From: Jipa Alexandru-Ionut <jipaionut@gmail.com>
To: valentina.manea.m@gmail.com, shuah@kernel.org, i@zenithal.me,
gregkh@linuxfoundation.org
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
stable@vger.kernel.org,
Jipa Alexandru-Ionut <jipaionut@gmail.com>
Subject: [PATCH] usbip: vudc: fix NULL pointer dereference in vep_dequeue
Date: Fri, 12 Jun 2026 14:41:48 +0300
Message-ID: <20260612114148.6849-1-jipaionut@gmail.com>
vep_dequeue() reads the udc from req->udc, but struct vrequest's udc
field is never assigned anywhere in the driver, so it is always NULL.
The following dereference of udc->driver then oopses.
vep_queue(), the symmetric path, correctly derives the udc from the
endpoint via ep_to_vudc(ep); vep_dequeue() must do the same.
This is only reached when a request is queued at the time of dequeue.
A FunctionFS gadget keeps OUT requests queued, so unbinding such a
gadget from a usbip-vudc UDC (ffs_func_unbind -> usb_ep_dequeue)
hits it and wedges the vudc subsystem.
Fixes: b6a0ca111867 ("usbip: vudc: Add UDC specific ops")
Cc: stable@vger.kernel.org
Signed-off-by: Jipa Alexandru-Ionut <jipaionut@gmail.com>
---
drivers/usb/usbip/vudc_dev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/usb/usbip/vudc_dev.c b/drivers/usb/usbip/vudc_dev.c
index 100000000000..100000000001 100644
--- a/drivers/usb/usbip/vudc_dev.c
+++ b/drivers/usb/usbip/vudc_dev.c
@@ -344,7 +344,7 @@ static int vep_dequeue(struct usb_ep *_ep, struct usb_request *_req)
ep = to_vep(_ep);
req = to_vrequest(_req);
- udc = req->udc;
+ udc = ep_to_vudc(ep);
if (!udc->driver)
return -ESHUTDOWN;
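Review bot: once "udc = req->udc;" is replaced by "udc = ep_to_vudc(ep);", the udc member of struct vrequest is left behind as a field that, per the changelog, is never assigned anywhere in the driver, so it stays a NULL pointer that any later caller could dereference again. Consider removing the member from struct vrequest in this patch or in a follow-up, so the compiler rejects any remaining or future use. Since the changelog describes an oops reached through ffs_func_unbind -> usb_ep_dequeue, a trimmed copy of the oops trace in the commit message would also help stable maintainers match reports to this fix.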
--
2.47.0
Thread overview: 2+ messages
2026-06-12 11:41 Jipa Alexandru-Ionut [this message]
2026-06-12 18:32 ` [PATCH] usbip: vudc: fix NULL pointer dereference in vep_dequeue kernel test robot