From: Jiasheng Jiang
To: thinh.nguyen@synopsys.com
Cc: andrzej.p@samsung.com, bigeasy@linutronix.de, chenyufeng@iie.ac.cn, gregkh@linuxfoundation.org, jiashengjiangcool@gmail.com, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, nab@linux-iscsi.org, stable@vger.kernel.org
Subject: [PATCH v3] usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling
Date: Thu, 19 Feb 2026 02:38:34 +0000
Message-Id: <20260219023834.17976-1-jiashengjiangcool@gmail.com>
In-Reply-To: <20260219021757.eeq35yd7jumpk42n@synopsys.com>
References: <20260219021757.eeq35yd7jumpk42n@synopsys.com>

The `tpg->tpg_nexus` pointer in the USB Target driver is dynamically
managed and tied to userspace configuration via ConfigFS. It can be NULL
if the USB host sends requests before the nexus is fully established or
immediately after it is dropped.

Currently, functions like `bot_submit_command()` and the data transfer
paths retrieve `tv_nexus = tpg->tpg_nexus` and immediately dereference
`tv_nexus->tvn_se_sess` without any validation. If a malicious or
misconfigured USB host sends a BOT (Bulk-Only Transport) command during
this race window, it triggers a NULL pointer dereference, leading to a
kernel panic (local DoS).

This exposes an inconsistent API usage within the module, as peer
functions like `usbg_submit_command()` and `bot_send_bad_response()`
correctly implement a NULL check for `tv_nexus` before proceeding.

Fix this by bringing consistency to the nexus handling. Add the missing
`if (!tv_nexus)` checks to the vulnerable BOT command and request
processing paths, aborting the command gracefully with an error instead
of crashing the system.
Fixes: c52661d60f63 ("usb-gadget: Initial merge of target module for UASP + BOT")
Cc: stable@vger.kernel.org
Signed-off-by: Jiasheng Jiang
Reviewed-by: Thinh Nguyen
---
Changelog:

v2 -> v3:
1. Use dev_err.

v1 -> v2:
1. Update Fixes tag.
2. Add Cc: stable@vger.kernel.org.
---
 drivers/usb/gadget/function/f_tcm.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/drivers/usb/gadget/function/f_tcm.c b/drivers/usb/gadget/function/f_tcm.c
index 6e8804f04baa..7b27f8082ace 100644
--- a/drivers/usb/gadget/function/f_tcm.c
+++ b/drivers/usb/gadget/function/f_tcm.c
@@ -1222,6 +1222,13 @@ static void usbg_submit_cmd(struct usbg_cmd *cmd)
 	se_cmd = &cmd->se_cmd;
 	tpg = cmd->fu->tpg;
 	tv_nexus = tpg->tpg_nexus;
+	if (!tv_nexus) {
+		struct usb_gadget *gadget = fuas_to_gadget(cmd->fu);
+
+		dev_err(&gadget->dev, "Missing nexus, ignoring command\n");
+		return;
+	}
+
 	dir = get_cmd_dir(cmd->cmd_buf);
 	if (dir < 0)
 		goto out;
@@ -1482,6 +1489,13 @@ static void bot_cmd_work(struct work_struct *work)
 	se_cmd = &cmd->se_cmd;
 	tpg = cmd->fu->tpg;
 	tv_nexus = tpg->tpg_nexus;
+	if (!tv_nexus) {
+		struct usb_gadget *gadget = fuas_to_gadget(cmd->fu);
+
+		dev_err(&gadget->dev, "Missing nexus, ignoring command\n");
+		return;
+	}
+
 	dir = get_cmd_dir(cmd->cmd_buf);
 	if (dir < 0)
 		goto out;
-- 
2.25.1
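Review bot: In the usbg_submit_cmd() hunk, the new `return;` on a missing nexus abandons a `struct usbg_cmd` that the caller has already allocated and passed in, without releasing it or completing it to the host, whereas the neighbouring `dir < 0` error takes `goto out`. Unless the caller frees the command on this path, every command a host sends in the window leaks a command and leaves the host's pending transfer without a status, which, given the commit message's threat model of a malicious host, is a resource-exhaustion vector of its own. Suggest releasing the command (and sending the error status the message promises with "aborting the command gracefully with an error") before returning, or, if the code under `out:` can be made to not touch `tv_nexus`, routing this case through it. The commit message should also name the functions actually changed: it cites `bot_submit_command()` and "the data transfer paths", but the hunks touch `usbg_submit_cmd()` and `bot_cmd_work()`.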
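Review bot: In the bot_cmd_work() hunk, the check is a snapshot: `tv_nexus` is read once from `tpg->tpg_nexus` and tested, but nothing in the hunk holds a lock or a reference while the command goes on to use `tv_nexus->tvn_se_sess`, so a nexus dropped through ConfigFS after the `if (!tv_nexus)` test (the "immediately after it is dropped" case the commit message describes) is still used. If the drop path does not already flush or wait for in-flight work, the check narrows the window rather than closing it; please say in the commit message which lock or flush makes the snapshot safe, or take it here. Two smaller points: the seven added lines are identical to the usbg_submit_cmd() hunk and could be a small helper, and because this path is reachable from a hostile host, `dev_err_ratelimited()` would avoid a log flood from a stream of commands sent during the window.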
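To make the two halves of the commit message concrete (a nexus that is "not yet established" versus one dropped "immediately after" a command looked at it), here is an added, single-threaded user-space model of the pattern; it is editor-written illustration, not code from drivers/usb/gadget/function/f_tcm.c, and every name in it (`struct tpg_model`, `nexus_attach`, `cmd_begin_checked`, ...) is the example's own. The interleaving with ConfigFS is reproduced by calling the steps in a chosen order. Whether the real driver's ConfigFS drop path already serializes against in-flight commands is not visible in this patch; the model only shows that a NULL check at entry handles the first case, and what closing the second case takes.

```c
/*
 * Added illustration, not f_tcm.c code: a user-space model of a
 * ConfigFS-managed nexus pointer and the host-driven command path.
 * All identifiers are this example's own.
 */
#include <errno.h>
#include <stdio.h>

/* Stands in for tcm_usbg_nexus.  'alive' lets a stale use be detected
 * without touching freed memory (the real driver would free the nexus). */
struct nexus_model {
	int alive;
	int refs;	/* in-flight commands currently holding the nexus */
};

/* Stands in for usbg_tpg: the pointer ConfigFS sets and clears. */
struct tpg_model {
	struct nexus_model *tpg_nexus;
};

/* Stands in for usbg_cmd: the command keeps the nexus it snapshotted. */
struct cmd_model {
	struct nexus_model *tv_nexus;
};

/* ConfigFS side: attach a nexus to the tpg. */
static void nexus_attach(struct tpg_model *tpg, struct nexus_model *nx)
{
	nx->alive = 1;
	nx->refs = 0;
	tpg->tpg_nexus = nx;
}

/* ConfigFS side, variant A: drop without regard to in-flight commands. */
static void nexus_drop_unsynced(struct tpg_model *tpg)
{
	struct nexus_model *nx = tpg->tpg_nexus;

	tpg->tpg_nexus = NULL;
	if (nx)
		nx->alive = 0;	/* models kfree(); memory is not reused here */
}

/* ConfigFS side, variant B: refuse to drop while a command holds it. */
static int nexus_drop_refcounted(struct tpg_model *tpg)
{
	struct nexus_model *nx = tpg->tpg_nexus;

	if (!nx)
		return -ENOENT;
	if (nx->refs > 0)
		return -EBUSY;
	tpg->tpg_nexus = NULL;
	nx->alive = 0;
	return 0;
}

/* Command path step 1: snapshot and NULL-check, the pattern the patch adds. */
static int cmd_begin_checked(struct tpg_model *tpg, struct cmd_model *cmd)
{
	cmd->tv_nexus = tpg->tpg_nexus;
	if (!cmd->tv_nexus)
		return -ENODEV;	/* "Missing nexus, ignoring command" */
	return 0;
}

/* Command path step 1 with a reference: snapshot, check, and pin. */
static int cmd_begin_pinned(struct tpg_model *tpg, struct cmd_model *cmd)
{
	int ret = cmd_begin_checked(tpg, cmd);

	if (ret)
		return ret;
	cmd->tv_nexus->refs++;
	return 0;
}

/* Command path step 2: the later dereference (tvn_se_sess in the driver).
 * Returns -ESTALE where the driver would be touching a freed nexus. */
static int cmd_submit(struct cmd_model *cmd)
{
	return cmd->tv_nexus->alive ? 0 : -ESTALE;
}

static void cmd_end_pinned(struct cmd_model *cmd)
{
	cmd->tv_nexus->refs--;
}

/* Host sends a command before any nexus exists: -ENODEV, no crash. */
static int scenario_no_nexus(void)
{
	struct tpg_model tpg = { .tpg_nexus = NULL };
	struct cmd_model cmd;

	return cmd_begin_checked(&tpg, &cmd);
}

/* Nexus dropped between the check and the use: bare check passes,
 * the later dereference hits a dead nexus. */
static int scenario_check_then_drop(void)
{
	struct nexus_model nx;
	struct tpg_model tpg = { .tpg_nexus = NULL };
	struct cmd_model cmd;

	nexus_attach(&tpg, &nx);
	if (cmd_begin_checked(&tpg, &cmd))
		return -1;
	nexus_drop_unsynced(&tpg);	/* ConfigFS runs here */
	return cmd_submit(&cmd);
}

/* Same interleaving with the command pinning the nexus: the drop is
 * refused (-EBUSY) until the command completes, then succeeds (0). */
static int scenario_pinned(void)
{
	struct nexus_model nx;
	struct tpg_model tpg = { .tpg_nexus = NULL };
	struct cmd_model cmd;

	nexus_attach(&tpg, &nx);
	if (cmd_begin_pinned(&tpg, &cmd))
		return -1;
	if (nexus_drop_refcounted(&tpg) != -EBUSY)	/* ConfigFS runs here */
		return -2;
	if (cmd_submit(&cmd))
		return -3;
	cmd_end_pinned(&cmd);
	return nexus_drop_refcounted(&tpg);
}

int main(void)
{
	printf("no nexus yet:       %d (-ENODEV is %d)\n", scenario_no_nexus(), -ENODEV);
	printf("check, drop, use:   %d (-ESTALE is %d)\n", scenario_check_then_drop(), -ESTALE);
	printf("pinned across drop: %d (expect 0)\n", scenario_pinned());
	return 0;
}
```

The point of the third scenario is that the `refs` counter is what turns a check into a guarantee: the command path and the ConfigFS drop path agree on who owns the nexus while work is in flight. In the kernel the equivalent is whatever lock, flush or reference the driver holds between reading `tpg->tpg_nexus` and its last use of `tv_nexus`, which a reviewer would want the commit message to name.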