Re: [PATCH v2] net/9p: Fix buffer overflow in USB transport layer

All of lore.kernel.org
 help / color / mirror / Atom feed

From: kernel test robot <lkp@intel.com>
To: Dominique Martinet via B4 Relay
	<devnull+asmadeus.codewreck.org@kernel.org>,
	Eric Van Hensbergen <ericvh@kernel.org>,
	Latchesar Ionkov <lucho@ionkov.net>,
	Christian Schoenebeck <linux_oss@crudebyte.com>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Michael Grzeschik <m.grzeschik@pengutronix.de>
Cc: llvm@lists.linux.dev, oe-kbuild-all@lists.linux.dev,
	stable@vger.kernel.org, Yuhao Jiang <danisjiang@gmail.com>,
	v9fs@lists.linux.dev, linux-kernel@vger.kernel.org,
	Dominique Martinet <asmadeus@codewreck.org>
Subject: Re: [PATCH v2] net/9p: Fix buffer overflow in USB transport layer
Date: Fri, 20 Jun 2025 18:02:52 +0800	[thread overview]
Message-ID: <202506201706.IUsC9LOI-lkp@intel.com> (raw)
In-Reply-To: <20250620-9p-usb_overflow-v2-1-026c6109c7a1@codewreck.org>

Hi Dominique,

kernel test robot noticed the following build errors:

[auto build test ERROR on 74b4cc9b8780bfe8a3992c9ac0033bf22ac01f19]

url:    https://github.com/intel-lab-lkp/linux/commits/Dominique-Martinet-via-B4-Relay/net-9p-Fix-buffer-overflow-in-USB-transport-layer/20250620-052411
base:   74b4cc9b8780bfe8a3992c9ac0033bf22ac01f19
patch link:    https://lore.kernel.org/r/20250620-9p-usb_overflow-v2-1-026c6109c7a1%40codewreck.org
patch subject: [PATCH v2] net/9p: Fix buffer overflow in USB transport layer
config: i386-randconfig-004-20250620 (https://download.01.org/0day-ci/archive/20250620/202506201706.IUsC9LOI-lkp@intel.com/config)
compiler: clang version 20.1.2 (https://github.com/llvm/llvm-project 58df0ef89dd64126512e4ee27b4ac3fd8ddf6247)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250620/202506201706.IUsC9LOI-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202506201706.IUsC9LOI-lkp@intel.com/

All errors (new ones prefixed by >>):

>> net/9p/trans_usbg.c:257:23: error: use of undeclared identifier 'req_sizel'; did you mean 'req_size'?
     257 |         p9_rx_req->rc.size = req_sizel;
         |                              ^~~~~~~~~
         |                              req_size
   net/9p/trans_usbg.c:234:15: note: 'req_size' declared here
     234 |         unsigned int req_size = req->actual;
         |                      ^
   1 error generated.


vim +257 net/9p/trans_usbg.c

   228	
   229	static void usb9pfs_rx_complete(struct usb_ep *ep, struct usb_request *req)
   230	{
   231		struct f_usb9pfs *usb9pfs = ep->driver_data;
   232		struct usb_composite_dev *cdev = usb9pfs->function.config->cdev;
   233		struct p9_req_t *p9_rx_req;
   234		unsigned int req_size = req->actual;
   235		int status = REQ_STATUS_RCVD;
   236	
   237		if (req->status) {
   238			dev_err(&cdev->gadget->dev, "%s usb9pfs complete --> %d, %d/%d\n",
   239				ep->name, req->status, req->actual, req->length);
   240			return;
   241		}
   242	
   243		p9_rx_req = usb9pfs_rx_header(usb9pfs, req->buf);
   244		if (!p9_rx_req)
   245			return;
   246	
   247		if (req_size > p9_rx_req->rc.capacity) {
   248			dev_err(&cdev->gadget->dev,
   249				"%s received data size %u exceeds buffer capacity %zu\n",
   250				ep->name, req_size, p9_rx_req->rc.capacity);
   251			req_size = 0;
   252			status = REQ_STATUS_ERROR;
   253		}
   254	
   255		memcpy(p9_rx_req->rc.sdata, req->buf, req_size);
   256	
 > 257		p9_rx_req->rc.size = req_sizel;
   258	
   259		p9_client_cb(usb9pfs->client, p9_rx_req, status);
   260		p9_req_put(usb9pfs->client, p9_rx_req);
   261	
   262		complete(&usb9pfs->received);
   263	}
   264	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

     prev parent reply	other threads:[~2025-06-20 10:03 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-06-19 21:22 [PATCH v2] net/9p: Fix buffer overflow in USB transport layer Dominique Martinet
2025-06-19 21:22 ` Dominique Martinet via B4 Relay
2025-06-20  4:56 ` Greg Kroah-Hartman
2025-06-22 20:33   ` Dominique Martinet
2025-06-20 10:02 ` kernel test robot [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=202506201706.IUsC9LOI-lkp@intel.com \
    --to=lkp@intel.com \
    --cc=asmadeus@codewreck.org \
    --cc=danisjiang@gmail.com \
    --cc=devnull+asmadeus.codewreck.org@kernel.org \
    --cc=ericvh@kernel.org \
    --cc=gregkh@linuxfoundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux_oss@crudebyte.com \
    --cc=llvm@lists.linux.dev \
    --cc=lucho@ionkov.net \
    --cc=m.grzeschik@pengutronix.de \
    --cc=oe-kbuild-all@lists.linux.dev \
    --cc=stable@vger.kernel.org \
    --cc=v9fs@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.