Re: [net-next v38] mctp pcc: Implement MCTP over PCC Transport

Next message: Edward Adam Davis: "Re: [syzbot] [cgroups?] KASAN: slab-use-after-free Read in pressure_write"
Previous message: Binbin Wu: "Re: [PATCH v2] KVM: TDX: Fix x2APIC MSR handling in tdx_has_emulated_msr()"
In reply to: Jakub Kicinski: "Re: [net-next v38] mctp pcc: Implement MCTP over PCC Transport"
Next in thread: Jakub Kicinski: "Re: [net-next v38] mctp pcc: Implement MCTP over PCC Transport"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jeremy Kerr

Date: Sun Apr 12 2026 - 22:15:23 EST

Hi Adam,

> > + memcpy_toio(outbox->chan->shmem, skb->data, skb->len);
>
> Is it possible to read out of bounds here if the skb is fragmented?
>
> The skb->data pointer only points to the linear portion of the packet, while
> skb->len represents the total packet length including page fragments.
> skb_cow_head() does not linearize the packet, so a call to skb_linearize()
> might be needed before copying.

I assume that we should only be seeing linear skbs here, as the driver
does not advertise NETIF_F_FRAGLIST or NETIF_F_SG.

(that said, this could support fragmented skbs quite easily, but that
would be more suitable for a follow-up change)

Cheers,

Jeremy