kernel/drivers/usb/gadget/function/f_tcm.c, branch linux-rolling-lts

usb: gadget: f_tcm: Fix NULL pointer dereferences in nexus handling

2026-03-19T15:08:27Z

commit b9fde507355342a2d64225d582dc8b98ff5ecb19 upstream. The `tpg->tpg_nexus` pointer in the USB Target driver is dynamically managed and tied to userspace configuration via ConfigFS. It can be NULL if the USB host sends requests before the nexus is fully established or immediately after it is dropped. Currently, functions like `bot_submit_command()` and the data transfer paths retrieve `tv_nexus = tpg->tpg_nexus` and immediately dereference `tv_nexus->tvn_se_sess` without any validation. If a malicious or misconfigured USB host sends a BOT (Bulk-Only Transport) command during this race window, it triggers a NULL pointer dereference, leading to a kernel panic (local DoS). This exposes an inconsistent API usage within the module, as peer functions like `usbg_submit_command()` and `bot_send_bad_response()` correctly implement a NULL check for `tv_nexus` before proceeding. Fix this by bringing consistency to the nexus handling. Add the missing `if (!tv_nexus)` checks to the vulnerable BOT command and request processing paths, aborting the command gracefully with an error instead of crashing the system. Fixes: c52661d60f63 ("usb-gadget: Initial merge of target module for UASP + BOT") Cc: stable Signed-off-by: Jiasheng Jiang Reviewed-by: Thinh Nguyen Link: https://patch.msgid.link/20260219023834.17976-1-jiashengjiangcool@gmail.com Signed-off-by: Greg Kroah-Hartman

usb: potential integer overflow in usbg_make_tpg()

2025-04-15T12:29:33Z

The variable tpgt in usbg_make_tpg() is defined as unsigned long and is assigned to tpgt->tport_tpgt, which is defined as u16. This may cause an integer overflow when tpgt is greater than USHRT_MAX (65535). I haven't tried to trigger it myself, but it is possible to trigger it by calling usbg_make_tpg() with a large value for tpgt. I modified the type of tpgt to match tpgt->tport_tpgt and adjusted the relevant code accordingly. This patch is similar to commit 59c816c1f24d ("vhost/scsi: potential memory corruption"). Signed-off-by: Chen Yufeng Link: https://lore.kernel.org/r/20250415065857.1619-1-chenyufeng@iie.ac.cn Signed-off-by: Greg Kroah-Hartman

usb: gadget: f_tcm: Refactor goto check_condition

2024-12-24T07:56:08Z

Move the command initialization before the check_condition to after the goto statement for a cleaner look. No functional change here. Signed-off-by: Thinh Nguyen Link: https://lore.kernel.org/r/8442364f51f2788d2a191997581a8eda7a143272.1733876548.git.Thinh.Nguyen@synopsys.com Signed-off-by: Greg Kroah-Hartman

usb: gadget: f_tcm: Track BOT command kref

2024-12-24T07:56:08Z

Set TARGET_SCF_ACK_KREF flag and allow f_tcm to take the BOT command reference. A usb request may be canceled, the f_tcm knows this. Let it decides if the command should be freed. This is the same as how the UAS interface is done. Signed-off-by: Thinh Nguyen Link: https://lore.kernel.org/r/e791c639e91b5d91a8787f5d6902e8c58f1dc172.1733876548.git.Thinh.Nguyen@synopsys.com Signed-off-by: Greg Kroah-Hartman

usb: gadget: f_tcm: Requeue command request on error

2024-12-24T07:56:08Z

If there's error on command request, make sure to requeue to receive the next one. Signed-off-by: Thinh Nguyen Link: https://lore.kernel.org/r/d4e55c13be8f83f99ee55f7b979a99e2c14fc4c8.1733876548.git.Thinh.Nguyen@synopsys.com Signed-off-by: Greg Kroah-Hartman

usb: gadget: f_tcm: Stall on invalid CBW

2024-12-24T07:56:07Z

If the BOT command CBW is invalid, make sure to respond by setting status endpoint STALL until the next proper CBW or reset. Signed-off-by: Thinh Nguyen Link: https://lore.kernel.org/r/96022e2d5225f01a20263a4ba9c2e2c8a63328b8.1733876548.git.Thinh.Nguyen@synopsys.com Signed-off-by: Greg Kroah-Hartman

usb: gadget: f_tcm: Check overlapped command

2024-12-24T07:56:07Z

If there's an overlapped command tag, cancel the command and respond with RC_OVERLAPPED_TAG to host. Signed-off-by: Thinh Nguyen Link: https://lore.kernel.org/r/6bffc2903d0cd1e7c7afca837053a48e883d8903.1733876548.git.Thinh.Nguyen@synopsys.com Signed-off-by: Greg Kroah-Hartman

usb: gadget: f_tcm: Handle TASK_MANAGEMENT commands

2024-12-24T07:56:07Z

Handle target_core_fabric_ops TASK MANAGEMENT functions and their response. If a TASK MANAGEMENT command is received, the driver will interpret the function TMF_*, translate to TMR_*, and fire off a command work executing target_submit_tmr(). On completion, it will handle the TASK MANAGEMENT response through uasp_send_tm_response(). Signed-off-by: Thinh Nguyen Link: https://lore.kernel.org/r/50339586e36509dadb9c208b3314530993e673b6.1733876548.git.Thinh.Nguyen@synopsys.com Signed-off-by: Greg Kroah-Hartman

usb: gadget: f_tcm: Send sense on cancelled transfer

2024-12-24T07:56:07Z

If the transfer is cancelled due to a disconnect or driver tear down (error code -ESHUTDOWN), then just free the command. However, if it got cancelled due to other reasons, then send a sense CHECK CONDITION status with TCM_CHECK_CONDITION_ABORT_CMD status to host notifying the delivery failure. Note that this is separate from TASK MANAGEMENT function abort task command, which will require a separate response IU. See UAS-r04 section 8. Signed-off-by: Thinh Nguyen Link: https://lore.kernel.org/r/f2ae293c1fc39df4d242a2f724584bf4ec105ece.1733876548.git.Thinh.Nguyen@synopsys.com Signed-off-by: Greg Kroah-Hartman

usb: gadget: f_tcm: Save CPU ID per command

2024-12-24T07:56:07Z

Normally we don't care about the CPU id, but if we ever use TARGET_SCF_USE_CPUID, then we need to save the cpuid. Signed-off-by: Thinh Nguyen Link: https://lore.kernel.org/r/ab45e37314405d9cdd7a8e3b761c654400bb2270.1733876548.git.Thinh.Nguyen@synopsys.com Signed-off-by: Greg Kroah-Hartman