From: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> commit 54f83b8c8ea9b22082a496deadf90447a326954e upstream. Endpoints with a maxpacket length of 0 are probably useless. They can't transfer any data, and it's not at all unlikely that a UDC will crash or hang when trying to handle a non-zero-length usb_request for such an endpoint. Indeed, dummy-hcd gets a divide error when trying to calculate the remainder of a transfer length by the maxpacket value, as discovered by the syzbot fuzzer. Currently the gadget core does not check for endpoints having a maxpacket value of 0. This patch adds a check to usb_ep_enable(), preventing such endpoints from being used. As far as I know, none of the gadget drivers in the kernel tries to create an endpoint with maxpacket = 0, but until now there has been nothing to prevent userspace programs under gadgetfs or configfs from doing it. Signed-off-by: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> Reported-and-tested-by: syzbot+8ab8bf161038a8768553@xxxxxxxxxxxxxxxxxxxxxxxxx CC: <stable@xxxxxxxxxxxxxxx> Acked-by: Felipe Balbi <balbi@xxxxxxxxxx> Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.1910281052370.1485-100000@xxxxxxxxxxxxxxxxxxxx Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- include/linux/usb/gadget.h | 10 ++++++++++ 1 file changed, 10 insertions(+) --- a/include/linux/usb/gadget.h +++ b/include/linux/usb/gadget.h @@ -270,6 +270,16 @@ static inline int usb_ep_enable(struct u if (ep->enabled) return 0; + /* UDC drivers can't handle endpoints with maxpacket size 0 */ + if (usb_endpoint_maxp(ep->desc) == 0) { + /* + * We should log an error message here, but we can't call + * dev_err() because there's no way to find the gadget + * given only ep. + */ + return -EINVAL; + } + ret = ep->ops->enable(ep, ep->desc); if (ret) return ret;