &cmd->se_cmd; tpg =3D cmd->fu->tpg; tv_nexus =3D tpg->tpg_nexus; + if (!tv_nexus) { + pr_err("Missing nexus, ignoring command\n"); + return; + } + dir =3D get_cmd_dir(cmd->cmd_buf); if (dir < 0) goto out; --=20 2.25.1
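Review bot: in the usbg_submit_cmd() hunk the new bare `return` bypasses the `out:` label that the adjacent `if (dir < 0) goto out;` path relies on, so whatever cleanup that label performs (releasing the command, signalling completion) is skipped for the missing-nexus case; either use `goto out` here as well or state in the commit message why dropping the command without that cleanup is safe. The commit message also names `bot_submit_command()` and the data transfer paths as the functions being fixed while the diff touches `usbg_submit_cmd()` and `bot_cmd_work()`, so the text should be brought in line with the code. Since this path is reachable from the USB host, `pr_err()` can be driven repeatedly to flood the kernel log; `pr_err_ratelimited()` would be the safer choice. Finally, the check reads `tpg->tpg_nexus` once with no locking visible in the hunk, so if the nexus can be torn down concurrently (the race the message describes), the later `tv_nexus->tvn_se_sess` dereference remains possible; the message should say what serializes nexus teardown against this work.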
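Review bot: the bot_cmd_work() hunk has the same problem as the first one: the early `return` skips the `out:` cleanup that the neighbouring `if (dir < 0) goto out;` depends on, and for a BOT command it also means the host never receives any status for the CBW it sent. Given that the commit message points out `bot_send_bad_response()` already handles a missing nexus, consider whether this path should report a failed command to the host instead of silently dropping it, and document the choice either way. The identical check and message duplicated in both functions could be a small static helper, and `pr_err_ratelimited()` applies here as well because the trigger is host-controlled.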