>From 06149314c2d71c1a6481db9a0fba98d4509cde6a Mon Sep 17 00:00:00 2001 From: Gopi Krishna Menon Date: Sat, 25 Oct 2025 18:55:45 +0530 Subject: [PATCH] usb: raw_gadget: validate io length in raw_alloc_io_data() Since the maximum packet size of the endpoint descriptor is a 16 bit field, we can make sure that the io->length is never greater than 65535 bytes. For testing in syzbot Signed-off-by: Gopi Krishna Menon --- drivers/usb/gadget/legacy/raw_gadget.c | 2 ++ include/uapi/linux/usb/raw_gadget.h | 3 +++ 2 files changed, 5 insertions(+) diff --git a/drivers/usb/gadget/legacy/raw_gadget.c b/drivers/usb/gadget/legacy/raw_gadget.c index b71680c58de6..00f5e697d321 100644 --- a/drivers/usb/gadget/legacy/raw_gadget.c +++ b/drivers/usb/gadget/legacy/raw_gadget.c @@ -667,6 +667,8 @@ static void *raw_alloc_io_data(struct usb_raw_ep_io *io, void __user *ptr, return ERR_PTR(-EINVAL); if (!usb_raw_io_flags_valid(io->flags)) return ERR_PTR(-EINVAL); + if (io->length > USB_RAW_IO_MAX_LENGTH) + return ERR_PTR(-EINVAL); if (get_from_user) data = memdup_user(ptr + sizeof(*io), io->length); else { diff --git a/include/uapi/linux/usb/raw_gadget.h b/include/uapi/linux/usb/raw_gadget.h index f0224a8dc858..effe8a543c75 100644 --- a/include/uapi/linux/usb/raw_gadget.h +++ b/include/uapi/linux/usb/raw_gadget.h @@ -106,6 +106,9 @@ struct usb_raw_ep_io { /* Maximum number of non-control endpoints in struct usb_raw_eps_info. */ #define USB_RAW_EPS_NUM_MAX 30 +/* Maximum length for raw endpoint IO */ +#define USB_RAW_IO_MAX_LENGTH 65535 + /* Maximum length of UDC endpoint name in struct usb_raw_ep_info. */ #define USB_RAW_EP_NAME_MAX 16 -- 2.43.0