]> git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
projects / thirdparty / kernel / linux.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 77facb3)
nfc: s3fwrn5: allocate rx skb before consuming bytes
authorPengpeng Hou <pengpeng@iscas.ac.cn>
Thu, 2 Apr 2026 04:21:48 +0000 (12:21 +0800)
committerJakub Kicinski <kuba@kernel.org>
Fri, 3 Apr 2026 22:57:46 +0000 (15:57 -0700)
s3fwrn82_uart_read() reports the number of accepted bytes to the serdev
core. The current code consumes bytes into recv_skb and may already
deliver a complete frame before allocating a fresh receive buffer.

If that alloc_skb() fails, the callback returns 0 even though it has
already consumed bytes, and it leaves recv_skb as NULL for the next
receive callback. That breaks the receive_buf() accounting contract and
can also lead to a NULL dereference on the next skb_put_u8().

Allocate the receive skb lazily before consuming the next byte instead.
If allocation fails, return the number of bytes already accepted.

Fixes: 3f52c2cb7e3a ("nfc: s3fwrn5: Support a UART interface")
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
Link: https://patch.msgid.link/20260402042148.65236-1-pengpeng@iscas.ac.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
drivers/nfc/s3fwrn5/uart.c patch | blob | blame | history

diff --git a/drivers/nfc/s3fwrn5/uart.c b/drivers/nfc/s3fwrn5/uart.c
index 9c09c10c2a4640e626c4f62fc8800c9d2ccc1e5c..4ee481bd7e9654c7113d66b6cd47dd85b8082746 100644 (file)
--- a/drivers/nfc/s3fwrn5/uart.c
+++ b/drivers/nfc/s3fwrn5/uart.c
@@ -58,6 +58,12 @@ static size_t s3fwrn82_uart_read(struct serdev_device *serdev,
        size_t i;
 
        for (i = 0; i < count; i++) {
+               if (!phy->recv_skb) {
+                       phy->recv_skb = alloc_skb(NCI_SKB_BUFF_LEN, GFP_KERNEL);
+                       if (!phy->recv_skb)
+                               return i;
+               }
+
                skb_put_u8(phy->recv_skb, *data++);
 
                if (phy->recv_skb->len < S3FWRN82_NCI_HEADER)
@@ -69,9 +75,7 @@ static size_t s3fwrn82_uart_read(struct serdev_device *serdev,
 
                s3fwrn5_recv_frame(phy->common.ndev, phy->recv_skb,
                                   phy->common.mode);
-               phy->recv_skb = alloc_skb(NCI_SKB_BUFF_LEN, GFP_KERNEL);
-               if (!phy->recv_skb)
-                       return 0;
+               phy->recv_skb = NULL;
        }
 
        return i;
A mirror of Linus' kernel repository