Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp4460932yba; Wed, 17 Apr 2019 12:00:39 -0700 (PDT) X-Google-Smtp-Source: APXvYqyzHUrc/+qjjdw1Xshzfne+BqdfTn+g26zy4ECUIo1V8/aVUltSxeY6w/2so1TgThC8iPfj X-Received: by 2002:a62:a219:: with SMTP id m25mr92613036pff.197.1555527639272; Wed, 17 Apr 2019 12:00:39 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1555527639; cv=none; d=google.com; s=arc-20160816; b=w+gsb5U0QHD5WcoIYYLKAZqNfwRx9MpCZd0TUUp3Oj6a2vrxQNQfnV2UheBlHoo3g9 v5Bq3h/fSTjloSVznbin9NNKoqsFq0u0jZn4FhLP7PQb3OeL/xMq5HX9lMejBq4s7rK0 gksL2JQfKlRKNCXwdGMD75SYm9VpGKCutQbm5ASZlRZugpydbuyhfPTAiH/Pgp6Ej7bf rZKQ+7iWRarudaqGXnPkIm0rp5NKZp8e+s84PDf8RzpG2wGY6FuIdwhGTMtctPrKaQAP INctnAkp7PSODP414/cBxwtotPMnj3O0clAjLLDdMsH82D9AEWV1Wl9MOp0/72QYMO3h keaw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:message-id:in-reply-to :subject:cc:to:from:date; bh=WolzWkK+5XaBN0x1N2arH1HpnEMSAYfOfyGJyYmdzdE=; b=Jk7SqROKQTZx/5nUv0xaamQVr8CQ7Y5LtKFaGcS5mBk+RHDnNmpQOpu4cF8w6R+GeK XqUD9cJ42HuLR2XD7enNTSSma4UIeZba8nOgYu0VjAOBQT7UaHAOXTjFbO+/u1gLav+W Jc3PP7krDBO19Q5CUd2WRnaEzha8/74+AB2n8q60U8bw50o8HYVF/gzAIOQJfRyOuTC0 CX2WFFFRWxDud/VPmwMk4MPoYh06wNeoU7wOrZMivj5iaXosUxUCDEmdcnbPyJP1lXUP uoJvxG6wJzTJsjgt4i5f645lfgTAw8vXnbemV9MW8KGwLl/g4bJ9++XKA54MDMMuwY/a tc/w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h191si33938452pge.342.2019.04.17.12.00.23; Wed, 17 Apr 2019 12:00:39 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732767AbfDQS72 (ORCPT + 99 others); Wed, 17 Apr 2019 14:59:28 -0400 Received: from iolanthe.rowland.org ([192.131.102.54]:59158 "HELO iolanthe.rowland.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with SMTP id S1732549AbfDQS72 (ORCPT ); Wed, 17 Apr 2019 14:59:28 -0400 Received: (qmail 3392 invoked by uid 2102); 17 Apr 2019 14:59:27 -0400 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 17 Apr 2019 14:59:27 -0400 Date: Wed, 17 Apr 2019 14:59:27 -0400 (EDT) From: Alan Stern X-X-Sender: stern@iolanthe.rowland.org To: "zhuyan (M)" cc: Greg KH , "anton@enomsg.org" , "linux-usb@vger.kernel.org" , "linux-kernel@vger.kernel.org" Subject: Re: [PATCH v2] usb:host: fix divide-by-zero in function fhci_queue_urb In-Reply-To: <63401dc56ae64aa3a428c4bb8a84034e@huawei.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 17 Apr 2019, zhuyan (M) wrote: > On Wed, 17 Apr 2019, Alan Stern wrote: > > > On Wed, 17 Apr 2019, zhuyan (M) wrote: > > > > > On Tue, 16 Apr 2019 11:07:56 -0400, Alan Stern wrote: > > > > > > > On Tue, 16 Apr 2019, zhuyan (M) wrote: > > > > > On Tue, 16 Apr 2019 at 11:45:45 +0200, Greg KH wrote: > > > > > > On Tue, Apr 09, 2019 at 10:37:12PM +0800, zhuyan wrote: > > > > > > > In function fhci_queue_urb, the divisor of expression > > > > > > > (urb->transfer_buffer_length % usb_maxpacket(urb->dev, > > > > > > > urb->pipe, > > > > > > > usb_pipeout(urb->pipe))) may be zero. > > > > > > > > > > > > How can you hit that? > > > > > > > > > > > > > When it is zero, unexpected results may occur, so it is > > > > > > > necessary to ensure that the divisor is not zero. > > > > > > > > > > > > > > Signed-off-by: zhuyan > > > > > > > > > > > > I need a "Full" name here, not just a single name. Whatever you use to sign documents is good. > > > > > > > > > > > > thanks, > > > > > > > > > > > > greg k-h > > > > > > > > > > In function usb_maxpacket, when ep is NULL, its return value is 0. > > > > > > > > fhci_queue_urb() shouldn't use urb->pipe to compute the maxpacket > > > > size anyway. It should use usb_endpoint_maxp(&urb->ep->desc). > > > > > > Currently, fhci_queue_urb(), call usb_maxpacket() multiple times to > > > calculate the maxpacket size. The usb_maxpacket() will call > > > usb_endpoint_maxp() to compute the maxpacket size. > > > > I know that. What fhci_queue_urb() is doing is wrong. You should change it: > > Make it call usb_endpoint_maxp directly instead of calling usb_maxpacket. > > > > From 1996456d0cc17b5ff7746a598ff355b25d13db3e Mon Sep 17 00:00:00 2001 > From: zhuyan > Date: Thu, 18 Apr 2019 00:53:03 +0800 > Subject: [PATCH] usb: host: fix divide-by-zero in function fhci_queue_urb > > fhci_queue_urb() shouldn't use urb->pipe to compute the maxpacket > size anyway.It should use usb_endpoint_maxp(&urb->ep->desc). > > In function fhci_queue_urb, the divisor of expression > (urb->transfer_buffer_length % usb_maxpacket(urb->dev, urb->pipe, > usb_pipeout(urb->pipe))) may be zero. When it is zero, unexpected results > may occur, so it is necessary to ensure that the divisor is not zero. > > Signed-off-by: zhuyan > --- > drivers/usb/host/fhci-sched.c | 13 +++++++------ > 1 file changed, 7 insertions(+), 6 deletions(-) > > diff --git a/drivers/usb/host/fhci-sched.c b/drivers/usb/host/fhci-sched.c > index 3d12cdd..7dcfe22 100644 > --- a/drivers/usb/host/fhci-sched.c > +++ b/drivers/usb/host/fhci-sched.c > @@ -704,6 +704,7 @@ void fhci_queue_urb(struct fhci_hcd *fhci, struct urb *urb) > struct td *td; > u8 *data; > u16 cnt = 0; > + u16 max_pkt_size = 0; > > if (ed == NULL) { > ed = fhci_get_empty_ed(fhci); > @@ -727,8 +728,7 @@ void fhci_queue_urb(struct fhci_hcd *fhci, struct urb *urb) > } > ed->speed = (urb->dev->speed == USB_SPEED_LOW) ? > FHCI_LOW_SPEED : FHCI_FULL_SPEED; > - ed->max_pkt_size = usb_maxpacket(urb->dev, > - urb->pipe, usb_pipeout(urb->pipe)); > + ed->max_pkt_size = usb_endpoint_maxp(&urb->ep->desc); > urb->ep->hcpriv = ed; > fhci_dbg(fhci, "new ep speed=%d max_pkt_size=%d\n", > ed->speed, ed->max_pkt_size); > @@ -765,11 +765,12 @@ void fhci_queue_urb(struct fhci_hcd *fhci, struct urb *urb) > > switch (ed->mode) { > case FHCI_TF_BULK: > + max_pkt_size = usb_endpoint_maxp(&urb->ep->desc); > if (urb->transfer_flags & URB_ZERO_PACKET && > urb->transfer_buffer_length > 0 && > + (max_pkt_size != 0) && Now you shouldn't need to add this extra test. Alan Stern > ((urb->transfer_buffer_length % > - usb_maxpacket(urb->dev, urb->pipe, > - usb_pipeout(urb->pipe))) == 0)) > + max_pkt_size) == 0)) > urb_state = US_BULK0; > while (data_len > 4096) { > td = fhci_td_fill(fhci, urb, urb_priv, ed, cnt, > @@ -807,8 +808,8 @@ void fhci_queue_urb(struct fhci_hcd *fhci, struct urb *urb) > break; > case FHCI_TF_CTRL: > ed->dev_addr = usb_pipedevice(urb->pipe); > - ed->max_pkt_size = usb_maxpacket(urb->dev, urb->pipe, > - usb_pipeout(urb->pipe)); > + ed->max_pkt_size = usb_endpoint_maxp(&urb->ep->desc); > + > /* setup stage */ > td = fhci_td_fill(fhci, urb, urb_priv, ed, cnt++, FHCI_TA_SETUP, > USB_TD_TOGGLE_DATA0, urb->setup_packet, 8, 0, 0, true);