From: Jakub Kicinski <kuba@kernel.org>
To: pengpeng@iscas.ac.cn
Cc: Jakub Kicinski <kuba@kernel.org>,
netdev@vger.kernel.org, krzk@kernel.org, bongsu.jeon@samsung.com,
davem@davemloft.net, edumazet@google.com, pabeni@redhat.com,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] NFC: s3fwrn5: bound the UART receive buffer
Date: Wed, 1 Apr 2026 19:49:38 -0700 [thread overview]
Message-ID: <20260402024939.845287-1-kuba@kernel.org> (raw)
In-Reply-To: <20260328113615.37260-1-pengpeng@iscas.ac.cn>
This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least plausible.
---
NFC: s3fwrn5: bound the UART receive buffer
This commit attempts to fix a potential buffer overrun in the UART receive
handler by dropping oversized frames before they exceed NCI_SKB_BUFF_LEN.
> diff --git a/drivers/nfc/s3fwrn5/uart.c b/drivers/nfc/s3fwrn5/uart.c
> index ccfcee06ee77..aba688499c05 100644
> --- a/drivers/nfc/s3fwrn5/uart.c
> +++ b/drivers/nfc/s3fwrn5/uart.c
> @@ -63,8 +63,17 @@ static size_t s3fwrn82_uart_read(struct serdev_device *serdev,
[ ... ]
> if ((phy->recv_skb->len - S3FWRN82_NCI_HEADER)
> - < phy->recv_skb->data[S3FWRN82_NCI_IDX])
> + < phy->recv_skb->data[S3FWRN82_NCI_IDX]) {
> + if (phy->recv_skb->len < NCI_SKB_BUFF_LEN)
> + continue;
Is it mathematically possible for this condition to be false?
Since phy->recv_skb->data[S3FWRN82_NCI_IDX] is an 8-bit unsigned integer,
its maximum value is 255. With S3FWRN82_NCI_HEADER being 3, the check
len - 3 < data[2] ensures the length is strictly less than 258 when
entering this block.
Because NCI_SKB_BUFF_LEN is 258, wouldn't len < NCI_SKB_BUFF_LEN always
evaluate to true, making the new frame-dropping logic unreachable?
> +
> + dev_dbg(&serdev->dev, "dropping oversized UART frame\n");
> + kfree_skb(phy->recv_skb);
> + phy->recv_skb = alloc_skb(NCI_SKB_BUFF_LEN, GFP_KERNEL);
> + if (!phy->recv_skb)
> + return 0;
This isn't a new issue introduced by this patch, but does returning 0 here
after a failed allocation cause a NULL pointer dereference?
If alloc_skb() fails, phy->recv_skb becomes NULL and the function returns 0.
When the serdev core retries delivering the buffer later, the loop
immediately calls skb_put_u8(phy->recv_skb, *data++), which will dereference
the NULL pointer.
Also, does returning 0 after already processing some bytes corrupt the
UART state machine by forcing already-consumed bytes to be replayed?
> continue;
> + }
>
> s3fwrn5_recv_frame(phy->common.ndev, phy->recv_skb,
> phy->common.mode);
--
pw-bot: cr
prev parent reply other threads:[~2026-04-02 2:49 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-28 11:36 [PATCH] NFC: s3fwrn5: bound the UART receive buffer Pengpeng Hou
2026-04-02 2:49 ` Jakub Kicinski [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260402024939.845287-1-kuba@kernel.org \
--to=kuba@kernel.org \
--cc=bongsu.jeon@samsung.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=krzk@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=pengpeng@iscas.ac.cn \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.