Linux USB
* [PATCH] usbip: vudc: get vudc from endpoint in vep_dequeue
       [not found] <2026061502-rants-doing-407e@gregkh>
@ 2026-06-15 10:11 ` Hu Xinyao
  2026-06-15 10:33   ` Greg KH
  0 siblings, 1 reply; 2+ messages in thread
From: Hu Xinyao @ 2026-06-15 10:11 UTC (permalink / raw)
  To: Greg KH
  Cc: Valentina Manea, Shuah Khan, Shuah Khan, Hongren Zheng, linux-usb,
	security

vep_dequeue() looks up the virtual UDC through vrequest->udc, but
that field is never initialized when requests are allocated or queued.
A gadget function that dequeues a request during disconnect can
therefore dereference a NULL vudc pointer and crash the kernel.

This was observed with a USB/IP vUDC ACM gadget. ACM is not unique here;
it was only the tested gadget path. The bug is in the generic vUDC
dequeue path rather than in ACM itself.

Use the endpoint to recover the vudc, as the other vUDC endpoint ops
already do, instead of relying on the request-private field.

Fixes: b6a0ca111867 ("usbip: vudc: Add UDC specific ops")
Cc: stable@vger.kernel.org
Reported-by: Hu Xinyao <huxinyao0011@gmail.com>
Signed-off-by: Hu Xinyao <huxinyao0011@gmail.com>
---
 drivers/usb/usbip/vudc_dev.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/usbip/vudc_dev.c b/drivers/usb/usbip/vudc_dev.c
index c5f079c5a1ea..f0a1a44c18e3 100644
--- a/drivers/usb/usbip/vudc_dev.c
+++ b/drivers/usb/usbip/vudc_dev.c
@@ -344,7 +344,7 @@ static int vep_dequeue(struct usb_ep *_ep, struct usb_request *_req)
 
 	ep = to_vep(_ep);
 	req = to_vrequest(_req);
-	udc = req->udc;
+	udc = ep_to_vudc(ep);
 
 	if (!udc->driver)
 		return -ESHUTDOWN;
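
Review bot: with `udc = ep_to_vudc(ep);` this line no longer reads `req->udc`, but the changelog says that member is never initialized when requests are allocated or queued, so it stays in the request structure as a NULL pointer for the next reader to trip over. Consider dropping the member in this same patch, or initializing it where the request is allocated, and state in the changelog which option was taken so the stable backport carries the full fix.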

base-commit: 186d3c4e92242351afc24d9784f31cb4cd08a4b7
-- 
2.53.0.windows.1



* Re: [PATCH] usbip: vudc: get vudc from endpoint in vep_dequeue
  2026-06-15 10:11 ` [PATCH] usbip: vudc: get vudc from endpoint in vep_dequeue Hu Xinyao
@ 2026-06-15 10:33   ` Greg KH
  0 siblings, 0 replies; 2+ messages in thread
From: Greg KH @ 2026-06-15 10:33 UTC (permalink / raw)
  To: Hu Xinyao
  Cc: Valentina Manea, Shuah Khan, Shuah Khan, Hongren Zheng, linux-usb,
	security

On Mon, Jun 15, 2026 at 06:11:10PM +0800, Hu Xinyao wrote:
> vep_dequeue() looks up the virtual UDC through vrequest->udc, but
> that field is never initialized when requests are allocated or queued.
> A gadget function that dequeues a request during disconnect can
> therefore dereference a NULL vudc pointer and crash the kernel.
> 
> This was observed with a USB/IP vUDC ACM gadget. ACM is not unique here;
> it was only the tested gadget path. The bug is in the generic vUDC
> dequeue path rather than in ACM itself.
> 
> Use the endpoint to recover the vudc, as the other vUDC endpoint ops
> already do, instead of relying on the request-private field.
> 
> Fixes: b6a0ca111867 ("usbip: vudc: Add UDC specific ops")
> Cc: stable@vger.kernel.org
> Reported-by: Hu Xinyao <huxinyao0011@gmail.com>
> Signed-off-by: Hu Xinyao <huxinyao0011@gmail.com>

When you author and sign off on a patch, you don't need the reported-by
line.

Anyway, isn't this patch:
	https://lore.kernel.org/r/18A5F3B379FB205B+20260615093559.3436095-1-raoxu@uniontech.com
a better one instead?

thanks,

greg k-h

