Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp3276226yba; Tue, 16 Apr 2019 08:09:16 -0700 (PDT) X-Google-Smtp-Source: APXvYqw9CKd3/uzXgAsDXFRf6RoRBq/LF8Jlm9kXT5JaGWK8EGuspnUPyZYwog2TjgH9S55SXc2n X-Received: by 2002:a65:4048:: with SMTP id h8mr65986237pgp.6.1555427356064; Tue, 16 Apr 2019 08:09:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1555427356; cv=none; d=google.com; s=arc-20160816; b=xHW8hPcii7+Qr2XzFTR7YgjNCZm5yDpkXCE1MieGVrcivtbvzYFm2XS54mppeHtjc8 FK1ZA0KFO3tBMVPwa0WDPEB6AoWBehLmbtdkW+d/2jkUbGMF59jJmIICzQsyHurR0vPN An792yYge/73tDqWpJDN0s3Wre+zU3WonicdtqiILhh/GOnKoE2AK1GhyH2jhdHDYXIV goUJ4ZXwUQ0/oBGpiP8oOn1/dWcpVF3wJ9mHuZh73Za2y3BTjUGyNlpm6eH5/7MFpnsV Gtt16G4Ks1mDA4F3geleHZ6QdcbKSjtj2ddlLV+CcQBhN/WrwE7ZTy7CdjKQYvOAs6N8 Mj6A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:message-id:in-reply-to :subject:cc:to:from:date; bh=JZC/NigTEYrjRFWMQcVe3kWygHCjbEj0Pwo/HMq6+bA=; b=ahNL5JBL0R3zquAuCxsgr3SZ5UEllnaGIqzoA8Rq/ggiDCmjZqW4803DlP8Rzwdp3T dE5wtbGiuAqDdKGv4Lvn5KnbBqCqPRUdBACk5g71fk7UTEdqvfy1Y41lGU5hE0O0h3AX 0ZyPnvOAq+0HkomfEvNrU1Vb2FeYmWhqRkq6A/w8LJy8ffieJH/BxMQj5EAcbaI15LeK Hi3gjO0dQ8LA+S8ApjYnUQEHUauWkUhIE1BQSyddvAB8RDXgBJ5zbil7YEHFQXGVP99w D2hv//rrYXdP0KJVjoxiiNsvhChuhorA7Hir5dF/xCdLJd97PSKhrWqBwYujPz7ZNHaj JrLw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l66si30299009pfi.62.2019.04.16.08.08.59; Tue, 16 Apr 2019 08:09:16 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729365AbfDPPH5 (ORCPT + 99 others); Tue, 16 Apr 2019 11:07:57 -0400 Received: from iolanthe.rowland.org ([192.131.102.54]:42826 "HELO iolanthe.rowland.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with SMTP id S1725796AbfDPPH5 (ORCPT ); Tue, 16 Apr 2019 11:07:57 -0400 Received: (qmail 5569 invoked by uid 2102); 16 Apr 2019 11:07:56 -0400 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 16 Apr 2019 11:07:56 -0400 Date: Tue, 16 Apr 2019 11:07:56 -0400 (EDT) From: Alan Stern X-X-Sender: stern@iolanthe.rowland.org To: "zhuyan (M)" cc: Greg KH , "anton@enomsg.org" , "linux-usb@vger.kernel.org" , "linux-kernel@vger.kernel.org" Subject: Re: [PATCH] usb:host: fix divide-by-zero in function fhci_queue_urb In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, 16 Apr 2019, zhuyan (M) wrote: > On Tue, 16 Apr 2019 at 11:45:45 +0200, Greg KH wrote: > > On Tue, Apr 09, 2019 at 10:37:12PM +0800, zhuyan wrote: > > > In function fhci_queue_urb, the divisor of expression > > > (urb->transfer_buffer_length % usb_maxpacket(urb->dev, urb->pipe, > > > usb_pipeout(urb->pipe))) may be zero. > > > > How can you hit that? > > > > > When it is zero, unexpected results may occur, so it is necessary to > > > ensure that the divisor is not zero. > > > > > > Signed-off-by: zhuyan > > > > I need a "Full" name here, not just a single name. Whatever you use to sign documents is good. > > > > thanks, > > > > greg k-h > > In function usb_maxpacket, when ep is NULL, its return value is 0. fhci_queue_urb() shouldn't use urb->pipe to compute the maxpacket size anyway. It should use usb_endpoint_maxp(&urb->ep->desc). Alan Stern > Then, in function fhci_queue_urb, the divisor of expression > (urb->transfer_buffer_length % usb_maxpacket(urb->dev, urb->pipe, usb_pipeout(urb->pipe))) > is zero. It will lead to unpredictable results.