>From ec93e88de10f0c0b02645e9caedad75323cf767c Mon Sep 17 00:00:00 2001 From: Gopi Krishna Menon Date: Sat, 25 Oct 2025 20:48:56 +0530 Subject: [PATCH] usb: raw_gadget: validate io length in raw_alloc_io_data() Not checking the io buffer length can allow very large allocations which cannot be handled by the allocators and can result in warning by the allocators. Therefore for sizes larger than KMALLOC_MAX_SIZE we return -EINVAL. For testing Signed-off-by: Gopi Krishna Menon --- drivers/usb/gadget/legacy/raw_gadget.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/usb/gadget/legacy/raw_gadget.c b/drivers/usb/gadget/legacy/raw_gadget.c index b71680c58de6..c922ab42b0ca 100644 --- a/drivers/usb/gadget/legacy/raw_gadget.c +++ b/drivers/usb/gadget/legacy/raw_gadget.c @@ -667,6 +667,8 @@ static void *raw_alloc_io_data(struct usb_raw_ep_io *io, void __user *ptr, return ERR_PTR(-EINVAL); if (!usb_raw_io_flags_valid(io->flags)) return ERR_PTR(-EINVAL); + if (io->length > KMALLOC_MAX_SIZE) + return ERR_PTR(-EINVAL); if (get_from_user) data = memdup_user(ptr + sizeof(*io), io->length); else { -- 2.43.0