NFC: pn533: bound the UART receive buffer

pn532_receive_buf() appends every incoming byte to dev->recv_skb and
only resets the buffer after pn532_uart_rx_is_frame() recognizes a
complete frame. A continuous stream of bytes without a valid PN532 frame
header therefore keeps growing the skb until skb_put_u8() hits the tail
limit.

Drop the accumulated partial frame once the fixed receive buffer is full
so malformed UART traffic cannot grow the skb past
PN532_UART_SKB_BUFF_LEN.

Fixes: c656aa4c27b1 ("nfc: pn533: add UART phy driver")
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
Link: https://patch.msgid.link/20260326142033.82297-1-pengpeng@iscas.ac.cn
Signed-off-by: Paolo Abeni <pabeni@redhat.com>

diff --git a/drivers/nfc/pn533/uart.c b/drivers/nfc/pn533/uart.c
index 6d2f520a5bc8d05d4bb514a8c8296b3675b936ee..1b82b7b2a5fae81fd372ff223bdbed43161914e5 100644 (file)
--- a/drivers/nfc/pn533/uart.c
+++ b/drivers/nfc/pn533/uart.c
@@ -211,6 +211,9 @@ static size_t pn532_receive_buf(struct serdev_device *serdev,
 
        timer_delete(&dev->cmd_timeout);
        for (i = 0; i < count; i++) {
+               if (unlikely(!skb_tailroom(dev->recv_skb)))
+                       skb_trim(dev->recv_skb, 0);
+
                skb_put_u8(dev->recv_skb, *data++);
                if (!pn532_uart_rx_is_frame(dev->recv_skb))
                        continue;