On Mon, Oct 18, 2021 at 9:04 PM Eric Dumazet <eric.dumazet@xxxxxxxxx> wrote:
> On 10/18/21 8:31 PM, Wan Jiabing wrote:
> > --- a/drivers/net/wireless/marvell/mwifiex/usb.c
> > +++ b/drivers/net/wireless/marvell/mwifiex/usb.c
> > @@ -693,7 +693,7 @@ static int mwifiex_write_data_sync(struct mwifiex_adapter *adapter, u8 *pbuf,
> > struct usb_card_rec *card = adapter->card;
> > int actual_length, ret;
> >
> > - if (!(*len % card->bulk_out_maxpktsize))
> > + if (card->bulk_out_maxpktsize && !(*len % card->bulk_out_maxpktsize))
> >
> Are you sure this fix is not working around the real bug ?
>
> In which cases bulk_out_maxpktsize would be zero ?
>
> If this is a valid case, this needs to be explained in the changelog.

I'm with Eric here.

This was a bug reported by a fuzzer, which throws invalid input at the driver. The right answer is likely that we should reject such invalid input when we receive it -- i.e., we should fail to probe() the device if it has invalid capabilities. In particular, we should fail to probe if wMaxPacketSize==0.

I was thinking of sending such a patch myself, but I don't have any USB mwifiex hardware to test, so I deferred. It's probably pretty low risk anyway, though.

Brian
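
Review bot: in the `if` inside mwifiex_write_data_sync(), the added `card->bulk_out_maxpktsize &&` test stops the modulo by zero, but nothing in the hunk says when bulk_out_maxpktsize can be 0, and with a zero value the branch is now skipped silently. If zero is never a valid packet size, reject it where bulk_out_maxpktsize is set and leave this condition as `!(*len % card->bulk_out_maxpktsize)`. If zero is valid, add a comment on this line and explain the case in the changelog.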
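
The probe-time rejection suggested in the reply above, as an added userspace example that is not code from the thread or from the mwifiex driver. `probe_bulk_out`, the constant names and the `sample_*` arrays are hypothetical; the byte layout is the standard USB endpoint descriptor, and the size is taken from bits 10..0 of wMaxPacketSize.

```c
#include <stddef.h>
#include <stdint.h>

/* Endpoint descriptor bytes: bLength, bDescriptorType, bEndpointAddress,
 * bmAttributes, wMaxPacketSize (little-endian, 2 bytes), bInterval. */
#define DT_ENDPOINT   0x05
#define EP_DIR_IN     0x80
#define EP_XFER_MASK  0x03
#define EP_XFER_BULK  0x02

/* Constructed sample data: an interface descriptor plus one bulk OUT endpoint. */
static const uint8_t sample_good[] = { 9, 0x04, 0, 0, 1, 0xff, 0, 0, 0,
                                       7, 0x05, 0x02, 0x02, 0x00, 0x02, 0 };
static const uint8_t sample_zero[] = { 9, 0x04, 0, 0, 1, 0xff, 0, 0, 0,
                                       7, 0x05, 0x02, 0x02, 0x00, 0x00, 0 };

/* Hypothetical probe-time check. Returns 0 and sets *maxpkt only when a bulk
 * OUT endpoint with a non-zero packet size exists; returns -1 for malformed
 * data, a zero-sized bulk OUT endpoint, or no bulk OUT endpoint at all. */
int probe_bulk_out(const uint8_t *buf, size_t len, uint16_t *maxpkt)
{
    int found = 0;
    size_t off = 0;

    while (off + 2 <= len) {
        const uint8_t *d = buf + off;
        size_t dlen = d[0];
        if (dlen < 2 || dlen > len - off)
            return -1;                  /* truncated or non-advancing descriptor */
        if (d[1] == DT_ENDPOINT) {
            if (dlen < 7)
                return -1;
            if (!(d[2] & EP_DIR_IN) && (d[3] & EP_XFER_MASK) == EP_XFER_BULK) {
                uint16_t size = (uint16_t)((d[4] | (d[5] << 8)) & 0x07ff);
                if (size == 0)
                    return -1;          /* fail probe; no guard needed at the '%' */
                *maxpkt = size;
                found = 1;
            }
        }
        off += dlen;
    }
    return found ? 0 : -1;
}

int main(void)
{
    uint16_t m = 0;
    return probe_bulk_out(sample_good, sizeof sample_good, &m) == 0 &&
           probe_bulk_out(sample_zero, sizeof sample_zero, &m) == -1 ? 0 : 1;
}
```

Once a device with a zero-sized endpoint is refused at this stage, later code that divides by the stored packet size never sees zero.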