Re: [PATCH] usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling

From: Thinh Nguyen

Date: Wed Feb 18 2026 - 00:23:30 EST


On Mon, Feb 16, 2026, Jiasheng Jiang wrote:
> The `tpg->tpg_nexus` pointer in the USB Target driver is dynamically
> managed and tied to userspace configuration via ConfigFS. It can be
> NULL if the USB host sends requests before the nexus is fully
> established or immediately after it is dropped.
>
> Currently, functions like `bot_submit_command()` and the data
> transfer paths retrieve `tv_nexus = tpg->tpg_nexus` and immediately
> dereference `tv_nexus->tvn_se_sess` without any validation. If a
> malicious or misconfigured USB host sends a BOT (Bulk-Only Transport)
> command during this race window, it triggers a NULL pointer
> dereference, leading to a kernel panic (local DoS).
>
> This exposes an inconsistent API usage within the module, as peer
> functions like `usbg_submit_command()` and `bot_send_bad_response()`
> correctly implement a NULL check for `tv_nexus` before proceeding.
>
> Fix this by bringing consistency to the nexus handling. Add the
> missing `if (!tv_nexus)` checks to the vulnerable BOT command and
> request processing paths, aborting the command gracefully with an
> error instead of crashing the system.
>
> Fixes: 08a1cb0f65fd ("usb: gadget: tcm: factor out f_tcm")
> Signed-off-by: Jiasheng Jiang <jiashengjiangcool@xxxxxxxxx>
> ---
> drivers/usb/gadget/function/f_tcm.c | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> diff --git a/drivers/usb/gadget/function/f_tcm.c b/drivers/usb/gadget/function/f_tcm.c
> index 6e8804f04baa..9554ddd9b4b8 100644
> --- a/drivers/usb/gadget/function/f_tcm.c
> +++ b/drivers/usb/gadget/function/f_tcm.c
> @@ -1222,6 +1222,11 @@ static void usbg_submit_cmd(struct usbg_cmd *cmd)
> se_cmd = &cmd->se_cmd;
> tpg = cmd->fu->tpg;
> tv_nexus = tpg->tpg_nexus;
> + if (!tv_nexus) {
> + pr_err("Missing nexus, ignoring command\n");
> + return;
> + }
> +
> dir = get_cmd_dir(cmd->cmd_buf);
> if (dir < 0)
> goto out;
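Review bot: the new check bails out with a bare `return`, while the `dir < 0` error path two lines below goes to `out:`; whatever that label does for a rejected command (releasing the usbg_cmd, reporting a failure status to the host) is skipped here, so either make this `goto out;` as well or have the commit message say why "aborting the command gracefully" needs no cleanup on this path. Also, since the message states that a malicious host can trigger this path at will, prefer `pr_err_ratelimited()` over `pr_err()` so the host cannot flood the kernel log by replaying commands.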
> @@ -1482,6 +1487,11 @@ static void bot_cmd_work(struct work_struct *work)
> se_cmd = &cmd->se_cmd;
> tpg = cmd->fu->tpg;
> tv_nexus = tpg->tpg_nexus;
> + if (!tv_nexus) {
> + pr_err("Missing nexus, ignoring command\n");
> + return;
> + }
> +
> dir = get_cmd_dir(cmd->cmd_buf);
> if (dir < 0)
> goto out;
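Review bot: the NULL test only narrows the window the commit message describes rather than closing it: `tpg->tpg_nexus` is read here with no lock or reference held, and nothing in the hunk keeps the nexus alive between this check and the later use of `tv_nexus`, so a nexus dropped through ConfigFS right after the check is still used. The check is fine as a defensive guard, but the message should not claim it fixes the race; the fix is to make nexus removal and gadget bind mutually exclusive (refuse to drop the nexus while bound, refuse to bind without one). Separately, the commit message names `bot_submit_command()` as the unchecked path, but the function changed here is `bot_cmd_work()`; align the message with the code. Here too the bare `return` skips the `out:` cleanup that the `dir < 0` path immediately below takes.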
> --
> 2.25.1
>
>

While the patch itself is fine, we should prevent this situation from
occurring in the first place. That is, we should enforce the config
dependency and prevent the users from removing the nexus if the gadget
driver is bound. Likewise, we should prevent the gadget driver from
binding if no nexus is established.

BR,
Thinh
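As an added illustration of the config-dependency enforcement suggested in the reply above (example code written for this page, not the f_tcm driver and not from either participant): a user-space C model of a tpg whose nexus can only be dropped while no gadget is bound, and which refuses to bind while no nexus exists. Under those two rules the command path can never observe a bound tpg with a NULL nexus, so the NULL check there becomes a defensive guard rather than the fix. All names (`struct tpg`, `tpg_nexus_set()`, `tpg_nexus_drop()`, `tpg_set_bound()`, `tpg_submit_cmd()`), the pthread mutex standing in for whatever lock the driver would use, and the `"INQUIRY"` sample command are assumptions of this model only.

```c
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the driver's nexus and tpg objects. */
struct nexus { char session[32]; };	/* stands in for tvn_se_sess */

struct tpg {
	pthread_mutex_t lock;	/* serialises ConfigFS ops against bind/unbind */
	struct nexus storage;	/* backing store, so no allocation is needed */
	struct nexus *nexus;	/* NULL until userspace creates one */
	bool bound;		/* gadget function currently bound */
};

/* ConfigFS "create nexus": at most one nexus per tpg. */
int tpg_nexus_set(struct tpg *tpg, const char *name)
{
	int ret = 0;
	pthread_mutex_lock(&tpg->lock);
	if (tpg->nexus) {
		ret = -EEXIST;
	} else {
		snprintf(tpg->storage.session, sizeof(tpg->storage.session), "%s", name);
		tpg->nexus = &tpg->storage;
	}
	pthread_mutex_unlock(&tpg->lock);
	return ret;
}

/* ConfigFS "drop nexus": refused while the gadget is bound, so the command
 * path can never see a bound tpg whose nexus has gone away underneath it. */
int tpg_nexus_drop(struct tpg *tpg)
{
	int ret = 0;
	pthread_mutex_lock(&tpg->lock);
	if (!tpg->nexus)
		ret = -ENOENT;
	else if (tpg->bound)
		ret = -EBUSY;
	else
		tpg->nexus = NULL;
	pthread_mutex_unlock(&tpg->lock);
	return ret;
}

/* Gadget bind (bound=true) is refused unless a nexus already exists;
 * unbind (bound=false) is always allowed. */
int tpg_set_bound(struct tpg *tpg, bool bound)
{
	int ret = 0;
	pthread_mutex_lock(&tpg->lock);
	if (bound && !tpg->nexus)
		ret = -ENODEV;
	else if (bound == tpg->bound)
		ret = -EALREADY;
	else
		tpg->bound = bound;
	pthread_mutex_unlock(&tpg->lock);
	return ret;
}

/* Host command path. With the invariants above a bound tpg always has a
 * nexus, so the NULL test is only a defensive guard, not the actual fix. */
int tpg_submit_cmd(struct tpg *tpg, const char *cdb, char *out, size_t outlen)
{
	int ret = 0;
	pthread_mutex_lock(&tpg->lock);
	if (!tpg->bound)
		ret = -ENXIO;	/* not enumerated: drop the command */
	else if (!tpg->nexus)
		ret = -ENOENT;	/* unreachable once bind enforces the dependency */
	else
		snprintf(out, outlen, "%s:%s", tpg->nexus->session, cdb);
	pthread_mutex_unlock(&tpg->lock);
	return ret;
}

/* Walks the lifecycle; returns 0 on success or the first failing step. */
int tpg_run_scenario(void)
{
	struct tpg t = { .lock = PTHREAD_MUTEX_INITIALIZER };
	char out[64];

	if (tpg_set_bound(&t, true) != -ENODEV) return 1;	/* no nexus yet */
	if (tpg_nexus_set(&t, "s1") != 0) return 2;
	if (tpg_set_bound(&t, true) != 0) return 3;
	if (tpg_nexus_drop(&t) != -EBUSY) return 4;		/* bound: refused */
	if (tpg_submit_cmd(&t, "INQUIRY", out, sizeof(out)) != 0) return 5;
	if (strcmp(out, "s1:INQUIRY") != 0) return 6;
	if (tpg_set_bound(&t, false) != 0) return 7;
	if (tpg_nexus_drop(&t) != 0) return 8;			/* now allowed */
	if (tpg_submit_cmd(&t, "INQUIRY", out, sizeof(out)) != -ENXIO) return 9;
	return 0;
}

/* Exit status is 0 on success or the number of the failing step. */
int main(void) { return tpg_run_scenario(); }
```

The point of the model is that every transition that could invalidate what the command path relies on (dropping the nexus, binding without one) is refused under the same lock the command path takes, so there is no window in which a host request can race a ConfigFS write; the `-ENOENT` branch in `tpg_submit_cmd()` documents the invariant rather than papering over its absence.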