From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Seungjin Bae <eeodqql09@gmail.com>
Cc: Ingo Molnar <mingo@kernel.org>,
Thomas Gleixner <tglx@linutronix.de>,
Kyungtae Kim <Kyungtae.Kim@dartmouth.edu>,
linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] usb: r8a66597-hcd: fix potential divide-by-zero in prepare_packet_read()
Date: Sun, 11 Jan 2026 08:33:53 +0100 [thread overview]
Message-ID: <2026011117-surrender-dude-9f5b@gregkh> (raw)
In-Reply-To: <CAAsoPpUv_G1Se_z9WRQ_4rHv=tiUW__eHU=03mytkdU9+kW1ag@mail.gmail.com>
On Sun, Jan 11, 2026 at 02:25:54AM -0500, Seungjin Bae wrote:
> 2026년 1월 10일 (토) PM 3:02, Greg Kroah-Hartman <gregkh@linuxfoundation.org>님이
> 작성:
>
> > On Sat, Jan 10, 2026 at 02:22:33PM -0500, pip-izony wrote:
> > > From: Seungjin Bae <eeodqql09@gmail.com>
> > >
> > > The `prepare_packet_read()` function calculates the number of packets
> > > required for a transfer by dividing the transfer buffer length by the
> > > maximum packet size (`td->maxpacket`). The `td->maxpacket` is
> > > initialized in `r8a66597_make_td()` function based on the endpoint
> > > descriptor. However, it does not validate whether `td->maxpacket` is
> > > zero before using it in the `DIV_ROUND_UP` macro.
> > >
> > > If a malicious USB device sends a descriptor with `wMaxPacketSize` set to
> > > 0, it triggers a divide-by-zero exception (kernel panic).
> >
> > Same here, when can this happen, before a device is bound to the device
> > or afterward?
> >
> > thanks,
> >
> > greg k-h
> >
>
> This logic triggers after the driver is bound, specifically during the
> packet preparation phase.
>
> I checked `usb_parse_endpoint()` and confirmed that if `wMaxPacketSize`
> is 0, it only prints a warning and continues the binding process.
> It does not reject the device at that stage.
>
> However, I missed that `usb_submit_urb()` explicitly checks if
> `wMaxPacketSize` is 0 before calling the driver's enqueue function.
> Since the core rejects such requests with -EMSGSIZE, this code path
> is unreachable in practice.
That's great to verify, thanks for checking.
also, when writing a patch that says "this will fix a crash", please
verify that the tool that found this issue is actually correct and not
making things up. We have a lot of bad AI generated bug reports these
days, so be careful as we are getting much more sensitive to this.
thanks,
greg k-h
prev parent reply other threads:[~2026-01-11 7:33 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-10 19:22 [PATCH] usb: r8a66597-hcd: fix potential divide-by-zero in prepare_packet_read() pip-izony
2026-01-10 20:02 ` Greg Kroah-Hartman
[not found] ` <CAAsoPpUv_G1Se_z9WRQ_4rHv=tiUW__eHU=03mytkdU9+kW1ag@mail.gmail.com>
2026-01-11 7:33 ` Greg Kroah-Hartman [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2026011117-surrender-dude-9f5b@gregkh \
--to=gregkh@linuxfoundation.org \
--cc=Kyungtae.Kim@dartmouth.edu \
--cc=eeodqql09@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.