[PATCH] usbip: vudc: fix NULL pointer dereference in vep_dequeue
From: Jipa Alexandru-Ionut
Date: Fri Jun 12 2026 - 07:49:35 EST
vep_dequeue() reads the udc from req->udc, but struct vrequest's udc
field is never assigned anywhere in the driver, so it is always NULL.
The following dereference of udc->driver then oopses.

vep_queue(), the symmetric path, correctly derives the udc from the
endpoint via ep_to_vudc(ep); vep_dequeue() must do the same.

This is only reached when a request is queued at the time of dequeue.
A FunctionFS gadget keeps OUT requests queued, so unbinding such a
gadget from a usbip-vudc UDC (ffs_func_unbind -> usb_ep_dequeue)
hits it and wedges the vudc subsystem.

Fixes: b6a0ca111867 ("usbip: vudc: Add UDC specific ops")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Jipa Alexandru-Ionut <jipaionut@xxxxxxxxx>
---
drivers/usb/usbip/vudc_dev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/usb/usbip/vudc_dev.c b/drivers/usb/usbip/vudc_dev.c
index 100000000000..100000000001 100644
--- a/drivers/usb/usbip/vudc_dev.c
+++ b/drivers/usb/usbip/vudc_dev.c
@@ -344,7 +344,7 @@ static int vep_dequeue(struct usb_ep *_ep, struct usb_request *_req)
ep = to_vep(_ep);
req = to_vrequest(_req);
- udc = req->udc;
+ udc = ep_to_vudc(ep);
if (!udc->driver)
return -ESHUTDOWN;
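Review bot: The one-line swap to `udc = ep_to_vudc(ep);` fixes the dereference, but it leaves the `udc` member of struct vrequest in place even though the commit message establishes it is never assigned; a dead, always-NULL field invites the same bug being reintroduced by the next reader who sees it and assumes it is valid, so consider dropping the member from struct vrequest in this patch or a follow-up (after confirming no other reader remains). Separately, the `index 100000000000..100000000001` line does not look like real blob ids, which will make `git am --3way` unable to fall back on the pre-image; regenerating the patch with `git format-patch` against the actual tree would avoid that.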
--
2.47.0