1. Patchew
  2. linux
  3. View series

[PATCH] USB: core: replace memdup_user with memdup_array_user in proc_do_submiturb

Thorsten Blum posted 1 patch 4 months, 2 weeks ago 
drivers/usb/core/devio.c | 14 +++++---------
1 file changed, 5 insertions(+), 9 deletions(-)
[PATCH] USB: core: replace memdup_user with memdup_array_user in proc_do_submiturb
Posted by Thorsten Blum 4 months, 2 weeks ago 
Use memdup_array_user() instead of memdup_user() in proc_do_submiturb().
Compared to memdup_user(), memdup_array_user() automatically checks for
multiplication overflow. Remove the obsolete local variable 'isofrmlen'.

Return early if an error occurs instead of manually setting 'ret' and
using 'goto error'.

No functional changes intended.

Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
---
 drivers/usb/core/devio.c | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
index f6ce6e26e0d4..a259fb6d6292 100644
--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -1624,7 +1624,7 @@ static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb
 	struct usb_host_endpoint *ep;
 	struct async *as = NULL;
 	struct usb_ctrlrequest *dr = NULL;
-	unsigned int u, totlen, isofrmlen;
+	unsigned int u, totlen;
 	int i, ret, num_sgs = 0, ifnum = -1;
 	int number_of_packets = 0;
 	unsigned int stream_id = 0;
@@ -1745,14 +1745,10 @@ static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb
 		if (!usb_endpoint_xfer_isoc(&ep->desc))
 			return -EINVAL;
 		number_of_packets = uurb->number_of_packets;
-		isofrmlen = sizeof(struct usbdevfs_iso_packet_desc) *
-				   number_of_packets;
-		isopkt = memdup_user(iso_frame_desc, isofrmlen);
-		if (IS_ERR(isopkt)) {
-			ret = PTR_ERR(isopkt);
-			isopkt = NULL;
-			goto error;
-		}
+		isopkt = memdup_array_user(iso_frame_desc, number_of_packets,
+				sizeof(struct usbdevfs_iso_packet_desc));
+		if (IS_ERR(isopkt))
+			return PTR_ERR(isopkt);
 		for (totlen = u = 0; u < number_of_packets; u++) {
 			/*
 			 * arbitrary limit need for USB 3.1 Gen2
-- 
2.51.0
Re: [PATCH] USB: core: replace memdup_user with memdup_array_user in proc_do_submiturb
Posted by Greg Kroah-Hartman 4 months ago 
On Fri, Sep 19, 2025 at 02:25:57PM +0200, Thorsten Blum wrote:
> Use memdup_array_user() instead of memdup_user() in proc_do_submiturb().
> Compared to memdup_user(), memdup_array_user() automatically checks for
> multiplication overflow. Remove the obsolete local variable 'isofrmlen'.

But there is no chance for overflow here, right?

I'm all for using "proper" functions, but there is no need to go and
rewrite existing code for them if you can't test the results.  Did you
test this?

> Return early if an error occurs instead of manually setting 'ret' and
> using 'goto error'.

There is no need to do that, please leave the code flow alone as we
"know" it works properly as-is.

> No functional changes intended.

"intended", but did you succeed?  :)

Testing is good, please do that.

thanks,

greg k-h

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.