* [PATCH] usb: raw-gadget: cap raw_io transfer length to KMALLOC_MAX_SIZE
@ 2025-10-28 16:56 Gopi Krishna Menon
From: Gopi Krishna Menon @ 2025-10-28 16:56 UTC
To: andreyknvl, gregkh
Cc: Gopi Krishna Menon, snovitoll, linux-usb, linux-kernel, skhan,
david.hunter.linux, khalid, linux-kernel-mentees,
syzbot+d8fd35fa6177afa8c92b
The previous commit removed the PAGE_SIZE limit on the transfer length of
the raw_io buffer in order to avoid any problems with emulating USB devices
whose full configuration descriptor exceeds PAGE_SIZE in length. However,
this also removes the upper bound on the user-supplied length, allowing very
large values to be passed to the allocator.
syzbot, on fuzzing the transfer length with a very large value (1.81GB),
caused kmalloc() to fall back to the page allocator, which triggers
a kernel warning as the page allocator cannot handle allocations larger
than MAX_PAGE_ORDER/KMALLOC_MAX_SIZE.
Since there is no limit imposed on the buffer size for either control
or non-control transfers, cap the raw_io transfer length to
KMALLOC_MAX_SIZE and return -EINVAL for larger transfer lengths to
prevent any warnings from the page allocator.
Fixes: 37b9dd0d114a ("usb: raw-gadget: do not limit transfer length")
Tested-by: syzbot+d8fd35fa6177afa8c92b@syzkaller.appspotmail.com
Reported-by: syzbot+d8fd35fa6177afa8c92b@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/68fc07a0.a70a0220.3bf6c6.01ab.GAE@google.com/
Signed-off-by: Gopi Krishna Menon <krishnagopi487@gmail.com>
---
drivers/usb/gadget/legacy/raw_gadget.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/usb/gadget/legacy/raw_gadget.c b/drivers/usb/gadget/legacy/raw_gadget.c
index b71680c58de6..46f343ba48b3 100644
--- a/drivers/usb/gadget/legacy/raw_gadget.c
+++ b/drivers/usb/gadget/legacy/raw_gadget.c
@@ -40,6 +40,7 @@ MODULE_LICENSE("GPL");
static DEFINE_IDA(driver_id_numbers);
#define DRIVER_DRIVER_NAME_LENGTH_MAX 32
+#define USB_RAW_IO_LENGTH_MAX KMALLOC_MAX_SIZE
#define RAW_EVENT_QUEUE_SIZE 16
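Review bot: the new USB_RAW_IO_LENGTH_MAX define would benefit from a one-line comment stating why this particular bound was chosen, since the reason (the largest size kmalloc() serves without falling back to the page allocator and warning) lives only in the commit message; something like `/* Largest buffer kmalloc() can serve without a page-allocator fallback */` above the define. Also worth noting in that comment that KMALLOC_MAX_SIZE is configuration-dependent, so the effective cap seen by userspace is not a fixed byte count across kernels.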
@@ -667,6 +668,8 @@ static void *raw_alloc_io_data(struct usb_raw_ep_io *io, void __user *ptr,
return ERR_PTR(-EINVAL);
if (!usb_raw_io_flags_valid(io->flags))
return ERR_PTR(-EINVAL);
+ if (io->length > USB_RAW_IO_LENGTH_MAX)
+ return ERR_PTR(-EINVAL);
if (get_from_user)
data = memdup_user(ptr + sizeof(*io), io->length);
else {
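Review bot: the length check is correctly placed before `memdup_user(ptr + sizeof(*io), io->length)` and before the `else` branch, so both the copy-from-user and the allocate-only paths are bounded. Two things to consider: returning -EINVAL makes an oversized length indistinguishable from an invalid flags value for a userspace caller, so an errno such as -EMSGSIZE or -E2BIG may be more informative; and the hunk adds no comment, so a short note next to the check that it exists to keep the allocation within kmalloc's range would help the next reader.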
--
2.43.0
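A userspace model of the validation this patch adds, written here as an added example and not part of the patch or the raw-gadget driver. The struct layout, the flag mask, and the stand-in for KMALLOC_MAX_SIZE are assumptions chosen for the example (the real constant is architecture- and configuration-dependent), and the 1.81GB figure from the report is approximated. It shows the ordering that matters for the fix: the length is checked against the cap before any allocation or copy takes place, a length exactly at the cap is still accepted, and an invalid flags value is rejected independently of the length.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the kernel's KMALLOC_MAX_SIZE (assumption:
 * 4 MiB). The real value depends on MAX_PAGE_ORDER and the page size. */
#define MODEL_KMALLOC_MAX_SIZE   (4UL << 20)
#define USB_RAW_IO_LENGTH_MAX    MODEL_KMALLOC_MAX_SIZE

/* Assumed flag definitions: a single defined flag and its mask. */
#define USB_RAW_IO_FLAGS_ZERO    0x0001
#define USB_RAW_IO_FLAGS_MASK    0x0001

/* Assumed layout of the ioctl argument: fixed header plus payload. */
struct usb_raw_ep_io {
	uint16_t ep;
	uint16_t flags;
	uint32_t length;
	uint8_t  data[];
};

static int usb_raw_io_flags_valid(uint16_t flags)
{
	return (flags & ~USB_RAW_IO_FLAGS_MASK) == 0;
}

/* Model of raw_alloc_io_data(): validate first, allocate and copy only
 * afterwards. Returns 0 and sets *out, or a negative errno. */
static int model_alloc_io_data(const struct usb_raw_ep_io *io, uint8_t **out)
{
	*out = NULL;
	if (!usb_raw_io_flags_valid(io->flags))
		return -EINVAL;
	/* The cap the patch introduces: an oversized length never reaches
	 * the allocator, so the page-allocator fallback cannot be triggered. */
	if (io->length > USB_RAW_IO_LENGTH_MAX)
		return -EINVAL;
	uint8_t *buf = malloc(io->length ? io->length : 1);
	if (!buf)
		return -ENOMEM;
	memcpy(buf, io->data, io->length);
	*out = buf;
	return 0;
}

/* Builds a request with the given header fields and runs it through the
 * model. The payload is only materialised when the length is within the
 * cap, because a rejected request never reaches the copy. */
static int probe_length(uint32_t length, uint16_t flags)
{
	size_t payload = length <= USB_RAW_IO_LENGTH_MAX ? length : 0;
	struct usb_raw_ep_io *io = malloc(sizeof(*io) + payload);
	if (!io)
		return -ENOMEM;
	io->ep = 1;
	io->flags = flags;
	io->length = length;
	memset(io->data, 0xA5, payload);

	uint8_t *buf;
	int ret = model_alloc_io_data(io, &buf);
	if (ret == 0) {
		/* Sanity check that the accepted path copied the whole payload. */
		if (length && buf[length - 1] != 0xA5)
			ret = -EIO;
		free(buf);
	}
	free(io);
	return ret;
}

int main(void)
{
	/* Approximation of the ~1.81GB length from the syzbot report. */
	const uint32_t reported = 1810000000u;

	printf("1.81GB request : %d\n", probe_length(reported, 0));
	printf("exactly the cap: %d\n", probe_length(USB_RAW_IO_LENGTH_MAX, 0));
	printf("cap + 1        : %d\n", probe_length(USB_RAW_IO_LENGTH_MAX + 1, 0));
	printf("bad flags      : %d\n", probe_length(16, 0x8000));
	return 0;
}
```

The check order mirrors the hunk: flags, then length, then the allocation. Keeping the cap as a named constant rather than a literal makes it easy to confirm in review that every allocation path shares the same bound.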
* Re: [PATCH] usb: raw-gadget: cap raw_io transfer length to KMALLOC_MAX_SIZE
@ 2025-10-28 20:15 ` Andrey Konovalov
From: Andrey Konovalov @ 2025-10-28 20:15 UTC
To: Gopi Krishna Menon
Cc: gregkh, snovitoll, linux-usb, linux-kernel, skhan,
david.hunter.linux, khalid, linux-kernel-mentees,
syzbot+d8fd35fa6177afa8c92b
On Tue, Oct 28, 2025 at 5:57 PM Gopi Krishna Menon
<krishnagopi487@gmail.com> wrote:
>
> The previous commit removed the PAGE_SIZE limit on the transfer length of
> the raw_io buffer in order to avoid any problems with emulating USB devices
> whose full configuration descriptor exceeds PAGE_SIZE in length. However,
> this also removes the upper bound on the user-supplied length, allowing very
> large values to be passed to the allocator.
>
> syzbot, on fuzzing the transfer length with a very large value (1.81GB),
> caused kmalloc() to fall back to the page allocator, which triggers
> a kernel warning as the page allocator cannot handle allocations larger
> than MAX_PAGE_ORDER/KMALLOC_MAX_SIZE.
Ah, right.
>
> Since there is no limit imposed on the buffer size for either control
> or non-control transfers, cap the raw_io transfer length to
> KMALLOC_MAX_SIZE and return -EINVAL for larger transfer lengths to
> prevent any warnings from the page allocator.
>
> Fixes: 37b9dd0d114a ("usb: raw-gadget: do not limit transfer length")
> Tested-by: syzbot+d8fd35fa6177afa8c92b@syzkaller.appspotmail.com
> Reported-by: syzbot+d8fd35fa6177afa8c92b@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/all/68fc07a0.a70a0220.3bf6c6.01ab.GAE@google.com/
> Signed-off-by: Gopi Krishna Menon <krishnagopi487@gmail.com>
> ---
> drivers/usb/gadget/legacy/raw_gadget.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/drivers/usb/gadget/legacy/raw_gadget.c b/drivers/usb/gadget/legacy/raw_gadget.c
> index b71680c58de6..46f343ba48b3 100644
> --- a/drivers/usb/gadget/legacy/raw_gadget.c
> +++ b/drivers/usb/gadget/legacy/raw_gadget.c
> @@ -40,6 +40,7 @@ MODULE_LICENSE("GPL");
>
> static DEFINE_IDA(driver_id_numbers);
> #define DRIVER_DRIVER_NAME_LENGTH_MAX 32
> +#define USB_RAW_IO_LENGTH_MAX KMALLOC_MAX_SIZE
>
> #define RAW_EVENT_QUEUE_SIZE 16
>
> @@ -667,6 +668,8 @@ static void *raw_alloc_io_data(struct usb_raw_ep_io *io, void __user *ptr,
> return ERR_PTR(-EINVAL);
> if (!usb_raw_io_flags_valid(io->flags))
> return ERR_PTR(-EINVAL);
> + if (io->length > USB_RAW_IO_LENGTH_MAX)
> + return ERR_PTR(-EINVAL);
> if (get_from_user)
> data = memdup_user(ptr + sizeof(*io), io->length);
> else {
> --
> 2.43.0
>
Reviewed-by: Andrey Konovalov <andreyknvl@gmail.com>
Thank you!
* Re: [PATCH] usb: raw-gadget: cap raw_io transfer length to KMALLOC_MAX_SIZE
@ 2025-11-13 16:39 ` Gopi Krishna Menon
From: Gopi Krishna Menon @ 2025-11-13 16:39 UTC
To: Andrey Konovalov
Cc: gregkh, snovitoll, linux-usb, linux-kernel, skhan,
david.hunter.linux, khalid, linux-kernel-mentees,
syzbot+d8fd35fa6177afa8c92b
On Tue, Oct 28, 2025 at 09:15:47PM +0100, Andrey Konovalov wrote:
> On Tue, Oct 28, 2025 at 5:57 PM Gopi Krishna Menon
> <krishnagopi487@gmail.com> wrote:
> >
> > The previous commit removed the PAGE_SIZE limit on the transfer length of
> > the raw_io buffer in order to avoid any problems with emulating USB devices
> > whose full configuration descriptor exceeds PAGE_SIZE in length. However,
> > this also removes the upper bound on the user-supplied length, allowing very
> > large values to be passed to the allocator.
> >
> > syzbot, on fuzzing the transfer length with a very large value (1.81GB),
> > caused kmalloc() to fall back to the page allocator, which triggers
> > a kernel warning as the page allocator cannot handle allocations larger
> > than MAX_PAGE_ORDER/KMALLOC_MAX_SIZE.
>
> Ah, right.
>
> >
> > Since there is no limit imposed on the buffer size for either control
> > or non-control transfers, cap the raw_io transfer length to
> > KMALLOC_MAX_SIZE and return -EINVAL for larger transfer lengths to
> > prevent any warnings from the page allocator.
> >
> > Fixes: 37b9dd0d114a ("usb: raw-gadget: do not limit transfer length")
> > Tested-by: syzbot+d8fd35fa6177afa8c92b@syzkaller.appspotmail.com
> > Reported-by: syzbot+d8fd35fa6177afa8c92b@syzkaller.appspotmail.com
> > Closes: https://lore.kernel.org/all/68fc07a0.a70a0220.3bf6c6.01ab.GAE@google.com/
> > Signed-off-by: Gopi Krishna Menon <krishnagopi487@gmail.com>
> > ---
> > drivers/usb/gadget/legacy/raw_gadget.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/drivers/usb/gadget/legacy/raw_gadget.c b/drivers/usb/gadget/legacy/raw_gadget.c
> > index b71680c58de6..46f343ba48b3 100644
> > --- a/drivers/usb/gadget/legacy/raw_gadget.c
> > +++ b/drivers/usb/gadget/legacy/raw_gadget.c
> > @@ -40,6 +40,7 @@ MODULE_LICENSE("GPL");
> >
> > static DEFINE_IDA(driver_id_numbers);
> > #define DRIVER_DRIVER_NAME_LENGTH_MAX 32
> > +#define USB_RAW_IO_LENGTH_MAX KMALLOC_MAX_SIZE
> >
> > #define RAW_EVENT_QUEUE_SIZE 16
> >
> > @@ -667,6 +668,8 @@ static void *raw_alloc_io_data(struct usb_raw_ep_io *io, void __user *ptr,
> > return ERR_PTR(-EINVAL);
> > if (!usb_raw_io_flags_valid(io->flags))
> > return ERR_PTR(-EINVAL);
> > + if (io->length > USB_RAW_IO_LENGTH_MAX)
> > + return ERR_PTR(-EINVAL);
> > if (get_from_user)
> > data = memdup_user(ptr + sizeof(*io), io->length);
> > else {
> > --
> > 2.43.0
> >
>
> Reviewed-by: Andrey Konovalov <andreyknvl@gmail.com>
>
> Thank you!
Hi,
Just following up on this patch to check its status.
Thanks again to Andrey Konovalov for the earlier review. Please let me
know if any further changes are required from my side.
Thanks,
Gopi Krishna Menon
* Re: [PATCH] usb: raw-gadget: cap raw_io transfer length to KMALLOC_MAX_SIZE
@ 2025-11-20 10:07 ` Gopi Krishna Menon
From: Gopi Krishna Menon @ 2025-11-20 10:07 UTC
To: andreyknvl, gregkh
Cc: gregkh, snovitoll, linux-usb, linux-kernel, skhan,
david.hunter.linux, khalid, linux-kernel-mentees,
syzbot+d8fd35fa6177afa8c92b
On Thu, Nov 13, 2025 at 10:09:08PM +0530, Gopi Krishna Menon wrote:
> On Tue, Oct 28, 2025 at 09:15:47PM +0100, Andrey Konovalov wrote:
>
> > On Tue, Oct 28, 2025 at 5:57 PM Gopi Krishna Menon
> > <krishnagopi487@gmail.com> wrote:
> > >
> > > The previous commit removed the PAGE_SIZE limit on the transfer length of
> > > the raw_io buffer in order to avoid any problems with emulating USB devices
> > > whose full configuration descriptor exceeds PAGE_SIZE in length. However,
> > > this also removes the upper bound on the user-supplied length, allowing very
> > > large values to be passed to the allocator.
> > >
> > > syzbot, on fuzzing the transfer length with a very large value (1.81GB),
> > > caused kmalloc() to fall back to the page allocator, which triggers
> > > a kernel warning as the page allocator cannot handle allocations larger
> > > than MAX_PAGE_ORDER/KMALLOC_MAX_SIZE.
> >
> > Ah, right.
> >
> > >
> > > Since there is no limit imposed on the buffer size for either control
> > > or non-control transfers, cap the raw_io transfer length to
> > > KMALLOC_MAX_SIZE and return -EINVAL for larger transfer lengths to
> > > prevent any warnings from the page allocator.
> > >
> > > Fixes: 37b9dd0d114a ("usb: raw-gadget: do not limit transfer length")
> > > Tested-by: syzbot+d8fd35fa6177afa8c92b@syzkaller.appspotmail.com
> > > Reported-by: syzbot+d8fd35fa6177afa8c92b@syzkaller.appspotmail.com
> > > Closes: https://lore.kernel.org/all/68fc07a0.a70a0220.3bf6c6.01ab.GAE@google.com/
> > > Signed-off-by: Gopi Krishna Menon <krishnagopi487@gmail.com>
> > > ---
> > > drivers/usb/gadget/legacy/raw_gadget.c | 3 +++
> > > 1 file changed, 3 insertions(+)
> > >
> > > diff --git a/drivers/usb/gadget/legacy/raw_gadget.c b/drivers/usb/gadget/legacy/raw_gadget.c
> > > index b71680c58de6..46f343ba48b3 100644
> > > --- a/drivers/usb/gadget/legacy/raw_gadget.c
> > > +++ b/drivers/usb/gadget/legacy/raw_gadget.c
> > > @@ -40,6 +40,7 @@ MODULE_LICENSE("GPL");
> > >
> > > static DEFINE_IDA(driver_id_numbers);
> > > #define DRIVER_DRIVER_NAME_LENGTH_MAX 32
> > > +#define USB_RAW_IO_LENGTH_MAX KMALLOC_MAX_SIZE
> > >
> > > #define RAW_EVENT_QUEUE_SIZE 16
> > >
> > > @@ -667,6 +668,8 @@ static void *raw_alloc_io_data(struct usb_raw_ep_io *io, void __user *ptr,
> > > return ERR_PTR(-EINVAL);
> > > if (!usb_raw_io_flags_valid(io->flags))
> > > return ERR_PTR(-EINVAL);
> > > + if (io->length > USB_RAW_IO_LENGTH_MAX)
> > > + return ERR_PTR(-EINVAL);
> > > if (get_from_user)
> > > data = memdup_user(ptr + sizeof(*io), io->length);
> > > else {
> > > --
> > > 2.43.0
> > >
> >
> > Reviewed-by: Andrey Konovalov <andreyknvl@gmail.com>
> >
> > Thank you!
>
> Hi,
>
> Just following up on this patch to check its status.
> Thanks again to Andrey Konovalov for the earlier review. Please let me
> know if any further changes are required from my side.
>
> Thanks,
> Gopi Krishna Menon
Hi Greg,
Could you please take a look at this patch?
Thanks,
Gopi Krishna Menon