[PATCH] usb: raw_gadget: validate io length in raw_alloc_io_data()

From: Gopi Krishna Menon
Date: Sat Oct 25 2025 - 11:18:56 EST

Next message: Zi Yan: "Re: [PATCH v3 1/4] mm/huge_memory: preserve PG_has_hwpoisoned if a folio is split to >0 order"
Previous message: Akira Yokosawa: "Re: [PATCH v3 0/8] Collect documentation-related tools under /tools/docs"
In reply to: Gopi Krishna Menon: "[PATCH] usb: raw_gadget: validate io length in raw_alloc_io_data()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Not checking the io buffer length can allow very large allocations
which cannot be handled by the allocators and can result in warning by
the allocators. Therefore for sizes larger than KMALLOC_MAX_SIZE we
return -EINVAL.

For testing

Signed-off-by: Gopi Krishna Menon <krishnagopi487@xxxxxxxxx>
---
drivers/usb/gadget/legacy/raw_gadget.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/drivers/usb/gadget/legacy/raw_gadget.c b/drivers/usb/gadget/legacy/raw_gadget.c
index b71680c58de6..c922ab42b0ca 100644
--- a/drivers/usb/gadget/legacy/raw_gadget.c
+++ b/drivers/usb/gadget/legacy/raw_gadget.c
@@ -667,6 +667,8 @@ static void *raw_alloc_io_data(struct usb_raw_ep_io *io, void __user *ptr,
return ERR_PTR(-EINVAL);
if (!usb_raw_io_flags_valid(io->flags))
return ERR_PTR(-EINVAL);
+ if (io->length > KMALLOC_MAX_SIZE)
+ return ERR_PTR(-EINVAL);
if (get_from_user)
data = memdup_user(ptr + sizeof(*io), io->length);
else {
--
2.43.0

--ovxwxiyonj66htjx--

Next message: Zi Yan: "Re: [PATCH v3 1/4] mm/huge_memory: preserve PG_has_hwpoisoned if a folio is split to >0 order"
Previous message: Akira Yokosawa: "Re: [PATCH v3 0/8] Collect documentation-related tools under /tools/docs"
In reply to: Gopi Krishna Menon: "[PATCH] usb: raw_gadget: validate io length in raw_alloc_io_data()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]