Patch "NFC: reorganize the functions in nci_request" has been added to the 5.4-stable tree

This is a note to let you know that I've just added the patch titled

    NFC: reorganize the functions in nci_request

to the 5.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     nfc-reorganize-the-functions-in-nci_request.patch
and it can be found in the queue-5.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 9221de750a193d19858c271781a67023c4f31031
Author: Lin Ma <linma@xxxxxxxxxx>
Date:   Mon Nov 15 22:56:00 2021 +0800

    NFC: reorganize the functions in nci_request
    
    [ Upstream commit 86cdf8e38792545161dbe3350a7eced558ba4d15 ]
    
    There is a possible data race as shown below:
    
    thread-A in nci_request()       | thread-B in nci_close_device()
                                    | mutex_lock(&ndev->req_lock);
    test_bit(NCI_UP, &ndev->flags); |
    ...                             | test_and_clear_bit(NCI_UP, &ndev->flags)
    mutex_lock(&ndev->req_lock);    |
                                    |
    
    This race will allow __nci_request() to be awakened while the device is
    getting removed.
    
    Similar to commit e2cb6b891ad2 ("bluetooth: eliminate the potential race
    condition when removing the HCI controller"), this patch alters the
    function sequence in nci_request() to prevent data races with
    nci_close_device().
    
    Signed-off-by: Lin Ma <linma@xxxxxxxxxx>
    Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation")
    Link: https://lore.kernel.org/r/20211115145600.8320-1-linma@xxxxxxxxxx
    Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
index 6a34a0a786eaa..1d0aa9e6044bf 100644
--- a/net/nfc/nci/core.c
+++ b/net/nfc/nci/core.c
@@ -144,12 +144,15 @@ inline int nci_request(struct nci_dev *ndev,
 {
 	int rc;
 
-	if (!test_bit(NCI_UP, &ndev->flags))
-		return -ENETDOWN;
-
 	/* Serialize all requests */
 	mutex_lock(&ndev->req_lock);
-	rc = __nci_request(ndev, req, opt, timeout);
+	/* check the state after obtaing the lock against any races
+	 * from nci_close_device when the device gets removed.
+	 */
+	if (test_bit(NCI_UP, &ndev->flags))
+		rc = __nci_request(ndev, req, opt, timeout);
+	else
+		rc = -ENETDOWN;
 	mutex_unlock(&ndev->req_lock);
 
 	return rc;
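
Review bot: the comment added above the test_bit(NCI_UP, &ndev->flags) check should name the invariant the fix relies on, which is that NCI_UP is only cleared while req_lock is held (the commit message shows nci_close_device() taking the mutex before test_and_clear_bit()); as written it only says "against any races", and it misspells "obtaining" as "obtaing". It is also worth noting in the comment or changelog that, with the early return removed, a caller on a device that is already down now takes req_lock before getting -ENETDOWN, so it can sleep behind the current holder of the mutex instead of failing immediately.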
