Re: [PATCH] usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling
From: Thinh Nguyen
Date: Wed Feb 18 2026 - 21:20:59 EST
On Thu, Feb 19, 2026, Jiasheng Jiang wrote:
> The `tpg->tpg_nexus` pointer in the USB Target driver is dynamically
> managed and tied to userspace configuration via ConfigFS. It can be
> NULL if the USB host sends requests before the nexus is fully
> established or immediately after it is dropped.
>
> Currently, functions like `bot_submit_command()` and the data
> transfer paths retrieve `tv_nexus = tpg->tpg_nexus` and immediately
> dereference `tv_nexus->tvn_se_sess` without any validation. If a
> malicious or misconfigured USB host sends a BOT (Bulk-Only Transport)
> command during this race window, it triggers a NULL pointer
> dereference, leading to a kernel panic (local DoS).
>
> This exposes an inconsistent API usage within the module, as peer
> functions like `usbg_submit_command()` and `bot_send_bad_response()`
> correctly implement a NULL check for `tv_nexus` before proceeding.
>
> Fix this by bringing consistency to the nexus handling. Add the
> missing `if (!tv_nexus)` checks to the vulnerable BOT command and
> request processing paths, aborting the command gracefully with an
> error instead of crashing the system.
>
> Fixes: 08a1cb0f65fd ("usb: gadget: tcm: factor out f_tcm")
> Signed-off-by: Jiasheng Jiang <jiashengjiangcool@xxxxxxxxx>
> ---
> drivers/usb/gadget/function/f_tcm.c | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> diff --git a/drivers/usb/gadget/function/f_tcm.c b/drivers/usb/gadget/function/f_tcm.c
> index 6e8804f04baa..9554ddd9b4b8 100644
> --- a/drivers/usb/gadget/function/f_tcm.c
> +++ b/drivers/usb/gadget/function/f_tcm.c
> @@ -1222,6 +1222,11 @@ static void usbg_submit_cmd(struct usbg_cmd *cmd)
> se_cmd = &cmd->se_cmd;
> tpg = cmd->fu->tpg;
> tv_nexus = tpg->tpg_nexus;
> + if (!tv_nexus) {
> + pr_err("Missing nexus, ignoring command\n");
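Review bot: the added `if (!tv_nexus)` after `tv_nexus = tpg->tpg_nexus;` only covers the case where the pointer is already NULL at the moment it is read; the commit message describes a race with the nexus being dropped through ConfigFS, and a bare pointer check without holding the lock that serializes nexus creation and removal does not stop the nexus from being freed after the check has passed and while the command is still using it. Either take that lock across the check and the use of `tv_nexus`, or state in the commit message why the remaining window is acceptable, so the change is not presented as closing a race it only narrows. Separately, the hunk is cut off in this quote right after `pr_err("Missing nexus, ignoring command\n");`, so the abort path that follows is not visible here; and since `cmd->fu` is in scope, that message should be emitted with `dev_err` against the function's device rather than `pr_err`, matching the driver's existing logging.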
Use dev_err.
BR,
Thinh