From: Jipa Alexandru-Ionut
To: valentina.manea.m@gmail.com, shuah@kernel.org, i@zenithal.me, gregkh@linuxfoundation.org
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Jipa Alexandru-Ionut
Subject: [PATCH] usbip: vudc: fix NULL pointer dereference in vep_dequeue
Date: Fri, 12 Jun 2026 14:41:48 +0300
Message-ID: <20260612114148.6849-1-jipaionut@gmail.com>

vep_dequeue() reads the udc from req->udc, but struct vrequest's udc
field is never assigned anywhere in the driver, so it is always NULL.
The following dereference of udc->driver then oopses. vep_queue(), the
symmetric path, correctly derives the udc from the endpoint via
ep_to_vudc(ep); vep_dequeue() must do the same.

This is only reached when a request is queued at the time of dequeue.
A FunctionFS gadget keeps OUT requests queued, so unbinding such a
gadget from a usbip-vudc UDC (ffs_func_unbind -> usb_ep_dequeue) hits it
and wedges the vudc subsystem.

Fixes: b6a0ca111867 ("usbip: vudc: Add UDC specific ops")
Cc: stable@vger.kernel.org
Signed-off-by: Jipa Alexandru-Ionut
---
 drivers/usb/usbip/vudc_dev.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/usbip/vudc_dev.c b/drivers/usb/usbip/vudc_dev.c index 100000000000..100000000001 100644 --- a/drivers/usb/usbip/vudc_dev.c +++ b/drivers/usb/usbip/vudc_dev.c @@ -344,7 +344,7 @@ static int vep_dequeue(struct usb_ep *_ep, struct usb_request *_req) ep = to_vep(_ep); req = to_vrequest(_req); - udc = req->udc; + udc = ep_to_vudc(ep); if (!udc->driver) return -ESHUTDOWN; -- 2.47.0
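
Review bot: the `udc` member of struct vrequest is left in place after the one-line change in vep_dequeue(), although the commit message says it is never assigned anywhere in the driver and `udc = ep_to_vudc(ep);` removes the read shown here. If nothing else reads `req->udc`, drop the member from the struct in this patch or in a follow-up, so that a later change cannot reintroduce the same always-NULL dereference. Separately, since the patch is Cc'd to stable, the commit message would be easier to match against field reports if it included the oops trace from the FunctionFS unbind path it describes (ffs_func_unbind -> usb_ep_dequeue).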