Re: [PATCH] hw/usb/hcd-dwc2: fix divide-by-zero in dwc2_handle_packet()
From: Paul Zimmerman
Subject: Re: [PATCH] hw/usb/hcd-dwc2: fix divide-by-zero in dwc2_handle_packet()
Date: Tue, 13 Oct 2020 00:19:40 -0700
Hi Gerd,
On Tue, Oct 13, 2020 at 12:04 AM Gerd Hoffmann <kraxel@redhat.com> wrote:
>
> > > + if (mps == 0) {
> > > + qemu_log_mask(LOG_GUEST_ERROR,
> > > + "%s: Bad HCCHAR_MPS set to zero\n", __func__);
> > > + return;
> > > + }
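Review bot: the zero check sits only at the point where mps is about to be used as a divisor; since the value is guest-controlled, it should be rejected immediately after it is read out of HCCHAR, before it is copied into tlen or p->mps, so that no other code path ever sees a zero. The hunk also logs and returns without flagging any error condition, so the commit message should say what state that leaves the channel in (presumably it just stops being serviced) and whether the guest gets any indication.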
>
> > I think it would be better to move this check earlier in the function,
> > just after 'mps' is read from the register. Otherwise it can get
> > assigned to 'tlen' and 'p->mps', and who knows what mischief an
> > invalid value there might cause.
>
> Makes sense. While being at it maybe handle len > DWC2_MAX_XFER_SIZE
> the same way, the assert looks like it can be triggered by the guest.
I sent you a patch to fix up several assert()s, including that one, about a
month ago. Did you miss it?
https://lore.kernel.org/qemu-devel/20200920021449.830-1-pauldzim@gmail.com
> Also: What would be the effect of simply returning here? Would dwc2
> emulation simply stop processing queues? Should we maybe raise an
> error IRQ?
Not entirely sure, I imagine the emulation will just stop working. I can
test it tomorrow. Also, can you give me a hint what an error IRQ is?
Is that a Qemu thing, or do you mean we should emulate what the
real core does in this case?
> What will real dwc2 hardware do in this case?
No idea. I don't think it's mentioned in the manual.
-Paul
> take care,
> Gerd
>
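The pattern the thread converges on (validate a guest-supplied register field right after reading it, log a guest error instead of asserting, and only then let the value flow into other variables or a division) is shown below as an added example. This is not QEMU's hcd-dwc2 code: the register layout, the HCCHAR_MPS_MASK and MAX_XFER_SIZE constants, and the plan_transfer/npkts_for functions are all hypothetical, and fprintf stands in for qemu_log_mask(LOG_GUEST_ERROR, ...).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical layout: the low 11 bits of the channel characteristics
 * register carry the max packet size (mps). Assumed, not the real HCCHAR. */
#define HCCHAR_MPS_MASK 0x7ffU
/* Assumed upper bound on a single transfer, playing the role of
 * DWC2_MAX_XFER_SIZE from the thread. */
#define MAX_XFER_SIZE   65535U

typedef struct {
    uint32_t mps;    /* validated max packet size */
    uint32_t npkts;  /* number of packets needed to move len bytes */
} xfer_plan_t;

/* Returns true and fills *out when the guest-supplied values are sane.
 * Returns false (after logging) otherwise. Nothing is divided by mps and
 * nothing is stored into *out until every check has passed, so a bad
 * value can never leak into other state the way an unchecked tlen or
 * p->mps assignment would. */
bool plan_transfer(uint32_t hcchar, uint32_t len, xfer_plan_t *out)
{
    uint32_t mps = hcchar & HCCHAR_MPS_MASK;

    /* Validate immediately after the register read, before the value is
     * copied anywhere else. A guest can write anything here, so this is a
     * logged guest error, not an assert(). */
    if (mps == 0) {
        fprintf(stderr, "%s: Bad HCCHAR_MPS set to zero\n", __func__);
        return false;
    }

    /* Same treatment for the transfer length: guest-controlled input must
     * not be able to trip an assert in the device model. */
    if (len > MAX_XFER_SIZE) {
        fprintf(stderr, "%s: transfer length %u exceeds %u\n",
                __func__, len, MAX_XFER_SIZE);
        return false;
    }

    out->mps = mps;
    out->npkts = (len + mps - 1) / mps;   /* safe: mps != 0 here */
    if (out->npkts == 0) {
        out->npkts = 1;                   /* zero-length transfer still takes one packet */
    }
    return true;
}

/* Convenience wrapper: packet count for the transfer, or 0 when the
 * inputs were rejected. */
uint32_t npkts_for(uint32_t hcchar, uint32_t len)
{
    xfer_plan_t p;
    return plan_transfer(hcchar, len, &p) ? p.npkts : 0;
}

int main(void)
{
    /* Constructed inputs: a zero mps (rejected), a normal 64-byte mps,
     * and an oversized length (rejected). */
    printf("mps=0,  len=64    -> npkts=%u\n", npkts_for(0, 64));
    printf("mps=64, len=100   -> npkts=%u\n", npkts_for(64, 100));
    printf("mps=8,  len=70000 -> npkts=%u\n", npkts_for(8, 70000));
    return 0;
}
```

The point of the ordering is that the only place mps can be observed after the early return is inside plan_transfer, so neither the caller nor any struct it fills in can carry a zero forward into a later division.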