From: Guangshuo Li
To: Greg Kroah-Hartman, Jiasheng Jiang, Christophe JAILLET, Guangshuo Li, Thinh Nguyen, Mike Christie, Kees Cook, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] usb: gadget: f_tcm: fix remaining nexus NULL dereferences
Date: Thu, 4 Jun 2026 20:39:29 +0800
Message-ID: <20260604123929.1427579-1-lgs201920130244@gmail.com>
X-Mailer: git-send-email 2.43.0
X-Mailing-List: linux-kernel@vger.kernel.org

The previous nexus NULL-dereference fix added checks to the normal command submission paths, but two UASP paths still dereference tpg->tpg_nexus without checking it first.

A TASK MANAGEMENT request reaches usbg_submit_tmr(), which fetches tvn_se_sess directly from tpg->tpg_nexus. The RC_OVERLAPPED_TAG path in usbg_cmd_work() does the same before walking sess_cmd_map for the active command with the same tag. If userspace drops the nexus after the command is queued, these paths can observe a NULL tpg_nexus and crash before they can ignore the command like the already-fixed command paths do.

Check tpg_nexus in both remaining paths and use the checked local nexus before dereferencing tvn_se_sess.

Fixes: b9fde5073553 ("usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling")
Signed-off-by: Guangshuo Li
---
 drivers/usb/gadget/function/f_tcm.c | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/gadget/function/f_tcm.c b/drivers/usb/gadget/funct= ion/f_tcm.c index 34d9f49e9987..1717fdd1c466 100644 --- a/drivers/usb/gadget/function/f_tcm.c +++ b/drivers/usb/gadget/function/f_tcm.c @@ -1188,12 +1188,21 @@ static void usbg_aborted_task(struct se_cmd *se_cmd= ); =20 static void usbg_submit_tmr(struct usbg_cmd *cmd) { + struct tcm_usbg_nexus *tv_nexus; struct se_session *se_sess; struct se_cmd *se_cmd; int flags =3D TARGET_SCF_ACK_KREF; =20 se_cmd =3D &cmd->se_cmd; - se_sess =3D cmd->fu->tpg->tpg_nexus->tvn_se_sess; + tv_nexus =3D cmd->fu->tpg->tpg_nexus; + if (!tv_nexus) { + struct usb_gadget *gadget =3D fuas_to_gadget(cmd->fu); + + dev_err(&gadget->dev, "Missing nexus for TMR, ignoring command\n"); + return; + } + + se_sess =3D tv_nexus->tvn_se_sess; =20 target_submit_tmr(se_cmd, se_sess, cmd->response_iu.add_response_info, @@ -1271,12 +1280,21 @@ static void usbg_cmd_work(struct work_struct *work) skip: if (cmd->tmr_rsp =3D=3D RC_OVERLAPPED_TAG) { struct f_uas *fu =3D cmd->fu; + struct tcm_usbg_nexus *tv_nexus; struct se_session *se_sess; struct uas_stream *stream =3D NULL; struct hlist_node *tmp; struct usbg_cmd *active_cmd =3D NULL; =20 - se_sess =3D cmd->fu->tpg->tpg_nexus->tvn_se_sess; + tv_nexus =3D fu->tpg->tpg_nexus; + if (!tv_nexus) { + struct usb_gadget *gadget =3D fuas_to_gadget(fu); + + dev_err(&gadget->dev, "Missing nexus for overlapped tag, ignoring comma= nd\n"); + return; + } + + se_sess =3D tv_nexus->tvn_se_sess; =20 hash_for_each_possible_safe(fu->stream_hash, stream, tmp, node, cmd->tag= ) { int i =3D stream - &fu->stream[0]; --=20 2.43.0
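Review bot: In the usbg_submit_tmr() hunk the new NULL check is an unlocked read of cmd->fu->tpg->tpg_nexus, and nothing in the hunk serializes it against the userspace nexus drop the commit message describes, so the window only shrinks: tv_nexus, and the tvn_se_sess read from it, can still be torn down between `if (!tv_nexus)` and the target_submit_tmr() call. Either take the same lock the drop path uses around the lookup and the submit, or make the drop path flush or cancel queued command work before freeing the nexus, and state in the commit message which of the two closes the race rather than only the NULL case. Since this message is reachable from a host-issued TMR, `dev_err_ratelimited()` would be the better choice for the log line than `dev_err()`.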
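Review bot: In the usbg_cmd_work() hunk the new `return` on a missing nexus leaves the RC_OVERLAPPED_TAG command without any completion or release that is visible on that path, and because it returns before the hash_for_each_possible_safe() walk, the active command with the same tag is never located or handled; if the already-fixed command paths release `cmd` before ignoring it, this path should do the same, otherwise the commit message should say why dropping it here is safe. The block also repeats the lookup, `dev_err()` and early-return idiom from usbg_submit_tmr() almost verbatim; a small helper that returns the checked nexus (or NULL after logging) would keep the two paths from drifting apart, and the second message, "Missing nexus for overlapped tag, ignoring command\n", would then need only one copy of its wording.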