
Untitled

a guest
Jul 23rd, 2018
  1. diff --git a/net/9p/client.c b/net/9p/client.c
  2. index 18c5271910dc..a765ddad2337 100644
  3. --- a/net/9p/client.c
  4. +++ b/net/9p/client.c
  5. @@ -477,20 +477,11 @@ p9_parse_header(struct p9_fcall *pdu, int32_t *size, int8_t *type, int16_t *tag,
  6. int err;
  7.  
  8. pdu->offset = 0;
  9. - if (pdu->size == 0)
  10. - pdu->size = 7;
  11.  
  12. err = p9pdu_readf(pdu, 0, "dbw", &r_size, &r_type, &r_tag);
  13. if (err)
  14. goto rewind_and_exit;
  15.  
  16. - pdu->size = r_size;
  17. - pdu->id = r_type;
  18. - pdu->tag = r_tag;
  19. -
  20. - p9_debug(P9_DEBUG_9P, "<<< size=%d type: %d tag: %d\n",
  21. - pdu->size, pdu->id, pdu->tag);
  22. -
  23. if (type)
  24. *type = r_type;
  25. if (tag)
  26. @@ -498,6 +489,16 @@ p9_parse_header(struct p9_fcall *pdu, int32_t *size, int8_t *type, int16_t *tag,
  27. if (size)
  28. *size = r_size;
  29.  
  30. + if (pdu->size != r_size || r_size < 7) {
  31. + err = -EINVAL;
  32. + goto rewind_and_exit;
  33. + }
  34. +
  35. + pdu->id = r_type;
  36. + pdu->tag = r_tag;
  37. +
  38. + p9_debug(P9_DEBUG_9P, "<<< size=%d type: %d tag: %d\n",
  39. + pdu->size, pdu->id, pdu->tag);
  40.  
  41. rewind_and_exit:
  42. if (rewind)
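Review bot: The new length check sits after the stores to `*size`, `*type` and `*tag`, so a caller that gets -EINVAL has already had its out-parameters overwritten with unvalidated header fields. The ordering also matters for the trans_fd.c hunk, which passes `&m->rc.size` as `size`: by the time the check runs, `*size = r_size` has already updated `pdu->size`, so `pdu->size != r_size` can never be true and only `r_size < 7` is enforced on that path. If that aliasing is intended, say so above the check, e.g. `/* callers may pass &pdu->size as size; only the lower bound applies to them */`, and note that such callers must bound the length themselves. p9_parse_header begins and ends outside this hunk, so the declared types of `r_size` and `pdu->size` are not visible here.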
  43. @@ -524,6 +525,12 @@ static int p9_check_errors(struct p9_client *c, struct p9_req_t *req)
  44. int ecode;
  45.  
  46. err = p9_parse_header(req->rc, NULL, &type, NULL, 0);
  47. + if (req->rc->size >= c->msize) {
  48. + p9_debug(P9_DEBUG_ERROR,
  49. + "requested packet size too big: %d\n",
  50. + pdu->size);
  51. + return -EIO;
  52. + }
  53. /*
  54. * dump the response from server
  55. * This should be after check errors which poplulate pdu_fcall.
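Review bot: The added debug call prints `pdu->size`, but no `pdu` is visible in p9_check_errors (the condition itself uses `req->rc->size`), so unless a local is declared outside the hunk this will not compile. The argument was presumably meant to be `req->rc->size`. The size test also runs before `err` from p9_parse_header is looked at, so when both fail the parse error is masked by -EIO; checking `err` first keeps the more specific code. The rest of p9_check_errors, including its existing `err` handling, is outside the hunk.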
  56. @@ -1575,7 +1582,7 @@ p9_client_read(struct p9_fid *fid, u64 offset, struct iov_iter *to, int *err)
  57. int count = iov_iter_count(to);
  58. int rsize, non_zc = 0;
  59. char *dataptr;
  60. -
  61. +
  62. rsize = fid->iounit;
  63. if (!rsize || rsize > clnt->msize-P9_IOHDRSZ)
  64. rsize = clnt->msize - P9_IOHDRSZ;
  65. diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
  66. index 588bf88c3305..fadf9b43a287 100644
  67. --- a/net/9p/trans_fd.c
  68. +++ b/net/9p/trans_fd.c
  69. @@ -324,7 +324,9 @@ static void p9_read_work(struct work_struct *work)
  70. if ((!m->req) && (m->rc.offset == m->rc.capacity)) {
  71. p9_debug(P9_DEBUG_TRANS, "got new header\n");
  72.  
  73. - err = p9_parse_header(&m->rc, NULL, NULL, NULL, 0);
  74. + /* Header size */
  75. + m->rc.size = 7;
  76. + err = p9_parse_header(&m->rc, &m->rc.size, NULL, NULL, 0);
  77. if (err) {
  78. p9_debug(P9_DEBUG_ERROR,
  79. "error parsing header: %d\n", err);
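Review bot: The literal `7` here and the `r_size < 7` test in the client.c p9_parse_header hunk encode the same header length (4-byte size, 1-byte type, 2-byte tag, matching the "dbw" format) in two places; a shared named constant would keep them from drifting. The comment `/* Header size */` also does not say why the field is preset; something like `/* only the 7-byte header has been read so far; p9_parse_header() stores the real length via &m->rc.size */` would. After this call `m->rc.size` is the peer-supplied length with only the lower bound applied, so the upper-bound check against the buffer has to happen in the code that follows, which is outside this hunk.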
  80. diff --git a/net/9p/trans_rdma.c b/net/9p/trans_rdma.c
  81. index 3d414acb7015..2649b2ebf961 100644
  82. --- a/net/9p/trans_rdma.c
  83. +++ b/net/9p/trans_rdma.c
  84. @@ -320,6 +320,7 @@ recv_done(struct ib_cq *cq, struct ib_wc *wc)
  85. if (wc->status != IB_WC_SUCCESS)
  86. goto err_out;
  87.  
  88. + c->rc->size = wc->byte_len;
  89. err = p9_parse_header(c->rc, NULL, NULL, &tag, 1);
  90. if (err)
  91. goto err_out;
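Review bot: `wc->byte_len` is taken as the PDU size without being compared to the receive buffer, and the same holds for `req->rc->size = len` in the trans_virtio.c req_done hunk. Both values are reported by the transport or device, and p9_parse_header now trusts `pdu->size` as the reference for the header's size field, so a reported length larger than the buffer would presumably let a matching `r_size` pass validation. A guard such as `if (wc->byte_len > c->rc->capacity) goto err_out;` before the assignment (and the equivalent on `len` in req_done) would close that; `capacity` is the field the trans_fd.c hunk already reads. How the receive buffers are sized is outside these hunks, so confirm the bound against that code.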
  92. diff --git a/net/9p/trans_virtio.c b/net/9p/trans_virtio.c
  93. index 05006cbb3361..6d515f7ebfaf 100644
  94. --- a/net/9p/trans_virtio.c
  95. +++ b/net/9p/trans_virtio.c
  96. @@ -159,8 +159,10 @@ static void req_done(struct virtqueue *vq)
  97. spin_unlock_irqrestore(&chan->lock, flags);
  98. /* Wakeup if anyone waiting for VirtIO ring space. */
  99. wake_up(chan->vc_wq);
  100. - if (len)
  101. + if (len) {
  102. + req->rc->size = len;
  103. p9_client_cb(chan->client, req, REQ_STATUS_RCVD);
  104. + }
  105. }
  106. }
  107.  
  108. @@ -446,7 +448,7 @@ p9_virtio_zc_request(struct p9_client *client, struct p9_req_t *req,
  109. out += pack_sg_list_p(chan->sg, out, VIRTQUEUE_NUM,
  110. out_pages, out_nr_pages, offs, outlen);
  111. }
  112. -
  113. +
  114. /*
  115. * Take care of in data
  116. * For example TREAD have 11.