usb: gadget: f_tcm: initialize data_len in UAS path for consistency

In usbg_submit_command(), which handles the UAS protocol, the 'data_len'
member of the 'usbg_cmd' structure was left uninitialized by the
logic, relying instead on the zeroing performed by usbg_get_cmd().

In contrast, the BOT path (bot_submit_command) explicitly initializes
this field from the Command Block Wrapper (CBW). This discrepancy is
evident in error handling paths where __target_init_cmd() is called
using cmd->data_len.

Explicitly initialize cmd->data_len to 0 in the UAS path and use this
variable when calling target_submit_cmd(). This ensures architectural
consistency between the UAS and BOT protocols within the driver and
avoids reliance on implicit memory state during error transitions.

Signed-off-by: Jiasheng Jiang <jiashengjiangcool@gmail.com>
Link: https://patch.msgid.link/20260107190622.26070-1-jiashengjiangcool@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/usb/gadget/function/f_tcm.c b/drivers/usb/gadget/function/f_tcm.c
index 92f90592004ee066d71a62f0a9737581127af469..efb94fd825338c6e41345a50b467a1249cd31fa1 100644 (file)
--- a/drivers/usb/gadget/function/f_tcm.c
+++ b/drivers/usb/gadget/function/f_tcm.c
@@ -1227,7 +1227,7 @@ static void usbg_submit_cmd(struct usbg_cmd *cmd)
                goto out;
 
        target_submit_cmd(se_cmd, tv_nexus->tvn_se_sess, cmd->cmd_buf,
-                         cmd->sense_iu.sense, cmd->unpacked_lun, 0,
+                         cmd->sense_iu.sense, cmd->unpacked_lun, cmd->data_len,
                          cmd->prio_attr, dir, flags);
 
        return;
@@ -1389,6 +1389,7 @@ static int usbg_submit_command(struct f_uas *fu, struct usb_request *req)
        cmd->tmr_func = 0;
        cmd->tmr_rsp = RC_RESPONSE_UNKNOWN;
        cmd->flags = 0;
+       cmd->data_len = 0;
 
        cmd_iu = (struct command_iu *)iu;