nfc: nci: clear NCI_DATA_EXCHANGE before calling completion callback

Move clear_bit(NCI_DATA_EXCHANGE) before invoking the data exchange
callback in nci_data_exchange_complete().

The callback (e.g. rawsock_data_exchange_complete) may immediately
schedule another data exchange via schedule_work(tx_work).  On a
multi-CPU system, tx_work can run and reach nci_transceive() before
the current nci_data_exchange_complete() clears the flag, causing
test_and_set_bit(NCI_DATA_EXCHANGE) to return -EBUSY and the new
transfer to fail.

This causes intermittent flakes in nci/nci_dev in NIPA:

  # #  RUN           NCI.NCI1_0.t4t_tag_read ...
  # # t4t_tag_read: Test terminated by timeout
  # #          FAIL  NCI.NCI1_0.t4t_tag_read
  # not ok 3 NCI.NCI1_0.t4t_tag_read

Fixes: 38f04c6b1b68 ("NFC: protect nci_data_exchange transactions")
Reviewed-by: Joe Damato <joe@dama.to>
Link: https://patch.msgid.link/20260303162346.2071888-5-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/net/nfc/nci/data.c b/net/nfc/nci/data.c
index 78f4131af3cf3cfbd386423b521fca7a62527eec..5f98c73db5afde7a7d81acc8ad5b000235d94e30 100644 (file)
--- a/net/nfc/nci/data.c
+++ b/net/nfc/nci/data.c
@@ -33,7 +33,8 @@ void nci_data_exchange_complete(struct nci_dev *ndev, struct sk_buff *skb,
        conn_info = nci_get_conn_info_by_conn_id(ndev, conn_id);
        if (!conn_info) {
                kfree_skb(skb);
-               goto exit;
+               clear_bit(NCI_DATA_EXCHANGE, &ndev->flags);
+               return;
        }
 
        cb = conn_info->data_exchange_cb;
@@ -45,6 +46,12 @@ void nci_data_exchange_complete(struct nci_dev *ndev, struct sk_buff *skb,
        timer_delete_sync(&ndev->data_timer);
        clear_bit(NCI_DATA_EXCHANGE_TO, &ndev->flags);
 
+       /* Mark the exchange as done before calling the callback.
+        * The callback (e.g. rawsock_data_exchange_complete) may
+        * want to immediately queue another data exchange.
+        */
+       clear_bit(NCI_DATA_EXCHANGE, &ndev->flags);
+
        if (cb) {
                /* forward skb to nfc core */
                cb(cb_context, skb, err);
@@ -54,9 +61,6 @@ void nci_data_exchange_complete(struct nci_dev *ndev, struct sk_buff *skb,
                /* no waiting callback, free skb */
                kfree_skb(skb);
        }
-
-exit:
-       clear_bit(NCI_DATA_EXCHANGE, &ndev->flags);
 }
 
 /* ----------------- NCI TX Data ----------------- */