* [PATCH v2] usbip: vudc: fix NULL deref in vep_dequeue()
@ 2026-06-20 0:18 ` Sam Day via B4 Relay
2026-06-22 7:36 ` Igor Kotrasinski/Security (PLT) /SRPOL/Engineer/Samsung Electronics
2026-06-25 15:12 ` Greg Kroah-Hartman
0 siblings, 2 replies; 3+ messages in thread
From: Sam Day via B4 Relay @ 2026-06-20 0:18 UTC (permalink / raw)
To: Valentina Manea, Shuah Khan, Hongren Zheng, Greg Kroah-Hartman,
Krzysztof Opasiak, Igor Kotrasinski, Karol Kosik
Cc: linux-usb, linux-kernel, Sam Day
From: Sam Day <me@samcday.com>
vep_alloc_request() wasn't initializing vrequest->udc, so cancellations
on the FunctionFS AIO path were arriving in vep_dequeue without a valid
UDC reference.
Since vrequest->udc is never actually properly used anywhere, we opt to
remove it, and update vep_dequeue to obtain a reference to the udc with
ep_to_vudc(), consistent with the other vep_ ops.
AFAICT this bug has existed for ~10 years. Seems that nobody has really
stressed the FunctionFS AIO path on usbip's vudc.
I tested this fix in a QEMU aarch64 guest driving FunctionFS endpoints
via AIO. Before the fix, running `usbip attach` from the host would
cause the guest to oops with the following backtrace:
Call trace:
vep_dequeue+0x1c/0xe4 (P)
usb_ep_dequeue+0x14/0x20
ffs_aio_cancel+0x24/0x34
__arm64_sys_io_cancel+0xb0/0x124
do_el0_svc+0x68/0x100
el0_svc+0x18/0x5c
el0t_64_sync_handler+0x98/0xdc
el0t_64_sync+0x154/0x158
Assisted-by: opencode:openai/gpt-5.5
Fixes: b6a0ca111867 ("usbip: vudc: Add UDC specific ops")
Signed-off-by: Sam Day <me@samcday.com>
---
Changes in v2:
- Reworked to remove vrequest->udc entirely and a call to ep_to_vudc()
from vep_deqe
- Link to v1: https://lore.kernel.org/r/20260619-usbip-vudc-deque-fix-v1-1-9021463b1903@samcday.com
---
drivers/usb/usbip/vudc.h | 1 -
drivers/usb/usbip/vudc_dev.c | 2 +-
2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/usb/usbip/vudc.h b/drivers/usb/usbip/vudc.h
index faf61c9c6a98..5ef0e7d9b23a 100644
--- a/drivers/usb/usbip/vudc.h
+++ b/drivers/usb/usbip/vudc.h
@@ -38,7 +38,6 @@ struct vep {
struct vrequest {
struct usb_request req;
- struct vudc *udc;
struct list_head req_entry; /* Request queue */
};
diff --git a/drivers/usb/usbip/vudc_dev.c b/drivers/usb/usbip/vudc_dev.c
index c5f079c5a1ea..f0a1a44c18e3 100644
--- a/drivers/usb/usbip/vudc_dev.c
+++ b/drivers/usb/usbip/vudc_dev.c
@@ -344,7 +344,7 @@ static int vep_dequeue(struct usb_ep *_ep, struct usb_request *_req)
ep = to_vep(_ep);
req = to_vrequest(_req);
- udc = req->udc;
+ udc = ep_to_vudc(ep);
if (!udc->driver)
return -ESHUTDOWN;
---
base-commit: 5cd1731cc883a9914d91e3b93d4597317b5b5339
change-id: 20260619-usbip-vudc-deque-fix-d316de3d3f16
Best regards,
--
Sam Day <me@samcday.com>
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH v2] usbip: vudc: fix NULL deref in vep_dequeue()
2026-06-20 0:18 ` [PATCH v2] usbip: vudc: fix NULL deref in vep_dequeue() Sam Day via B4 Relay
@ 2026-06-22 7:36 ` Igor Kotrasinski/Security (PLT) /SRPOL/Engineer/Samsung Electronics
2026-06-25 15:12 ` Greg Kroah-Hartman
1 sibling, 0 replies; 3+ messages in thread
From: Igor Kotrasinski/Security (PLT) /SRPOL/Engineer/Samsung Electronics @ 2026-06-22 7:36 UTC (permalink / raw)
To: me, Valentina Manea, Shuah Khan, Hongren Zheng,
Greg Kroah-Hartman, Karol Kosik
Cc: linux-usb, linux-kernel
> From: Sam Day <me@samcday.com>
>
> vep_alloc_request() wasn't initializing vrequest->udc, so cancellations
> on the FunctionFS AIO path were arriving in vep_dequeue without a valid
> UDC reference.
>
> Since vrequest->udc is never actually properly used anywhere, we opt to
> remove it, and update vep_dequeue to obtain a reference to the udc with
> ep_to_vudc(), consistent with the other vep_ ops.
>
> AFAICT this bug has existed for ~10 years. Seems that nobody has really
> stressed the FunctionFS AIO path on usbip's vudc.
>
> I tested this fix in a QEMU aarch64 guest driving FunctionFS endpoints
> via AIO. Before the fix, running `usbip attach` from the host would
> cause the guest to oops with the following backtrace:
>
> Call trace:
> vep_dequeue+0x1c/0xe4 (P)
> usb_ep_dequeue+0x14/0x20
> ffs_aio_cancel+0x24/0x34
> __arm64_sys_io_cancel+0xb0/0x124
> do_el0_svc+0x68/0x100
> el0_svc+0x18/0x5c
> el0t_64_sync_handler+0x98/0xdc
> el0t_64_sync+0x154/0x158
>
> Assisted-by: opencode:openai/gpt-5.5
> Fixes: b6a0ca111867 ("usbip: vudc: Add UDC specific ops")
> Signed-off-by: Sam Day <me@samcday.com>
> ---
> Changes in v2:
> - Reworked to remove vrequest->udc entirely and a call to ep_to_vudc()
> from vep_deqe
> - Link to v1: https://lore.kernel.org/r/20260619-usbip-vudc-deque-fix-v1-1-9021463b1903@samcday.com
> ---
> drivers/usb/usbip/vudc.h | 1 -
> drivers/usb/usbip/vudc_dev.c | 2 +-
> 2 files changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/drivers/usb/usbip/vudc.h b/drivers/usb/usbip/vudc.h
> index faf61c9c6a98..5ef0e7d9b23a 100644
> --- a/drivers/usb/usbip/vudc.h
> +++ b/drivers/usb/usbip/vudc.h
> @@ -38,7 +38,6 @@ struct vep {
>
> struct vrequest {
> struct usb_request req;
> - struct vudc *udc;
> struct list_head req_entry; /* Request queue */
> };
>
> diff --git a/drivers/usb/usbip/vudc_dev.c b/drivers/usb/usbip/vudc_dev.c
> index c5f079c5a1ea..f0a1a44c18e3 100644
> --- a/drivers/usb/usbip/vudc_dev.c
> +++ b/drivers/usb/usbip/vudc_dev.c
> @@ -344,7 +344,7 @@ static int vep_dequeue(struct usb_ep *_ep, struct usb_request *_req)
>
> ep = to_vep(_ep);
> req = to_vrequest(_req);
> - udc = req->udc;
> + udc = ep_to_vudc(ep);
>
> if (!udc->driver)
> return -ESHUTDOWN;
>
> ---
> base-commit: 5cd1731cc883a9914d91e3b93d4597317b5b5339
> change-id: 20260619-usbip-vudc-deque-fix-d316de3d3f16
>
> Best regards,
Looks good to me.
Reviewed-by: Igor Kotrasinski <i.kotrasinsk@samsung.com>
BRs,
Igor Kotrasiński
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH v2] usbip: vudc: fix NULL deref in vep_dequeue()
2026-06-20 0:18 ` [PATCH v2] usbip: vudc: fix NULL deref in vep_dequeue() Sam Day via B4 Relay
2026-06-22 7:36 ` Igor Kotrasinski/Security (PLT) /SRPOL/Engineer/Samsung Electronics
@ 2026-06-25 15:12 ` Greg Kroah-Hartman
1 sibling, 0 replies; 3+ messages in thread
From: Greg Kroah-Hartman @ 2026-06-25 15:12 UTC (permalink / raw)
To: me
Cc: Valentina Manea, Shuah Khan, Hongren Zheng, Krzysztof Opasiak,
Igor Kotrasinski, Karol Kosik, linux-usb, linux-kernel
On Sat, Jun 20, 2026 at 10:18:09AM +1000, Sam Day via B4 Relay wrote:
> From: Sam Day <me@samcday.com>
>
> vep_alloc_request() wasn't initializing vrequest->udc, so cancellations
> on the FunctionFS AIO path were arriving in vep_dequeue without a valid
> UDC reference.
>
> Since vrequest->udc is never actually properly used anywhere, we opt to
> remove it, and update vep_dequeue to obtain a reference to the udc with
> ep_to_vudc(), consistent with the other vep_ ops.
>
> AFAICT this bug has existed for ~10 years. Seems that nobody has really
> stressed the FunctionFS AIO path on usbip's vudc.
>
> I tested this fix in a QEMU aarch64 guest driving FunctionFS endpoints
> via AIO. Before the fix, running `usbip attach` from the host would
> cause the guest to oops with the following backtrace:
>
> Call trace:
> vep_dequeue+0x1c/0xe4 (P)
> usb_ep_dequeue+0x14/0x20
> ffs_aio_cancel+0x24/0x34
> __arm64_sys_io_cancel+0xb0/0x124
> do_el0_svc+0x68/0x100
> el0_svc+0x18/0x5c
> el0t_64_sync_handler+0x98/0xdc
> el0t_64_sync+0x154/0x158
>
> Assisted-by: opencode:openai/gpt-5.5
> Fixes: b6a0ca111867 ("usbip: vudc: Add UDC specific ops")
> Signed-off-by: Sam Day <me@samcday.com>
> ---
> Changes in v2:
> - Reworked to remove vrequest->udc entirely and a call to ep_to_vudc()
> from vep_deqe
> - Link to v1: https://lore.kernel.org/r/20260619-usbip-vudc-deque-fix-v1-1-9021463b1903@samcday.com
> ---
> drivers/usb/usbip/vudc.h | 1 -
> drivers/usb/usbip/vudc_dev.c | 2 +-
> 2 files changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/drivers/usb/usbip/vudc.h b/drivers/usb/usbip/vudc.h
> index faf61c9c6a98..5ef0e7d9b23a 100644
> --- a/drivers/usb/usbip/vudc.h
> +++ b/drivers/usb/usbip/vudc.h
> @@ -38,7 +38,6 @@ struct vep {
>
> struct vrequest {
> struct usb_request req;
> - struct vudc *udc;
> struct list_head req_entry; /* Request queue */
> };
>
> diff --git a/drivers/usb/usbip/vudc_dev.c b/drivers/usb/usbip/vudc_dev.c
> index c5f079c5a1ea..f0a1a44c18e3 100644
> --- a/drivers/usb/usbip/vudc_dev.c
> +++ b/drivers/usb/usbip/vudc_dev.c
> @@ -344,7 +344,7 @@ static int vep_dequeue(struct usb_ep *_ep, struct usb_request *_req)
>
> ep = to_vep(_ep);
> req = to_vrequest(_req);
> - udc = req->udc;
> + udc = ep_to_vudc(ep);
Why is "req" still needed now? Shouldn't that variable be removed also?
thanks,
greg k-h
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-06-25 15:13 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <CGME20260620001816eucas1p216d49bf6a91cb50717b1bb9e1420d0d6@eucas1p2.samsung.com>
2026-06-20 0:18 ` [PATCH v2] usbip: vudc: fix NULL deref in vep_dequeue() Sam Day via B4 Relay
2026-06-22 7:36 ` Igor Kotrasinski/Security (PLT) /SRPOL/Engineer/Samsung Electronics
2026-06-25 15:12 ` Greg Kroah-Hartman
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox