Re: [PATCH v3] net/9p: Fix buffer overflow in USB transport layer
From: asmadeus
Date: Sun Jun 22 2025 - 17:37:41 EST
Christian Schoenebeck wrote on Sun, Jun 22, 2025 at 11:20:21PM +0200:
> On Sunday, June 22, 2025 10:39:29 PM CEST asmadeus@xxxxxxxxxxxxx wrote:
> [...]
> > (... And this made me realize commit 60ece0833b6c ("net/9p: allocate
> > appropriate reduced message buffers") likely broke everything for
> > 9p/rdma 3 years ago, as rdma is swapping buffers around...
> > I guess it doesn't have (m)any users...)
>
> That patch contains an RDMA exception:

Oh, thanks for pointing that out!

BTW I just tried __counted_by and it's not obvious because it's not
allocated with the fcall (fcall structs themselves are allocated in the
req, and each fcall gets a data buffer).

For everything other than RDMA it shouldn't be too difficult to bubble
the allocation up (fcall+data as a flexible array as a pointer in req),
but then with large "round" msizes we'd get into the next power of two
buckets so I think it's probably better to keep as is.
(.. that and I wouldn't look forward to reworking the buffer swapping logic
with RDMA, even if it should be straightforward enough with a couple of
container_of()s...)

Perhaps when/if counted_by learns to apply to pointers:
---
.../include/net/9p/9p.h:558:13: error: ‘counted_by’ attribute is not allowed for a non-array field
558 | u8 *sdata __counted_by(capacity);
| ^~~~~
make[3]: *** [.../scripts/Makefile.build:287: trans_xen.o] Error 1
In file included from client.c:22:
---
Thanks,
--
Dominique Martinet | Asmadeus
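
Added example, not part of the original message and not kernel code: a userspace C model of the trade-off described above, where the data buffer becomes a flexible array member (the only form counted_by accepts) and a "round" msize plus the header lands in the next power-of-two bucket. The names fcall_flex, COUNTED_BY, bucket_size, fcall_flex_alloc and flex_slack are hypothetical, and plain power-of-two rounding is an assumption standing in for the allocator buckets.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* counted_by is accepted on flexible array members only; expand to
 * nothing on compilers that do not know the attribute. */
#if defined(__has_attribute)
# if __has_attribute(counted_by)
#  define COUNTED_BY(m) __attribute__((counted_by(m)))
# endif
#endif
#ifndef COUNTED_BY
# define COUNTED_BY(m)
#endif

/* Hypothetical combined layout: header and payload in one allocation. */
struct fcall_flex {
	size_t capacity;
	uint8_t sdata[] COUNTED_BY(capacity);
};

/* Assumed bucket model: smallest power of two >= n, or 0 if none fits. */
static size_t bucket_size(size_t n)
{
	size_t b = 1;

	while (b && b < n)
		b <<= 1;
	return b;
}

/* Allocate header plus payload; capacity is set before sdata is used. */
static struct fcall_flex *fcall_flex_alloc(size_t capacity)
{
	struct fcall_flex *fc;

	if (capacity > SIZE_MAX - sizeof(*fc))
		return NULL;
	fc = calloc(1, sizeof(*fc) + capacity);
	if (fc)
		fc->capacity = capacity;
	return fc;
}

/* Bytes wasted by bucket rounding when the header shares the allocation. */
static size_t flex_slack(size_t msize)
{
	size_t need = sizeof(struct fcall_flex) + msize;
	return bucket_size(need) - need;
}
```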