Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp392826yba; Thu, 18 Apr 2019 03:08:54 -0700 (PDT) X-Google-Smtp-Source: APXvYqxbNsBFWY4zpa4bPleZ+ThpTeMviQRMdTc4FRyOa7lb857YM6dZNCbMKi2iNP4y4f4GQjV8 X-Received: by 2002:a17:902:7081:: with SMTP id z1mr94994175plk.252.1555582133998; Thu, 18 Apr 2019 03:08:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1555582133; cv=none; d=google.com; s=arc-20160816; b=0Vp0dNprNZB721i4mY8yGHvWuUk48kvAXwi3/HoACQm9sOT1CKeGNUHqoiir9ptrRt iCxw23PYBQP7bjhfgv2wF0cvJcOVscPDzPI4r6mHUZvc0KLr40FG1qWiPNFijynnxH4M LvgGrZTrOvxBeJCjR77o1Eyy8rKNxlhMjBCYN0FzMghQyCnsRFwseJZYdgwj7ROR8unt II1XdFtkk/1YaoOt5GdAsuoZ0ZJY+JiXf0G8FVJ6DYV5j9ZkwWaCs0aDQyk7mSC/QI6b VmKQ2AD3AZFKn5AuXmqzlt33w/WEF+QewXFmKTEiylI+QXUFjLZ0RLqB/jAxKOOXQp/n Q0LA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:content-transfer-encoding :content-language:accept-language:message-id:date:thread-index :thread-topic:subject:cc:to:from; bh=beupzvlGg2Vbu6sN6Cgy9M2omLnEbbTJrJhslZNfnjo=; b=Q9gNkMfTTxggRf1UvObr1jPGjI7b+Td0oQXTvKWNs2UPJ3BgNJ6dCzbmzVO/fTeDLu lRmOMNyMfdUrfE/pa/YbRIXRi0bRByUOu11mGl18yWX2onTuHmPSVojj0BibRS+hga4A CbEXm575fQSOE7aIxpU3CdXERvPpTMC6mWyKz2vdKrwmo+u2RcbyfRGvl8YNpRtsIE3x SZTQ4T3n/3NXCWN94gUBNGjVegHILu4vgz4AEsVMZg58p/bx9yckJ8WGAhoNMFGYvjLQ j3xJc1dsoiB1f/CusV05WqWliCttbY4rHg10nuIPyc86P3UAOTxzs/7M8BW9gzOI5R4B Kpdw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l11si1637758pgg.554.2019.04.18.03.08.37; Thu, 18 Apr 2019 03:08:53 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2388488AbfDRJ6V convert rfc822-to-8bit (ORCPT + 99 others); Thu, 18 Apr 2019 05:58:21 -0400 Received: from szxga01-in.huawei.com ([45.249.212.187]:2921 "EHLO huawei.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1728074AbfDRJ6V (ORCPT ); Thu, 18 Apr 2019 05:58:21 -0400 Received: from DGGEMM406-HUB.china.huawei.com (unknown [172.30.72.57]) by Forcepoint Email with ESMTP id 0E4A5E1A772DA16B629A; Thu, 18 Apr 2019 17:58:19 +0800 (CST) Received: from dggeme759-chm.china.huawei.com (10.3.19.105) by DGGEMM406-HUB.china.huawei.com (10.3.20.214) with Microsoft SMTP Server (TLS) id 14.3.408.0; Thu, 18 Apr 2019 17:58:18 +0800 Received: from dggeme762-chm.china.huawei.com (10.3.19.108) by dggeme759-chm.china.huawei.com (10.3.19.105) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1591.10; Thu, 18 Apr 2019 17:58:17 +0800 Received: from dggeme762-chm.china.huawei.com ([10.8.68.53]) by dggeme762-chm.china.huawei.com ([10.8.68.53]) with mapi id 15.01.1591.008; Thu, 18 Apr 2019 17:58:17 +0800 From: "zhuyan (M)" To: Greg KH CC: Alan Stern , "anton@enomsg.org" , "linux-usb@vger.kernel.org" , "linux-kernel@vger.kernel.org" , "zhuyan (M)" Subject: Re: [PATCH v2] usb:host: fix divide-by-zero in function fhci_queue_urb Thread-Topic: [PATCH v2] usb:host: fix divide-by-zero in function fhci_queue_urb Thread-Index: AdT1zSREg6Rr/q0XRBeXbW3Dz7nOAw== Date: Thu, 18 Apr 2019 09:58:17 +0000 Message-ID: <4634c9459e9840f5aa64ee8b589e6e81@huawei.com> Accept-Language: zh-CN, en-US Content-Language: zh-CN X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.40.99.186] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 8BIT MIME-Version: 1.0 X-CFilter-Loop: Reflected Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 17 Apr 2019 21:49:03 +0200, Greg KH wrote: > On Wed, Apr 17, 2019 at 05:05:33PM +0000, zhuyan (M) wrote: > > On Wed, 17 Apr 2019, Alan Stern wrote: > > > > > On Wed, 17 Apr 2019, zhuyan (M) wrote: > > > > > > > On Tue, 16 Apr 2019 11:07:56 -0400, Alan Stern wrote: > > > > > > > > > On Tue, 16 Apr 2019, zhuyan (M) wrote: > > > > > > On Tue, 16 Apr 2019 at 11:45:45 +0200, Greg KH wrote: > > > > > > > On Tue, Apr 09, 2019 at 10:37:12PM +0800, zhuyan wrote: > > > > > > > > In function fhci_queue_urb, the divisor of expression > > > > > > > > (urb->transfer_buffer_length % usb_maxpacket(urb->dev, > > > > > > > > urb->pipe, > > > > > > > > usb_pipeout(urb->pipe))) may be zero. > > > > > > > > > > > > > > How can you hit that? > > > > > > > > > > > > > > > When it is zero, unexpected results may occur, so it is > > > > > > > > necessary to ensure that the divisor is not zero. > > > > > > > > > > > > > > > > Signed-off-by: zhuyan > > > > > > > > > > > > > > I need a "Full" name here, not just a single name. Whatever you use to sign documents is good. > > > > > > > > > > > > > > thanks, > > > > > > > > > > > > > > greg k-h > > > > > > > > > > > > In function usb_maxpacket, when ep is NULL, its return value is 0. > > > > > > > > > > fhci_queue_urb() shouldn't use urb->pipe to compute the > > > > > maxpacket size anyway. It should use usb_endpoint_maxp(&urb->ep->desc). > > > > > > > > Currently, fhci_queue_urb(), call usb_maxpacket() multiple times > > > > to calculate the maxpacket size. The usb_maxpacket() will call > > > > usb_endpoint_maxp() to compute the maxpacket size. > > > > > > I know that. What fhci_queue_urb() is doing is wrong. You should change it: > > > Make it call usb_endpoint_maxp directly instead of calling usb_maxpacket. > > > > > > > >From 1996456d0cc17b5ff7746a598ff355b25d13db3e Mon Sep 17 00:00:00 > > >2001 > > From: zhuyan > > Date: Thu, 18 Apr 2019 00:53:03 +0800 > > Subject: [PATCH] usb: host: fix divide-by-zero in function > > fhci_queue_urb > > > > fhci_queue_urb() shouldn't use urb->pipe to compute the maxpacket size > > anyway.It should use usb_endpoint_maxp(&urb->ep->desc). > > > > In function fhci_queue_urb, the divisor of expression > > (urb->transfer_buffer_length % usb_maxpacket(urb->dev, urb->pipe, > > usb_pipeout(urb->pipe))) may be zero. When it is zero, unexpected > > results may occur, so it is necessary to ensure that the divisor is not zero. > > > > Signed-off-by: zhuyan > > I still need a full name here and on the From: line :( I am so sorry. I will change it. From 1996456d0cc17b5ff7746a598ff355b25d13db3e Mon Sep 17 00:00:00 2001 From: Yan Zhu Date: Thu, 18 Apr 2019 00:53:03 +0800 Subject: [PATCH] usb: host: fix divide-by-zero in function fhci_queue_urb fhci_queue_urb() shouldn't use urb->pipe to compute the maxpacket size anyway.It should use usb_endpoint_maxp(&urb->ep->desc). In function fhci_queue_urb, the divisor of expression (urb->transfer_buffer_length % usb_maxpacket(urb->dev, urb->pipe, usb_pipeout(urb->pipe))) may be zero. When it is zero, unexpected results may occur, so it is necessary to ensure that the divisor is not zero. Signed-off-by: Yan Zhu --- drivers/usb/host/fhci-sched.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/drivers/usb/host/fhci-sched.c b/drivers/usb/host/fhci-sched.c index 3d12cdd..7dcfe22 100644 --- a/drivers/usb/host/fhci-sched.c +++ b/drivers/usb/host/fhci-sched.c @@ -704,6 +704,7 @@ void fhci_queue_urb(struct fhci_hcd *fhci, struct urb *urb) struct td *td; u8 *data; u16 cnt = 0; + u16 max_pkt_size = 0; if (ed == NULL) { ed = fhci_get_empty_ed(fhci); @@ -727,8 +728,7 @@ void fhci_queue_urb(struct fhci_hcd *fhci, struct urb *urb) } ed->speed = (urb->dev->speed == USB_SPEED_LOW) ? FHCI_LOW_SPEED : FHCI_FULL_SPEED; - ed->max_pkt_size = usb_maxpacket(urb->dev, - urb->pipe, usb_pipeout(urb->pipe)); + ed->max_pkt_size = usb_endpoint_maxp(&urb->ep->desc); urb->ep->hcpriv = ed; fhci_dbg(fhci, "new ep speed=%d max_pkt_size=%d\n", ed->speed, ed->max_pkt_size); @@ -765,11 +765,12 @@ void fhci_queue_urb(struct fhci_hcd *fhci, struct urb *urb) switch (ed->mode) { case FHCI_TF_BULK: + max_pkt_size = usb_endpoint_maxp(&urb->ep->desc); if (urb->transfer_flags & URB_ZERO_PACKET && urb->transfer_buffer_length > 0 && + (max_pkt_size != 0) && ((urb->transfer_buffer_length % - usb_maxpacket(urb->dev, urb->pipe, - usb_pipeout(urb->pipe))) == 0)) + max_pkt_size) == 0)) urb_state = US_BULK0; while (data_len > 4096) { td = fhci_td_fill(fhci, urb, urb_priv, ed, cnt, @@ -807,8 +808,8 @@ void fhci_queue_urb(struct fhci_hcd *fhci, struct urb *urb) break; case FHCI_TF_CTRL: ed->dev_addr = usb_pipedevice(urb->pipe); - ed->max_pkt_size = usb_maxpacket(urb->dev, urb->pipe, - usb_pipeout(urb->pipe)); + ed->max_pkt_size = usb_endpoint_maxp(&urb->ep->desc); + /* setup stage */ td = fhci_td_fill(fhci, urb, urb_priv, ed, cnt++, FHCI_TA_SETUP, USB_TD_TOGGLE_DATA0, urb->setup_packet, 8, 0, 0, true); -- 1.8.5.6