Re: [PATCH] usb: r8a66597-hcd: fix potential divide-by-zero in prepare_packet_read()

Next message: Martin Blumenstingl: "[PATCH 0/3] Add Mali-G31 GPU to Amlogic Meson-S4"
Previous message: Greg Kroah-Hartman: "Re: [PATCH] usb: xhci: fix potential divide-by-zero in xhci_urb_enqueue()"
In reply to: pip-izony: "[PATCH] usb: r8a66597-hcd: fix potential divide-by-zero in prepare_packet_read()"
Next in thread: Greg Kroah-Hartman: "Re: [PATCH] usb: r8a66597-hcd: fix potential divide-by-zero in prepare_packet_read()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Greg Kroah-Hartman

Date: Sat Jan 10 2026 - 15:02:43 EST

On Sat, Jan 10, 2026 at 02:22:33PM -0500, pip-izony wrote:
> From: Seungjin Bae <eeodqql09@xxxxxxxxx>
>
> The `prepare_packet_read()` function calculates the number of packets
> required for a transfer by dividing the transfer buffer length by the
> maximum packet size (`td->maxpacket`). The `td->maxpacket` is
> initialized in `r8a66597_make_td()` function based on the endpoint
> descriptor. However, it does not validate whether `td->maxpacket` is
> zero before using it in the `DIV_ROUND_UP` macro.
>
> If a malicious USB device sends a descriptor with `wMaxPacketSize` set to
> 0, it triggers a divide-by-zero exception (kernel panic).

Same here, when can this happen, before a device is bound to the device
or afterward?

thanks,

greg k-h