Re: [PATCH v2] net/9p: Fix buffer overflow in USB transport layer

[kernel test robot]

Hi Dominique,

kernel test robot noticed the following build errors:

[auto build test ERROR on 74b4cc9b8780bfe8a3992c9ac0033bf22ac01f19]

url:    https://github.com/intel-lab-lkp/linux/commits/Dominique-Martinet-via-B4-Relay/net-9p-Fix-buffer-overflow-in-USB-transport-layer/20250620-052411
base:   74b4cc9b8780bfe8a3992c9ac0033bf22ac01f19
patch link:    https://lore.kernel.org/r/20250620-9p-usb_overflow-v2-1-026c6109c7a1%40codewreck.org
patch subject: [PATCH v2] net/9p: Fix buffer overflow in USB transport layer
config: i386-randconfig-004-20250620 (https://download.01.org/0day-ci/archive/20250620/202506201706.IUsC9LOI-lkp@xxxxxxxxx/config)
compiler: clang version 20.1.2 (https://github.com/llvm/llvm-project 58df0ef89dd64126512e4ee27b4ac3fd8ddf6247)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250620/202506201706.IUsC9LOI-lkp@xxxxxxxxx/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@xxxxxxxxx>
| Closes: https://lore.kernel.org/oe-kbuild-all/202506201706.IUsC9LOI-lkp@xxxxxxxxx/

All errors (new ones prefixed by >>):

>> net/9p/trans_usbg.c:257:23: error: use of undeclared identifier 'req_sizel'; did you mean 'req_size'?
     257 |         p9_rx_req->rc.size = req_sizel;
         |                              ^~~~~~~~~
         |                              req_size
   net/9p/trans_usbg.c:234:15: note: 'req_size' declared here
     234 |         unsigned int req_size = req->actual;
         |                      ^
   1 error generated.


vim +257 net/9p/trans_usbg.c

   228	
   229	static void usb9pfs_rx_complete(struct usb_ep *ep, struct usb_request *req)
   230	{
   231		struct f_usb9pfs *usb9pfs = ep->driver_data;
   232		struct usb_composite_dev *cdev = usb9pfs->function.config->cdev;
   233		struct p9_req_t *p9_rx_req;
   234		unsigned int req_size = req->actual;
   235		int status = REQ_STATUS_RCVD;
   236	
   237		if (req->status) {
   238			dev_err(&cdev->gadget->dev, "%s usb9pfs complete --> %d, %d/%d\n",
   239				ep->name, req->status, req->actual, req->length);
   240			return;
   241		}
   242	
   243		p9_rx_req = usb9pfs_rx_header(usb9pfs, req->buf);
   244		if (!p9_rx_req)
   245			return;
   246	
   247		if (req_size > p9_rx_req->rc.capacity) {
   248			dev_err(&cdev->gadget->dev,
   249				"%s received data size %u exceeds buffer capacity %zu\n",
   250				ep->name, req_size, p9_rx_req->rc.capacity);
   251			req_size = 0;
   252			status = REQ_STATUS_ERROR;
   253		}
   254	
   255		memcpy(p9_rx_req->rc.sdata, req->buf, req_size);
   256	
 > 257		p9_rx_req->rc.size = req_sizel;
   258	
   259		p9_client_cb(usb9pfs->client, p9_rx_req, status);
   260		p9_req_put(usb9pfs->client, p9_rx_req);
   261	
   262		complete(&usb9pfs->received);
   263	}
   264	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki