From mboxrd@z Thu Jan 1 00:00:00 1970 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: base64 Subject: [v2] usb:host: fix divide-by-zero in function fhci_queue_urb From: Greg Kroah-Hartman Message-Id: <20190417194903.GD28125@kroah.com> Date: Wed, 17 Apr 2019 21:49:03 +0200 To: "zhuyan \(M\)" Cc: Alan Stern , "anton@enomsg.org" , "linux-usb@vger.kernel.org" , "linux-kernel@vger.kernel.org" List-ID: T24gV2VkLCBBcHIgMTcsIDIwMTkgYXQgMDU6MDU6MzNQTSArMDAwMCwgemh1eWFuIChNKSB3cm90 ZToKPiBPbiBXZWQsIDE3IEFwciAyMDE5LCBBbGFuIFN0ZXJuIHdyb3RlOgo+IAo+ID4gT24gV2Vk LCAxNyBBcHIgMjAxOSwgemh1eWFuIChNKSB3cm90ZToKPiA+IAo+ID4gPiBPbiBUdWUsIDE2IEFw ciAyMDE5IDExOjA3OjU2IC0wNDAwLCBBbGFuIFN0ZXJuIHdyb3RlOgo+ID4gPiAKPiA+ID4gPiBP biBUdWUsIDE2IEFwciAyMDE5LCB6aHV5YW4gKE0pIHdyb3RlOgo+ID4gPiA+ID4gT24gVHVlLCAx NiBBcHIgMjAxOSBhdCAxMTo0NTo0NSArMDIwMCwgR3JlZyBLSCB3cm90ZToKPiA+ID4gPiA+ID4g T24gVHVlLCBBcHIgMDksIDIwMTkgYXQgMTA6Mzc6MTJQTSArMDgwMCwgemh1eWFuIHdyb3RlOgo+ ID4gPiA+ID4gPiA+IEluIGZ1bmN0aW9uIGZoY2lfcXVldWVfdXJiLCB0aGUgZGl2aXNvciBvZiBl eHByZXNzaW9uIAo+ID4gPiA+ID4gPiA+ICh1cmItPnRyYW5zZmVyX2J1ZmZlcl9sZW5ndGggJSB1 c2JfbWF4cGFja2V0KHVyYi0+ZGV2LCAKPiA+ID4gPiA+ID4gPiB1cmItPnBpcGUsCj4gPiA+ID4g PiA+ID4gdXNiX3BpcGVvdXQodXJiLT5waXBlKSkpIG1heSBiZSB6ZXJvLgo+ID4gPiA+ID4gPiAK PiA+ID4gPiA+ID4gSG93IGNhbiB5b3UgaGl0IHRoYXQ/Cj4gPiA+ID4gPiA+IAo+ID4gPiA+ID4g PiA+IFdoZW4gaXQgaXMgemVybywgdW5leHBlY3RlZCByZXN1bHRzIG1heSBvY2N1ciwgc28gaXQg aXMgCj4gPiA+ID4gPiA+ID4gbmVjZXNzYXJ5IHRvIGVuc3VyZSB0aGF0IHRoZSBkaXZpc29yIGlz IG5vdCB6ZXJvLgo+ID4gPiA+ID4gPiA+IAo+ID4gPiA+ID4gPiA+IFNpZ25lZC1vZmYtYnk6IHpo dXlhbiA8emh1eWFuMzRAaHVhd2VpLmNvbT4KPiA+ID4gPiA+ID4gCj4gPiA+ID4gPiA+IEkgbmVl ZCBhICJGdWxsIiBuYW1lIGhlcmUsIG5vdCBqdXN0IGEgc2luZ2xlIG5hbWUuICBXaGF0ZXZlciB5 b3UgdXNlIHRvIHNpZ24gZG9jdW1lbnRzIGlzIGdvb2QuCj4gPiA+ID4gPiA+IAo+ID4gPiA+ID4g PiB0aGFua3MsCj4gPiA+ID4gPiA+IAo+ID4gPiA+ID4gPiBncmVnIGstaAo+ID4gPiA+ID4gCj4g PiA+ID4gPiBJbiBmdW5jdGlvbiB1c2JfbWF4cGFja2V0LCB3aGVuIGVwIGlzIE5VTEwsIGl0cyBy ZXR1cm4gdmFsdWUgaXMgMC4gIAo+ID4gPiA+IAo+ID4gPiA+IGZoY2lfcXVldWVfdXJiKCkgc2hv dWxkbid0IHVzZSB1cmItPnBpcGUgdG8gY29tcHV0ZSB0aGUgbWF4cGFja2V0IAo+ID4gPiA+IHNp emUgYW55d2F5LiAgSXQgc2hvdWxkIHVzZSB1c2JfZW5kcG9pbnRfbWF4cCgmdXJiLT5lcC0+ZGVz YykuCj4gPiA+IAo+ID4gPiBDdXJyZW50bHksIGZoY2lfcXVldWVfdXJiKCksIGNhbGwgdXNiX21h eHBhY2tldCgpIG11bHRpcGxlIHRpbWVzIHRvIAo+ID4gPiBjYWxjdWxhdGUgIHRoZSBtYXhwYWNr ZXQgc2l6ZS4gVGhlIHVzYl9tYXhwYWNrZXQoKSB3aWxsIGNhbGwgCj4gPiA+IHVzYl9lbmRwb2lu dF9tYXhwKCkgdG8gY29tcHV0ZSB0aGUgbWF4cGFja2V0IHNpemUuCj4gPiAKPiA+IEkga25vdyB0 aGF0LiAgV2hhdCBmaGNpX3F1ZXVlX3VyYigpIGlzIGRvaW5nIGlzIHdyb25nLiAgWW91IHNob3Vs ZCBjaGFuZ2UgaXQ6IAo+ID4gTWFrZSBpdCBjYWxsIHVzYl9lbmRwb2ludF9tYXhwIGRpcmVjdGx5 IGluc3RlYWQgb2YgY2FsbGluZyB1c2JfbWF4cGFja2V0Lgo+ID4gCj4gCj4gPkZyb20gMTk5NjQ1 NmQwY2MxN2I1ZmY3NzQ2YTU5OGZmMzU1YjI1ZDEzZGIzZSBNb24gU2VwIDE3IDAwOjAwOjAwIDIw MDEKPiBGcm9tOiB6aHV5YW4gPHpodXlhbjM0QGh1YXdlaS5jb20+Cj4gRGF0ZTogVGh1LCAxOCBB cHIgMjAxOSAwMDo1MzowMyArMDgwMAo+IFN1YmplY3Q6IFtQQVRDSF0gdXNiOiBob3N0OiBmaXgg ZGl2aWRlLWJ5LXplcm8gaW4gZnVuY3Rpb24gZmhjaV9xdWV1ZV91cmIKPiAKPiBmaGNpX3F1ZXVl X3VyYigpIHNob3VsZG4ndCB1c2UgdXJiLT5waXBlIHRvIGNvbXB1dGUgdGhlIG1heHBhY2tldAo+ IHNpemUgYW55d2F5Lkl0IHNob3VsZCB1c2UgdXNiX2VuZHBvaW50X21heHAoJnVyYi0+ZXAtPmRl c2MpLgo+IAo+IEluIGZ1bmN0aW9uIGZoY2lfcXVldWVfdXJiLCB0aGUgZGl2aXNvciBvZiBleHBy ZXNzaW9uCj4gKHVyYi0+dHJhbnNmZXJfYnVmZmVyX2xlbmd0aCAlIHVzYl9tYXhwYWNrZXQodXJi LT5kZXYsIHVyYi0+cGlwZSwKPiB1c2JfcGlwZW91dCh1cmItPnBpcGUpKSkgbWF5IGJlIHplcm8u IFdoZW4gaXQgaXMgemVybywgdW5leHBlY3RlZCByZXN1bHRzCj4gbWF5IG9jY3VyLCBzbyBpdCBp cyBuZWNlc3NhcnkgdG8gZW5zdXJlIHRoYXQgdGhlIGRpdmlzb3IgaXMgbm90IHplcm8uCj4gCj4g U2lnbmVkLW9mZi1ieTogemh1eWFuIDx6aHV5YW4zNEBodWF3ZWkuY29tPgoKSSBzdGlsbCBuZWVk IGEgZnVsbCBuYW1lIGhlcmUgYW5kIG9uIHRoZSBGcm9tOiBsaW5lIDooCgp0aGFua3MsCgpncmVn IGstaAo= From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.4 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_PASS, T_DKIMWL_WL_HIGH,USER_AGENT_MUTT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 65119C282DA for ; Wed, 17 Apr 2019 19:49:12 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 2EA6E205C9 for ; Wed, 17 Apr 2019 19:49:12 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1555530552; bh=LIfKUoGrsM+QwrdYm+u54524zcfDJvUPW/bsafPuppo=; h=Date:From:To:Cc:Subject:References:In-Reply-To:List-ID:From; b=FJEkF4lsdXFy7KknxnV3mMer2kHx+d9Zmtipfco97o1yesn8Vw9lTrJu4bdL4eJlg PIaFH5NAu8edb8kR0GXAqpnBLC19Q014RRXBAUWtl78SL6OMEW2JPyE7TympISYGzO VXTB6XAwiW02ww2RS/mB/VR77sDLCQXzs593yUaE= Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732913AbfDQTtG (ORCPT ); Wed, 17 Apr 2019 15:49:06 -0400 Received: from mail.kernel.org ([198.145.29.99]:50098 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729779AbfDQTtG (ORCPT ); Wed, 17 Apr 2019 15:49:06 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 17793205C9; Wed, 17 Apr 2019 19:49:04 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1555530545; bh=LIfKUoGrsM+QwrdYm+u54524zcfDJvUPW/bsafPuppo=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=KtAHVKGesQ1yT67p//eq3tjBwVuozoJkYYJalUHQ2sdLn4PjfhGU/07OrqtO/dqas 50fKhzhRxrU7h5zARGrMFxkC4LSm1nKPpplSiQbV8Q7ULXtQJ0bnVkvAoopGOCwiDk lNwohGRvhGR5iHYSTG5/Dssp0ArdYvPS1rWsizHQ= Date: Wed, 17 Apr 2019 21:49:03 +0200 From: Greg KH To: "zhuyan (M)" Cc: Alan Stern , "anton@enomsg.org" , "linux-usb@vger.kernel.org" , "linux-kernel@vger.kernel.org" Subject: Re: [PATCH v2] usb:host: fix divide-by-zero in function fhci_queue_urb Message-ID: <20190417194903.GD28125@kroah.com> References: <63401dc56ae64aa3a428c4bb8a84034e@huawei.com> MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Disposition: inline In-Reply-To: <63401dc56ae64aa3a428c4bb8a84034e@huawei.com> User-Agent: Mutt/1.11.4 (2019-03-13) Sender: linux-usb-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org Message-ID: <20190417194903.d43b0ZECoEFUJL8sxykC_lV8U-UZDzywOa-vgCH_ioU@z> On Wed, Apr 17, 2019 at 05:05:33PM +0000, zhuyan (M) wrote: > On Wed, 17 Apr 2019, Alan Stern wrote: > > > On Wed, 17 Apr 2019, zhuyan (M) wrote: > > > > > On Tue, 16 Apr 2019 11:07:56 -0400, Alan Stern wrote: > > > > > > > On Tue, 16 Apr 2019, zhuyan (M) wrote: > > > > > On Tue, 16 Apr 2019 at 11:45:45 +0200, Greg KH wrote: > > > > > > On Tue, Apr 09, 2019 at 10:37:12PM +0800, zhuyan wrote: > > > > > > > In function fhci_queue_urb, the divisor of expression > > > > > > > (urb->transfer_buffer_length % usb_maxpacket(urb->dev, > > > > > > > urb->pipe, > > > > > > > usb_pipeout(urb->pipe))) may be zero. > > > > > > > > > > > > How can you hit that? > > > > > > > > > > > > > When it is zero, unexpected results may occur, so it is > > > > > > > necessary to ensure that the divisor is not zero. > > > > > > > > > > > > > > Signed-off-by: zhuyan > > > > > > > > > > > > I need a "Full" name here, not just a single name. Whatever you use to sign documents is good. > > > > > > > > > > > > thanks, > > > > > > > > > > > > greg k-h > > > > > > > > > > In function usb_maxpacket, when ep is NULL, its return value is 0. > > > > > > > > fhci_queue_urb() shouldn't use urb->pipe to compute the maxpacket > > > > size anyway. It should use usb_endpoint_maxp(&urb->ep->desc). > > > > > > Currently, fhci_queue_urb(), call usb_maxpacket() multiple times to > > > calculate the maxpacket size. The usb_maxpacket() will call > > > usb_endpoint_maxp() to compute the maxpacket size. > > > > I know that. What fhci_queue_urb() is doing is wrong. You should change it: > > Make it call usb_endpoint_maxp directly instead of calling usb_maxpacket. > > > > >From 1996456d0cc17b5ff7746a598ff355b25d13db3e Mon Sep 17 00:00:00 2001 > From: zhuyan > Date: Thu, 18 Apr 2019 00:53:03 +0800 > Subject: [PATCH] usb: host: fix divide-by-zero in function fhci_queue_urb > > fhci_queue_urb() shouldn't use urb->pipe to compute the maxpacket > size anyway.It should use usb_endpoint_maxp(&urb->ep->desc). > > In function fhci_queue_urb, the divisor of expression > (urb->transfer_buffer_length % usb_maxpacket(urb->dev, urb->pipe, > usb_pipeout(urb->pipe))) may be zero. When it is zero, unexpected results > may occur, so it is necessary to ensure that the divisor is not zero. > > Signed-off-by: zhuyan I still need a full name here and on the From: line :( thanks, greg k-h