From: pip-izony
To: Mathias Nyman, Greg Kroah-Hartman
Cc: Seungjin Bae, Kyungtae Kim, Reyad Attiyat, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] usb: xhci: fix potential divide-by-zero in xhci_urb_enqueue()
Date: Sat, 10 Jan 2026 13:34:21 -0500
Message-ID: <20260110183421.23758-1-eeodqql09@gmail.com>

From: Seungjin Bae

The `xhci_urb_enqueue()` validates Bulk OUT transfers by checking if the
buffer length is a multiple of the packet size. However, it doesn't check
whether the endpoint's `wMaxPacketSize` is zero before using it as a
divisor in a modulo operation.

If a malicious USB device sends a descriptor with `wMaxPacketSize` set to
0, it triggers a divide-by-zero exception (kernel panic). This allows an
attacker with physical access to crash the system, leading to a Denial of
Service.

Fix this by adding a check to ensure `wMaxPacketSize` is greater than 0
before performing the modulo operation.

Fixes: 4758dcd19a7d ("usb: xhci: Add support for URB_ZERO_PACKET to bulk/sg transfers")
Signed-off-by: Seungjin Bae
---
 drivers/usb/host/xhci.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c index 0cb45b95e4f5..f22ee6cc3083 100644 --- a/drivers/usb/host/xhci.c +++ b/drivers/usb/host/xhci.c @@ -1621,15 +1621,18 @@ static int xhci_urb_enqueue(struct usb_hcd *hcd, st= ruct urb *urb, gfp_t mem_flag unsigned int *ep_state; struct urb_priv *urb_priv; int num_tds; + int maxp; =20 ep_index =3D xhci_get_endpoint_index(&urb->ep->desc); + maxp =3D usb_endpoint_maxp(&urb->ep->desc); =20 if (usb_endpoint_xfer_isoc(&urb->ep->desc)) num_tds =3D urb->number_of_packets; else if (usb_endpoint_is_bulk_out(&urb->ep->desc) && urb->transfer_buffer_length > 0 && urb->transfer_flags & URB_ZERO_PACKET && - !(urb->transfer_buffer_length % usb_endpoint_maxp(&urb->ep->desc))) + maxp > 0 && + !(urb->transfer_buffer_length % maxp)) num_tds =3D 2; else num_tds =3D 1; --=20 2.43.0
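
Review bot: in the bulk OUT branch of the `num_tds` selection, `maxp > 0 &&` only skips the modulo, so an URB for an endpoint whose `wMaxPacketSize` is 0 falls through to `num_tds = 1` and continues through the rest of `xhci_urb_enqueue()` as an ordinary transfer. If a zero max packet size is never valid for a bulk endpoint here, consider rejecting the URB with an error at this point rather than accepting it, or explain in the commit message why queuing it with a single TD is safe. The commit message also carries no call trace or reproducer; it would help to state how such an URB reaches the host controller driver, and whether the USB core's submission path can already filter it, so maintainers can judge whether the check belongs in this function. Minor: `maxp` is now computed for every URB, including the isochronous case that never reads it, which is harmless but worth a brief comment at the assignment.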