From: Pengpeng Hou
Date: Sun, 5 Apr 2026 08:40:00 +0800
Message-ID: <20260405094003.3-pn533-v2-pengpeng@iscas.ac.cn>
To: netdev@vger.kernel.org
Cc: Lars Poeschel, Duoming Zhou, Rikard Falkeborn, linux-kernel@vger.kernel.org, pengpeng@iscas.ac.cn, stable@vger.kernel.org
In-Reply-To: <20260402042148.65251-1-pengpeng@iscas.ac.cn>
References: <20260402042148.65251-1-pengpeng@iscas.ac.cn>
Subject: [PATCH net v2] nfc: pn533: allocate rx skb before consuming bytes

pn532_receive_buf() reports the number of accepted bytes to the serdev core.
The current code consumes bytes into recv_skb and may already hand a complete frame to pn533_recv_frame() before allocating a fresh receive buffer.

If that alloc_skb() fails, the callback returns 0 even though it has already consumed bytes, and it leaves recv_skb as NULL for the next receive callback. That breaks the receive_buf() accounting contract and can also lead to a NULL dereference on the next skb_put_u8().

Allocate the receive skb lazily before consuming the next byte instead. If allocation fails, return the number of bytes already accepted.

Fixes: c656aa4c27b1 ("nfc: pn533: add UART phy driver")
Cc: stable@vger.kernel.org
Signed-off-by: Pengpeng Hou
---
Changes since v1:
- rebase on `net/main`
- keep the same fix shape on top of the current tailroom handling

 drivers/nfc/pn533/uart.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/drivers/nfc/pn533/uart.c b/drivers/nfc/pn533/uart.c index 1b82b7b2..e0d67cd2 100644 --- a/drivers/nfc/pn533/uart.c +++ b/drivers/nfc/pn533/uart.c @@ -211,6 +211,13 @@ static size_t pn532_receive_buf(struct serdev_device *= serdev, =20 timer_delete(&dev->cmd_timeout); for (i =3D 0; i < count; i++) { + if (!dev->recv_skb) { + dev->recv_skb =3D alloc_skb(PN532_UART_SKB_BUFF_LEN, + GFP_KERNEL); + if (!dev->recv_skb) + return i; + } + if (unlikely(!skb_tailroom(dev->recv_skb))) skb_trim(dev->recv_skb, 0); =20 @@ -219,9 +226,7 @@ static size_t pn532_receive_buf(struct serdev_device *s= erdev, continue; =20 pn533_recv_frame(dev->priv, dev->recv_skb, 0); - dev->recv_skb =3D alloc_skb(PN532_UART_SKB_BUFF_LEN, GFP_KERNEL); - if (!dev->recv_skb) - return 0; + dev->recv_skb =3D NULL; } =20 return i; --=20 2.50.1
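Review bot: In the first hunk (@@ -211,6 +211,13 @@), the new `if (!dev->recv_skb)` block at the top of the loop carries no comment explaining why recv_skb may be NULL at this point, and its `return i;` failure path drops the allocation error silently. A short comment above the check, stating that the skb is handed off once a frame completes and is re-allocated lazily before the next byte is stored, would keep a later cleanup from hoisting the allocation back out of the loop. It would also help to note there that `return i` with i == 0 is intentional: it is the same value the removed failure path returned, but it is accurate now because no byte has been consumed in this call.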
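Review bot: In the second hunk (@@ -219,9 +226,7 @@), `dev->recv_skb = NULL;` turns a NULL recv_skb into the normal state between a completed frame and the next received byte, where the removed lines only left it NULL after a failed alloc_skb(). The diff covers pn532_receive_buf() only, so the changelog should state that every other user of dev->recv_skb in uart.c has been checked to tolerate NULL, or the patch should add the missing checks. The commit message explains the accounting fix but does not mention this change in the pointer's lifetime; one sentence on it would make the stable backport easier to review.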