[PATCH net 4/5] nfc: nci: clear NCI_DATA_EXCHANGE before calling completion callback

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Jakub Kicinski <kuba@kernel.org>
To: davem@davemloft.net
Cc: netdev@vger.kernel.org, edumazet@google.com, pabeni@redhat.com,
	andrew+netdev@lunn.ch, horms@kernel.org,
	Jakub Kicinski <kuba@kernel.org>
Subject: [PATCH net 4/5] nfc: nci: clear NCI_DATA_EXCHANGE before calling completion callback
Date: Tue,  3 Mar 2026 08:23:44 -0800	[thread overview]
Message-ID: <20260303162346.2071888-5-kuba@kernel.org> (raw)
In-Reply-To: <20260303162346.2071888-1-kuba@kernel.org>

Move clear_bit(NCI_DATA_EXCHANGE) before invoking the data exchange
callback in nci_data_exchange_complete().

The callback (e.g. rawsock_data_exchange_complete) may immediately
schedule another data exchange via schedule_work(tx_work).  On a
multi-CPU system, tx_work can run and reach nci_transceive() before
the current nci_data_exchange_complete() clears the flag, causing
test_and_set_bit(NCI_DATA_EXCHANGE) to return -EBUSY and the new
transfer to fail.

This causes intermittent flakes in nci/nci_dev in NIPA:

  # #  RUN           NCI.NCI1_0.t4t_tag_read ...
  # # t4t_tag_read: Test terminated by timeout
  # #          FAIL  NCI.NCI1_0.t4t_tag_read
  # not ok 3 NCI.NCI1_0.t4t_tag_read

Fixes: 38f04c6b1b68 ("NFC: protect nci_data_exchange transactions")
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
---
 net/nfc/nci/data.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/net/nfc/nci/data.c b/net/nfc/nci/data.c
index 78f4131af3cf..efb001b41aa8 100644
--- a/net/nfc/nci/data.c
+++ b/net/nfc/nci/data.c
@@ -33,7 +33,8 @@ void nci_data_exchange_complete(struct nci_dev *ndev, struct sk_buff *skb,
 	conn_info = nci_get_conn_info_by_conn_id(ndev, conn_id);
 	if (!conn_info) {
 		kfree_skb(skb);
-		goto exit;
+		clear_bit(NCI_DATA_EXCHANGE, &ndev->flags);
+		return;
 	}
 
 	cb = conn_info->data_exchange_cb;
@@ -45,6 +46,12 @@ void nci_data_exchange_complete(struct nci_dev *ndev, struct sk_buff *skb,
 	timer_delete_sync(&ndev->data_timer);
 	clear_bit(NCI_DATA_EXCHANGE_TO, &ndev->flags);
 
+	/* Mark the exchange as done before calling the callback.
+	 * The callback (e.g. rawsock_data_exchange_complete) may
+	 * want to immediately queue another data exchange.
+         */
+	clear_bit(NCI_DATA_EXCHANGE, &ndev->flags);
+
 	if (cb) {
 		/* forward skb to nfc core */
 		cb(cb_context, skb, err);
@@ -54,9 +61,6 @@ void nci_data_exchange_complete(struct nci_dev *ndev, struct sk_buff *skb,
 		/* no waiting callback, free skb */
 		kfree_skb(skb);
 	}
-
-exit:
-	clear_bit(NCI_DATA_EXCHANGE, &ndev->flags);
 }
 
 /* ----------------- NCI TX Data ----------------- */
-- 
2.53.0

next prev parent reply	other threads:[~2026-03-03 16:23 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-03-03 16:23 [PATCH net 0/5] nfc: fix leaks and races surfaced by NIPA Jakub Kicinski
2026-03-03 16:23 ` [PATCH net 1/5] nfc: nci: free skb on nci_transceive early error paths Jakub Kicinski
2026-03-03 21:02   ` Joe Damato
2026-03-03 16:23 ` [PATCH net 2/5] nfc: digital: free skb on digital_in_send " Jakub Kicinski
2026-03-03 21:04   ` Joe Damato
2026-03-03 16:23 ` [PATCH net 3/5] nfc: nci: complete pending data exchange on device close Jakub Kicinski
2026-03-03 22:03   ` Joe Damato
2026-03-03 16:23 ` Jakub Kicinski [this message]
2026-03-03 22:46   ` [PATCH net 4/5] nfc: nci: clear NCI_DATA_EXCHANGE before calling completion callback Joe Damato
2026-03-03 16:23 ` [PATCH net 5/5] nfc: rawsock: cancel tx_work before socket teardown Jakub Kicinski
2026-03-03 22:51   ` Joe Damato
2026-03-24 13:31   ` Guenter Roeck
2026-03-05  2:40 ` [PATCH net 0/5] nfc: fix leaks and races surfaced by NIPA patchwork-bot+netdevbpf

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:78f4131af3c dfblob:efb001b41aa )
 OR (
bs:"[PATCH net 4/5] nfc: nci: clear NCI_DATA_EXCHANGE before calling completion callback" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260303162346.2071888-5-kuba@kernel.org \
    --to=kuba@kernel.org \
    --cc=andrew+netdev@lunn.ch \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=horms@kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.