syzbot

map[Benign:true Confident:true Explanation:The data race occurs on the `req_status` field of the `struct nci_dev`. This field is used to track the status of a pending NCI (NFC Controller Interface) request.

### Analysis of the Race

1.  **Task 1 (`nci_dev_up` -> `__nci_request`)**: This task initiates an NCI request (e.g., `CORE_RESET_CMD`). It sets `ndev->req_status = NCI_REQ_PEND` (value 1) before sending the command and waiting for a completion.
2.  **Task 2 (`nci_rx_work` -> `nci_req_complete`)**: This task processes incoming packets from the NFC controller. When a response packet is received, it calls `nci_req_complete`, which checks if `ndev->req_status == NCI_REQ_PEND`. If it is, it sets the result, changes the status to `NCI_REQ_DONE` (value 0), and signals the completion.

The reported race happens because `nci_req_complete` reads `req_status` without holding the `ndev->req_lock` mutex, while `__nci_request` writes to it while holding the mutex.

### Impact and Verdict

*   **Logic Race**: The race is only possible if a response packet arrives while a new request is being set up. This typically happens if a previous request timed out, and its "late" response arrives just as a new request starts. If the late response is processed between the time `req_status` is set to `NCI_REQ_PEND` and the time the new command is actually sent, the new request might be "completed" prematurely with the result of the old, late response.
*   **Data Race**: From a memory safety perspective, `req_status` is a simple 32-bit integer. On all supported Linux architectures, a 32-bit aligned read or write is atomic. The data race reported by KCSAN indicates that these accesses are concurrent and not synchronized by a common lock or atomic primitives (like `READ_ONCE`/`WRITE_ONCE`).
*   **Benign Nature**: While the logic race described above can lead to incorrect protocol behavior (e.g., assuming a reset succeeded when it hasn't yet), it does not lead to memory corruption, kernel crashes, or undefined behavior in the C sense, assuming a conservative compiler. The `req_status` field is used as a simple state flag. The synchronization of the actual data (`req_result`) is handled by the completion mechanism (`complete()` and `wait_for_completion()`), which includes the necessary memory barriers to ensure that the result is visible after the completion is signaled.

In the context of the Linux kernel, such races on status flags in network/communication drivers are often considered benign, although they should ideally be annotated with `READ_ONCE`/`WRITE_ONCE` to satisfy static and dynamic analysis tools.

The data race is benign as it involves a simple status flag and does not result in memory corruption or system instability. The underlying synchronization issue with late responses is a known characteristic of the NCI implementation and is not exacerbated by the lack of explicit atomic annotations on the `req_status` field.]

map[KernelSrc:/usr/local/google/home/dvyukov/syzkaller/agent/workdir/cache/src/ba6c573c9a6402afc2203db2262fbb67bcd5c7ff]

map[KernelObj:/usr/local/google/home/dvyukov/syzkaller/agent/workdir/cache/build/f50c87297a8d59c81949ca44bdc4e2d5ce84c94c]

map[Index:codesearch-index]

gemini-3-flash-preview

map[Benign:true Confident:true]

You are an experienced Linux kernel developer tasked with determining if the given kernel
data race is benign or not. The data race report is from KCSAN tool.
It contains 2 stack traces of the memory accesses that constitute a data race.

A "benign" data races are on a simple int/bool variable or similar field,
and the accesses are not supposed to be protected by any mutual exclusion primitives.
Common examples of such "benign" data races are accesses to various flags fields,
statistics counters, and similar. A "benign" data race does not lead to memory corruption/crash
with a conservative compiler that compiles memory accesses to primitive types
effectively as atomic.

A non-benign (or "harmful" data race) can lead to corruption/crash even with
a conservative compiler that compiles memory accesses to primitive types
effectively as atomic. A common example of a "harmful" data races is race on
a complex container (list/hashmap/etc), where accesses are supposed to be protected
by a mutual exclusion primitive.

Also consider races that happen at the same time with the given one.
If there is no synchronization in between, other memory accesses in the involved threads
race with each other if they access the same memory. For example, if both threads execute:

	some_struct->have_elements = true;
	list_add(new_node, &some_struct->list_head);

the race on some_struct->have_elements may appear benign, however it also implies there
is a race on some_struct->list_head which is not benign, since the list is not thread-safe.

Take into account that on 32-bit systems 64-bit memory accesses may be split into two accesses,
and thus even with a conservative compiler may not be fully atomic. However, such races may
still be benign depending on how writes are done, and how read data is used.

In the final reply explain why you think the given data race is benign or is harmful.

Use the provided tools to confirm any assumptions, variables/fields being accessed, etc.
In particular, don't make assumptions about the kernel source code,
use codesearch tools to read the actual source code.

Prefer calling several tools at the same time to save round-trips.


Use set-results tool to provide results of the analysis.
It must be called exactly once before the final reply.
Ignore results of this tool.

The data race report is:

==================================================================
BUG: KCSAN: data-race in nci_dev_up / nci_req_complete

write to 0xffff88811bfb69a0 of 4 bytes by task 6091 on cpu 1:
 __nci_request net/nfc/nci/core.c:136 [inline]
 nci_open_device net/nfc/nci/core.c:503 [inline]
 nci_dev_up+0x272/0x8f0 net/nfc/nci/core.c:632
 nfc_dev_up+0x103/0x1b0 net/nfc/core.c:118
 nfc_genl_dev_up+0x53/0x90 net/nfc/netlink.c:775
 genl_family_rcv_msg_doit+0x143/0x1b0 net/netlink/genetlink.c:1115
 genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]
 genl_rcv_msg+0x422/0x460 net/netlink/genetlink.c:1210
 netlink_rcv_skb+0x123/0x220 net/netlink/af_netlink.c:2550
 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219
 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
 netlink_unicast+0x5c0/0x690 net/netlink/af_netlink.c:1344
 netlink_sendmsg+0x58b/0x6b0 net/netlink/af_netlink.c:1894
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg+0x145/0x180 net/socket.c:742
 ____sys_sendmsg+0x31e/0x4a0 net/socket.c:2592
 ___sys_sendmsg+0x17b/0x1d0 net/socket.c:2646
 __sys_sendmsg net/socket.c:2678 [inline]
 __do_sys_sendmsg net/socket.c:2683 [inline]
 __se_sys_sendmsg net/socket.c:2681 [inline]
 __x64_sys_sendmsg+0xd4/0x160 net/socket.c:2681
 x64_sys_call+0x17ba/0x3000 arch/x86/include/generated/asm/syscalls_64.h:47
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xca/0x2b0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

read to 0xffff88811bfb69a0 of 4 bytes by task 2331 on cpu 0:
 nci_req_complete+0x23/0x90 net/nfc/nci/core.c:80
 nci_rsp_packet+0xc6f/0xe30 net/nfc/nci/rsp.c:-1
 nci_rx_work+0x16f/0x2c0 net/nfc/nci/core.c:1551
 process_one_work kernel/workqueue.c:3257 [inline]
 process_scheduled_works+0x4ce/0x9d0 kernel/workqueue.c:3340
 worker_thread+0x582/0x770 kernel/workqueue.c:3421
 kthread+0x489/0x510 kernel/kthread.c:463
 ret_from_fork+0x149/0x290 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

value changed: 0x00000000 -> 0x00000001

Reported by Kernel Concurrency Sanitizer on:
CPU: 0 UID: 0 PID: 2331 Comm: kworker/u8:13 Not tainted syzkaller #0 PREEMPT(voluntary) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Workqueue: nfc2_nci_rx_wq nci_rx_work
==================================================================

The data race occurs on the `req_status` field of the `struct nci_dev`. This field is used to track the status of a pending NCI (NFC Controller Interface) request.

### Analysis of the Race

1.  **Task 1 (`nci_dev_up` -> `__nci_request`)**: This task initiates an NCI request (e.g., `CORE_RESET_CMD`). It sets `ndev->req_status = NCI_REQ_PEND` (value 1) before sending the command and waiting for a completion.
2.  **Task 2 (`nci_rx_work` -> `nci_req_complete`)**: This task processes incoming packets from the NFC controller. When a response packet is received, it calls `nci_req_complete`, which checks if `ndev->req_status == NCI_REQ_PEND`. If it is, it sets the result, changes the status to `NCI_REQ_DONE` (value 0), and signals the completion.

The reported race happens because `nci_req_complete` reads `req_status` without holding the `ndev->req_lock` mutex, while `__nci_request` writes to it while holding the mutex.

### Impact and Verdict

*   **Logic Race**: The race is only possible if a response packet arrives while a new request is being set up. This typically happens if a previous request timed out, and its "late" response arrives just as a new request starts. If the late response is processed between the time `req_status` is set to `NCI_REQ_PEND` and the time the new command is actually sent, the new request might be "completed" prematurely with the result of the old, late response.
*   **Data Race**: From a memory safety perspective, `req_status` is a simple 32-bit integer. On all supported Linux architectures, a 32-bit aligned read or write is atomic. The data race reported by KCSAN indicates that these accesses are concurrent and not synchronized by a common lock or atomic primitives (like `READ_ONCE`/`WRITE_ONCE`).
*   **Benign Nature**: While the logic race described above can lead to incorrect protocol behavior (e.g., assuming a reset succeeded when it hasn't yet), it does not lead to memory corruption, kernel crashes, or undefined behavior in the C sense, assuming a conservative compiler. The `req_status` field is used as a simple state flag. The synchronization of the actual data (`req_result`) is handled by the completion mechanism (`complete()` and `wait_for_completion()`), which includes the necessary memory barriers to ensure that the result is visible after the completion is signaled.

In the context of the Linux kernel, such races on status flags in network/communication drivers are often considered benign, although they should ideally be annotated with `READ_ONCE`/`WRITE_ONCE` to satisfy static and dynamic analysis tools.

The data race is benign as it involves a simple status flag and does not result in memory corruption or system instability. The underlying synchronization issue with late responses is a known characteristic of the NCI implementation and is not exacerbated by the lack of explicit atomic annotations on the `req_status` field.

gemini-3-flash-preview

							input: 4290
							output: 26
							thoughts: 189
						

**Analyzing a Data Race in the NFC Stack**

Okay, so the report indicates a data race. My expertise tells me this is serious; we need to understand this fully. Specifically, the race is between `nci_dev_up` (through the `__nci_request` call) and `nci_req_complete`. The report highlights a write to and read from the memory address `0xffff88811bfb69a0`. The value's transition from 0 to 1 is a clear indicator of a potential synchronization problem.

My immediate focus shifts to the code itself. I need to understand what's happening at those reported locations. Let's see... the report specifies `net/nfc/nci/core.c:136` for `__nci_request` (which is inlined within `nci_open_device` which is then inlined in `nci_dev_up`). And `net/nfc/nci/core.c:80` for `nci_req_complete`. I'll open those files in my editor. I'm going to start by getting a quick listing of those files to ensure I'm getting the right context. After that I can get my hands dirty and start reading the code. Let's dig in.

map[Dir:net/nfc/nci/]

map[Files:[core.c data.c hci.c lib.c ntf.c rsp.c spi.c uart.c] Subdirs:<nil>]

gemini-3-flash-preview

							input: 4856
							output: 26
							thoughts: 154
						

Okay, let me get a grasp on this issue.

**Analyzing the NFC NCI Codebase**

Alright, I need to understand what's happening around those reported lines. My immediate thought is to examine the surrounding code to get the context. I'll start with `net/nfc/nci/core.c:136`, `net/nfc/nci/core.c:80`, `net/nfc/nci/core.c:1551`, where that `nci_rx_work` function likely is, then `net/nfc/nci/core.c:632` and `net/nfc/nci/core.c:503` – those look like they handle device setup and opening. I'll need to understand how the data flows. Given the context, the core file will likely be related to overall NCI protocol management.

Given this could be something response related, it's also worth investigating `nci_rsp_packet` in `net/nfc/nci/rsp.c`. This will give me information about how the NCI responses are handled, and how that fits into this process. This will give me a more complete picture of the process.

map[File:net/nfc/nci/core.c]

map[Contents:// SPDX-License-Identifier: GPL-2.0-only
/*
 *  The NFC Controller Interface is the communication protocol between an
 *  NFC Controller (NFCC) and a Device Host (DH).
 *
 *  Copyright (C) 2011 Texas Instruments, Inc.
 *  Copyright (C) 2014 Marvell International Ltd.
 *
 *  Written by Ilan Elias <ilane@ti.com>
 *
 *  Acknowledgements:
 *  This file is based on hci_core.c, which was written
 *  by Maxim Krasnyansky.
 */

#define pr_fmt(fmt) KBUILD_MODNAME ": %s: " fmt, __func__

#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/types.h>
#include <linux/workqueue.h>
#include <linux/completion.h>
#include <linux/export.h>
#include <linux/sched.h>
#include <linux/bitops.h>
#include <linux/skbuff.h>
#include <linux/kcov.h>

#include "../nfc.h"
#include <net/nfc/nci.h>
#include <net/nfc/nci_core.h>
#include <linux/nfc.h>

struct core_conn_create_data {
	int length;
	struct nci_core_conn_create_cmd *cmd;
};

static void nci_cmd_work(struct work_struct *work);
static void nci_rx_work(struct work_struct *work);
static void nci_tx_work(struct work_struct *work);

struct nci_conn_info *nci_get_conn_info_by_conn_id(struct nci_dev *ndev,
						   int conn_id)
{
	struct nci_conn_info *conn_info;

	list_for_each_entry(conn_info, &ndev->conn_info_list, list) {
		if (conn_info->conn_id == conn_id)
			return conn_info;
	}

	return NULL;
}

int nci_get_conn_info_by_dest_type_params(struct nci_dev *ndev, u8 dest_type,
					  const struct dest_spec_params *params)
{
	const struct nci_conn_info *conn_info;

	list_for_each_entry(conn_info, &ndev->conn_info_list, list) {
		if (conn_info->dest_type == dest_type) {
			if (!params)
				return conn_info->conn_id;

			if (params->id == conn_info->dest_params->id &&
			    params->protocol == conn_info->dest_params->protocol)
				return conn_info->conn_id;
		}
	}

	return -EINVAL;
}
EXPORT_SYMBOL(nci_get_conn_info_by_dest_type_params);

/* ---- NCI requests ---- */

void nci_req_complete(struct nci_dev *ndev, int result)
{
	if (ndev->req_status == NCI_REQ_PEND) {
		ndev->req_result = result;
		ndev->req_status = NCI_REQ_DONE;
		complete(&ndev->req_completion);
	}
}
EXPORT_SYMBOL(nci_req_complete);

static void nci_req_cancel(struct nci_dev *ndev, int err)
{
	if (ndev->req_status == NCI_REQ_PEND) {
		ndev->req_result = err;
		ndev->req_status = NCI_REQ_CANCELED;
		complete(&ndev->req_completion);
	}
}

/* Execute request and wait for completion. */
static int __nci_request(struct nci_dev *ndev,
			 void (*req)(struct nci_dev *ndev, const void *opt),
			 const void *opt, __u32 timeout)
{
	int rc = 0;
	long completion_rc;

	ndev->req_status = NCI_REQ_PEND;

	reinit_completion(&ndev->req_completion);
	req(ndev, opt);
	completion_rc =
		wait_for_completion_interruptible_timeout(&ndev->req_completion,
							  timeout);

	pr_debug("wait_for_completion return %ld\n", completion_rc);

	if (completion_rc > 0) {
		switch (ndev->req_status) {
		case NCI_REQ_DONE:
			rc = nci_to_errno(ndev->req_result);
			break;

		case NCI_REQ_CANCELED:
			rc = -ndev->req_result;
			break;

		default:
			rc = -ETIMEDOUT;
			break;
		}
	} else {
		pr_err("wait_for_completion_interruptible_timeout failed %ld\n",
		       completion_rc);

		rc = ((completion_rc == 0) ? (-ETIMEDOUT) : (completion_rc));
	}

	ndev->req_status = ndev->req_result = 0;

	return rc;
}

inline int nci_request(struct nci_dev *ndev,
		       void (*req)(struct nci_dev *ndev,
				   const void *opt),
		       const void *opt, __u32 timeout)
{
	int rc;

	/* Serialize all requests */
	mutex_lock(&ndev->req_lock);
	/* check the state after obtaing the lock against any races
	 * from nci_close_device when the device gets removed.
	 */
	if (test_bit(NCI_UP, &ndev->flags))
		rc = __nci_request(ndev, req, opt, timeout);
	else
		rc = -ENETDOWN;
	mutex_unlock(&ndev->req_lock);

	return rc;
}

static void nci_reset_req(struct nci_dev *ndev, const void *opt)
{
	struct nci_core_reset_cmd cmd;

	cmd.reset_type = NCI_RESET_TYPE_RESET_CONFIG;
	nci_send_cmd(ndev, NCI_OP_CORE_RESET_CMD, 1, &cmd);
}

static void nci_init_req(struct nci_dev *ndev, const void *opt)
{
	u8 plen = 0;

	if (opt)
		plen = sizeof(struct nci_core_init_v2_cmd);

	nci_send_cmd(ndev, NCI_OP_CORE_INIT_CMD, plen, opt);
}

static void nci_init_complete_req(struct nci_dev *ndev, const void *opt)
{
	struct nci_rf_disc_map_cmd cmd;
	struct disc_map_config *cfg = cmd.mapping_configs;
	__u8 *num = &cmd.num_mapping_configs;
	int i;

	/* set rf mapping configurations */
	*num = 0;

	/* by default mapping is set to NCI_RF_INTERFACE_FRAME */
	for (i = 0; i < ndev->num_supported_rf_interfaces; i++) {
		if (ndev->supported_rf_interfaces[i] ==
		    NCI_RF_INTERFACE_ISO_DEP) {
			cfg[*num].rf_protocol = NCI_RF_PROTOCOL_ISO_DEP;
			cfg[*num].mode = NCI_DISC_MAP_MODE_POLL |
				NCI_DISC_MAP_MODE_LISTEN;
			cfg[*num].rf_interface = NCI_RF_INTERFACE_ISO_DEP;
			(*num)++;
		} else if (ndev->supported_rf_interfaces[i] ==
			   NCI_RF_INTERFACE_NFC_DEP) {
			cfg[*num].rf_protocol = NCI_RF_PROTOCOL_NFC_DEP;
			cfg[*num].mode = NCI_DISC_MAP_MODE_POLL |
				NCI_DISC_MAP_MODE_LISTEN;
			cfg[*num].rf_interface = NCI_RF_INTERFACE_NFC_DEP;
			(*num)++;
		}

		if (*num == NCI_MAX_NUM_MAPPING_CONFIGS)
			break;
	}

	nci_send_cmd(ndev, NCI_OP_RF_DISCOVER_MAP_CMD,
		     (1 + ((*num) * sizeof(struct disc_map_config))), &cmd);
}

struct nci_set_config_param {
	__u8		id;
	size_t		len;
	const __u8	*val;
};

static void nci_set_config_req(struct nci_dev *ndev, const void *opt)
{
	const struct nci_set_config_param *param = opt;
	struct nci_core_set_config_cmd cmd;

	BUG_ON(param->len > NCI_MAX_PARAM_LEN);

	cmd.num_params = 1;
	cmd.param.id = param->id;
	cmd.param.len = param->len;
	memcpy(cmd.param.val, param->val, param->len);

	nci_send_cmd(ndev, NCI_OP_CORE_SET_CONFIG_CMD, (3 + param->len), &cmd);
}

struct nci_rf_discover_param {
	__u32	im_protocols;
	__u32	tm_protocols;
};

static void nci_rf_discover_req(struct nci_dev *ndev, const void *opt)
{
	const struct nci_rf_discover_param *param = opt;
	struct nci_rf_disc_cmd cmd;

	cmd.num_disc_configs = 0;

	if ((cmd.num_disc_configs < NCI_MAX_NUM_RF_CONFIGS) &&
	    (param->im_protocols & NFC_PROTO_JEWEL_MASK ||
	     param->im_protocols & NFC_PROTO_MIFARE_MASK ||
	     param->im_protocols & NFC_PROTO_ISO14443_MASK ||
	     param->im_protocols & NFC_PROTO_NFC_DEP_MASK)) {
		cmd.disc_configs[cmd.num_disc_configs].rf_tech_and_mode =
			NCI_NFC_A_PASSIVE_POLL_MODE;
		cmd.disc_configs[cmd.num_disc_configs].frequency = 1;
		cmd.num_disc_configs++;
	}

	if ((cmd.num_disc_configs < NCI_MAX_NUM_RF_CONFIGS) &&
	    (param->im_protocols & NFC_PROTO_ISO14443_B_MASK)) {
		cmd.disc_configs[cmd.num_disc_configs].rf_tech_and_mode =
			NCI_NFC_B_PASSIVE_POLL_MODE;
		cmd.disc_configs[cmd.num_disc_configs].frequency = 1;
		cmd.num_disc_configs++;
	}

	if ((cmd.num_disc_configs < NCI_MAX_NUM_RF_CONFIGS) &&
	    (param->im_protocols & NFC_PROTO_FELICA_MASK ||
	     param->im_protocols & NFC_PROTO_NFC_DEP_MASK)) {
		cmd.disc_configs[cmd.num_disc_configs].rf_tech_and_mode =
			NCI_NFC_F_PASSIVE_POLL_MODE;
		cmd.disc_configs[cmd.num_disc_configs].frequency = 1;
		cmd.num_disc_configs++;
	}

	if ((cmd.num_disc_configs < NCI_MAX_NUM_RF_CONFIGS) &&
	    (param->im_protocols & NFC_PROTO_ISO15693_MASK)) {
		cmd.disc_configs[cmd.num_disc_configs].rf_tech_and_mode =
			NCI_NFC_V_PASSIVE_POLL_MODE;
		cmd.disc_configs[cmd.num_disc_configs].frequency = 1;
		cmd.num_disc_configs++;
	}

	if ((cmd.num_disc_configs < NCI_MAX_NUM_RF_CONFIGS - 1) &&
	    (param->tm_protocols & NFC_PROTO_NFC_DEP_MASK)) {
		cmd.disc_configs[cmd.num_disc_configs].rf_tech_and_mode =
			NCI_NFC_A_PASSIVE_LISTEN_MODE;
		cmd.disc_configs[cmd.num_disc_configs].frequency = 1;
		cmd.num_disc_configs++;
		cmd.disc_configs[cmd.num_disc_configs].rf_tech_and_mode =
			NCI_NFC_F_PASSIVE_LISTEN_MODE;
		cmd.disc_configs[cmd.num_disc_configs].frequency = 1;
		cmd.num_disc_configs++;
	}

	nci_send_cmd(ndev, NCI_OP_RF_DISCOVER_CMD,
		     (1 + (cmd.num_disc_configs * sizeof(struct disc_config))),
		     &cmd);
}

struct nci_rf_discover_select_param {
	__u8	rf_discovery_id;
	__u8	rf_protocol;
};

static void nci_rf_discover_select_req(struct nci_dev *ndev, const void *opt)
{
	const struct nci_rf_discover_select_param *param = opt;
	struct nci_rf_discover_select_cmd cmd;

	cmd.rf_discovery_id = param->rf_discovery_id;
	cmd.rf_protocol = param->rf_protocol;

	switch (cmd.rf_protocol) {
	case NCI_RF_PROTOCOL_ISO_DEP:
		cmd.rf_interface = NCI_RF_INTERFACE_ISO_DEP;
		break;

	case NCI_RF_PROTOCOL_NFC_DEP:
		cmd.rf_interface = NCI_RF_INTERFACE_NFC_DEP;
		break;

	default:
		cmd.rf_interface = NCI_RF_INTERFACE_FRAME;
		break;
	}

	nci_send_cmd(ndev, NCI_OP_RF_DISCOVER_SELECT_CMD,
		     sizeof(struct nci_rf_discover_select_cmd), &cmd);
}

static void nci_rf_deactivate_req(struct nci_dev *ndev, const void *opt)
{
	struct nci_rf_deactivate_cmd cmd;

	cmd.type = (unsigned long)opt;

	nci_send_cmd(ndev, NCI_OP_RF_DEACTIVATE_CMD,
		     sizeof(struct nci_rf_deactivate_cmd), &cmd);
}

struct nci_cmd_param {
	__u16 opcode;
	size_t len;
	const __u8 *payload;
};

static void nci_generic_req(struct nci_dev *ndev, const void *opt)
{
	const struct nci_cmd_param *param = opt;

	nci_send_cmd(ndev, param->opcode, param->len, param->payload);
}

int nci_prop_cmd(struct nci_dev *ndev, __u8 oid, size_t len, const __u8 *payload)
{
	struct nci_cmd_param param;

	param.opcode = nci_opcode_pack(NCI_GID_PROPRIETARY, oid);
	param.len = len;
	param.payload = payload;

	return __nci_request(ndev, nci_generic_req, &param,
			     msecs_to_jiffies(NCI_CMD_TIMEOUT));
}
EXPORT_SYMBOL(nci_prop_cmd);

int nci_core_cmd(struct nci_dev *ndev, __u16 opcode, size_t len,
		 const __u8 *payload)
{
	struct nci_cmd_param param;

	param.opcode = opcode;
	param.len = len;
	param.payload = payload;

	return __nci_request(ndev, nci_generic_req, &param,
			     msecs_to_jiffies(NCI_CMD_TIMEOUT));
}
EXPORT_SYMBOL(nci_core_cmd);

int nci_core_reset(struct nci_dev *ndev)
{
	return __nci_request(ndev, nci_reset_req, (void *)0,
			     msecs_to_jiffies(NCI_RESET_TIMEOUT));
}
EXPORT_SYMBOL(nci_core_reset);

int nci_core_init(struct nci_dev *ndev)
{
	return __nci_request(ndev, nci_init_req, (void *)0,
			     msecs_to_jiffies(NCI_INIT_TIMEOUT));
}
EXPORT_SYMBOL(nci_core_init);

struct nci_loopback_data {
	u8 conn_id;
	struct sk_buff *data;
};

static void nci_send_data_req(struct nci_dev *ndev, const void *opt)
{
	const struct nci_loopback_data *data = opt;

	nci_send_data(ndev, data->conn_id, data->data);
}

static void nci_nfcc_loopback_cb(void *context, struct sk_buff *skb, int err)
{
	struct nci_dev *ndev = (struct nci_dev *)context;
	struct nci_conn_info *conn_info;

	conn_info = nci_get_conn_info_by_conn_id(ndev, ndev->cur_conn_id);
	if (!conn_info) {
		nci_req_complete(ndev, NCI_STATUS_REJECTED);
		return;
	}

	conn_info->rx_skb = skb;

	nci_req_complete(ndev, NCI_STATUS_OK);
}

int nci_nfcc_loopback(struct nci_dev *ndev, const void *data, size_t data_len,
		      struct sk_buff **resp)
{
	int r;
	struct nci_loopback_data loopback_data;
	struct nci_conn_info *conn_info;
	struct sk_buff *skb;
	int conn_id = nci_get_conn_info_by_dest_type_params(ndev,
					NCI_DESTINATION_NFCC_LOOPBACK, NULL);

	if (conn_id < 0) {
		r = nci_core_conn_create(ndev, NCI_DESTINATION_NFCC_LOOPBACK,
					 0, 0, NULL);
		if (r != NCI_STATUS_OK)
			return r;

		conn_id = nci_get_conn_info_by_dest_type_params(ndev,
					NCI_DESTINATION_NFCC_LOOPBACK,
					NULL);
	}

	conn_info = nci_get_conn_info_by_conn_id(ndev, conn_id);
	if (!conn_info)
		return -EPROTO;

	/* store cb and context to be used on receiving data */
	conn_info->data_exchange_cb = nci_nfcc_loopback_cb;
	conn_info->data_exchange_cb_context = ndev;

	skb = nci_skb_alloc(ndev, NCI_DATA_HDR_SIZE + data_len, GFP_KERNEL);
	if (!skb)
		return -ENOMEM;

	skb_reserve(skb, NCI_DATA_HDR_SIZE);
	skb_put_data(skb, data, data_len);

	loopback_data.conn_id = conn_id;
	loopback_data.data = skb;

	ndev->cur_conn_id = conn_id;
	r = nci_request(ndev, nci_send_data_req, &loopback_data,
			msecs_to_jiffies(NCI_DATA_TIMEOUT));
	if (r == NCI_STATUS_OK && resp)
		*resp = conn_info->rx_skb;

	return r;
}
EXPORT_SYMBOL(nci_nfcc_loopback);

static int nci_open_device(struct nci_dev *ndev)
{
	int rc = 0;

	mutex_lock(&ndev->req_lock);

	if (test_bit(NCI_UNREG, &ndev->flags)) {
		rc = -ENODEV;
		goto done;
	}

	if (test_bit(NCI_UP, &ndev->flags)) {
		rc = -EALREADY;
		goto done;
	}

	if (ndev->ops->open(ndev)) {
		rc = -EIO;
		goto done;
	}

	atomic_set(&ndev->cmd_cnt, 1);

	set_bit(NCI_INIT, &ndev->flags);

	if (ndev->ops->init)
		rc = ndev->ops->init(ndev);

	if (!rc) {
		rc = __nci_request(ndev, nci_reset_req, (void *)0,
				   msecs_to_jiffies(NCI_RESET_TIMEOUT));
	}

	if (!rc && ndev->ops->setup) {
		rc = ndev->ops->setup(ndev);
	}

	if (!rc) {
		struct nci_core_init_v2_cmd nci_init_v2_cmd = {
			.feature1 = NCI_FEATURE_DISABLE,
			.feature2 = NCI_FEATURE_DISABLE
		};
		const void *opt = NULL;

		if (ndev->nci_ver & NCI_VER_2_MASK)
			opt = &nci_init_v2_cmd;

		rc = __nci_request(ndev, nci_init_req, opt,
				   msecs_to_jiffies(NCI_INIT_TIMEOUT));
	}

	if (!rc && ndev->ops->post_setup)
		rc = ndev->ops->post_setup(ndev);

	if (!rc) {
		rc = __nci_request(ndev, nci_init_complete_req, (void *)0,
				   msecs_to_jiffies(NCI_INIT_TIMEOUT));
	}

	clear_bit(NCI_INIT, &ndev->flags);

	if (!rc) {
		set_bit(NCI_UP, &ndev->flags);
		nci_clear_target_list(ndev);
		atomic_set(&ndev->state, NCI_IDLE);
	} else {
		/* Init failed, cleanup */
		skb_queue_purge(&ndev->cmd_q);
		skb_queue_purge(&ndev->rx_q);
		skb_queue_purge(&ndev->tx_q);

		ndev->ops->close(ndev);
		ndev->flags &= BIT(NCI_UNREG);
	}

done:
	mutex_unlock(&ndev->req_lock);
	return rc;
}

static int nci_close_device(struct nci_dev *ndev)
{
	nci_req_cancel(ndev, ENODEV);

	/* This mutex needs to be held as a barrier for
	 * caller nci_unregister_device
	 */
	mutex_lock(&ndev->req_lock);

	if (!test_and_clear_bit(NCI_UP, &ndev->flags)) {
		/* Need to flush the cmd wq in case
		 * there is a queued/running cmd_work
		 */
		flush_workqueue(ndev->cmd_wq);
		timer_delete_sync(&ndev->cmd_timer);
		timer_delete_sync(&ndev->data_timer);
		mutex_unlock(&ndev->req_lock);
		return 0;
	}

	/* Drop RX and TX queues */
	skb_queue_purge(&ndev->rx_q);
	skb_queue_purge(&ndev->tx_q);

	/* Flush RX and TX wq */
	flush_workqueue(ndev->rx_wq);
	flush_workqueue(ndev->tx_wq);

	/* Reset device */
	skb_queue_purge(&ndev->cmd_q);
	atomic_set(&ndev->cmd_cnt, 1);

	set_bit(NCI_INIT, &ndev->flags);
	__nci_request(ndev, nci_reset_req, (void *)0,
		      msecs_to_jiffies(NCI_RESET_TIMEOUT));

	/* After this point our queues are empty
	 * and no works are scheduled.
	 */
	ndev->ops->close(ndev);

	clear_bit(NCI_INIT, &ndev->flags);

	/* Flush cmd wq */
	flush_workqueue(ndev->cmd_wq);

	timer_delete_sync(&ndev->cmd_timer);

	/* Clear flags except NCI_UNREG */
	ndev->flags &= BIT(NCI_UNREG);

	mutex_unlock(&ndev->req_lock);

	return 0;
}

/* NCI command timer function */
static void nci_cmd_timer(struct timer_list *t)
{
	struct nci_dev *ndev = timer_container_of(ndev, t, cmd_timer);

	atomic_set(&ndev->cmd_cnt, 1);
	queue_work(ndev->cmd_wq, &ndev->cmd_work);
}

/* NCI data exchange timer function */
static void nci_data_timer(struct timer_list *t)
{
	struct nci_dev *ndev = timer_container_of(ndev, t, data_timer);

	set_bit(NCI_DATA_EXCHANGE_TO, &ndev->flags);
	queue_work(ndev->rx_wq, &ndev->rx_work);
}

static int nci_dev_up(struct nfc_dev *nfc_dev)
{
	struct nci_dev *ndev = nfc_get_drvdata(nfc_dev);

	return nci_open_device(ndev);
}

static int nci_dev_down(struct nfc_dev *nfc_dev)
{
	struct nci_dev *ndev = nfc_get_drvdata(nfc_dev);

	return nci_close_device(ndev);
}

int nci_set_config(struct nci_dev *ndev, __u8 id, size_t len, const __u8 *val)
{
	struct nci_set_config_param param;

	if (!val || !len)
		return 0;

	param.id = id;
	param.len = len;
	param.val = val;

	return __nci_request(ndev, nci_set_config_req, &param,
			     msecs_to_jiffies(NCI_SET_CONFIG_TIMEOUT));
}
EXPORT_SYMBOL(nci_set_config);

static void nci_nfcee_discover_req(struct nci_dev *ndev, const void *opt)
{
	struct nci_nfcee_discover_cmd cmd;
	__u8 action = (unsigned long)opt;

	cmd.discovery_action = action;

	nci_send_cmd(ndev, NCI_OP_NFCEE_DISCOVER_CMD, 1, &cmd);
}

int nci_nfcee_discover(struct nci_dev *ndev, u8 action)
{
	unsigned long opt = action;

	return __nci_request(ndev, nci_nfcee_discover_req, (void *)opt,
				msecs_to_jiffies(NCI_CMD_TIMEOUT));
}
EXPORT_SYMBOL(nci_nfcee_discover);

static void nci_nfcee_mode_set_req(struct nci_dev *ndev, const void *opt)
{
	const struct nci_nfcee_mode_set_cmd *cmd = opt;

	nci_send_cmd(ndev, NCI_OP_NFCEE_MODE_SET_CMD,
		     sizeof(struct nci_nfcee_mode_set_cmd), cmd);
}

int nci_nfcee_mode_set(struct nci_dev *ndev, u8 nfcee_id, u8 nfcee_mode)
{
	struct nci_nfcee_mode_set_cmd cmd;

	cmd.nfcee_id = nfcee_id;
	cmd.nfcee_mode = nfcee_mode;

	return __nci_request(ndev, nci_nfcee_mode_set_req, &cmd,
			     msecs_to_jiffies(NCI_CMD_TIMEOUT));
}
EXPORT_SYMBOL(nci_nfcee_mode_set);

static void nci_core_conn_create_req(struct nci_dev *ndev, const void *opt)
{
	const struct core_conn_create_data *data = opt;

	nci_send_cmd(ndev, NCI_OP_CORE_CONN_CREATE_CMD, data->length, data->cmd);
}

int nci_core_conn_create(struct nci_dev *ndev, u8 destination_type,
			 u8 number_destination_params,
			 size_t params_len,
			 const struct core_conn_create_dest_spec_params *params)
{
	int r;
	struct nci_core_conn_create_cmd *cmd;
	struct core_conn_create_data data;

	data.length = params_len + sizeof(struct nci_core_conn_create_cmd);
	cmd = kzalloc(data.length, GFP_KERNEL);
	if (!cmd)
		return -ENOMEM;

	cmd->destination_type = destination_type;
	cmd->number_destination_params = number_destination_params;

	data.cmd = cmd;

	if (params) {
		memcpy(cmd->params, params, params_len);
		if (params->length > 0)
			memcpy(&ndev->cur_params,
			       &params->value[DEST_SPEC_PARAMS_ID_INDEX],
			       sizeof(struct dest_spec_params));
		else
			ndev->cur_params.id = 0;
	} else {
		ndev->cur_params.id = 0;
	}
	ndev->cur_dest_type = destination_type;

	r = __nci_request(ndev, nci_core_conn_create_req, &data,
			  msecs_to_jiffies(NCI_CMD_TIMEOUT));
	kfree(cmd);
	return r;
}
EXPORT_SYMBOL(nci_core_conn_create);

static void nci_core_conn_close_req(struct nci_dev *ndev, const void *opt)
{
	__u8 conn_id = (unsigned long)opt;

	nci_send_cmd(ndev, NCI_OP_CORE_CONN_CLOSE_CMD, 1, &conn_id);
}

int nci_core_conn_close(struct nci_dev *ndev, u8 conn_id)
{
	unsigned long opt = conn_id;

	ndev->cur_conn_id = conn_id;
	return __nci_request(ndev, nci_core_conn_close_req, (void *)opt,
			     msecs_to_jiffies(NCI_CMD_TIMEOUT));
}
EXPORT_SYMBOL(nci_core_conn_close);

static void nci_set_target_ats(struct nfc_target *target, struct nci_dev *ndev)
{
	if (ndev->target_ats_len > 0) {
		target->ats_len = ndev->target_ats_len;
		memcpy(target->ats, ndev->target_ats, target->ats_len);
	}
}

static int nci_set_local_general_bytes(struct nfc_dev *nfc_dev)
{
	struct nci_dev *ndev = nfc_get_drvdata(nfc_dev);
	struct nci_set_config_param param;
	int rc;

	param.val = nfc_get_local_general_bytes(nfc_dev, &param.len);
	if ((param.val == NULL) || (param.len == 0))
		return 0;

	if (param.len > NFC_MAX_GT_LEN)
		return -EINVAL;

	param.id = NCI_PN_ATR_REQ_GEN_BYTES;

	rc = nci_request(ndev, nci_set_config_req, &param,
			 msecs_to_jiffies(NCI_SET_CONFIG_TIMEOUT));
	if (rc)
		return rc;

	param.id = NCI_LN_ATR_RES_GEN_BYTES;

	return nci_request(ndev, nci_set_config_req, &param,
			   msecs_to_jiffies(NCI_SET_CONFIG_TIMEOUT));
}

static int nci_set_listen_parameters(struct nfc_dev *nfc_dev)
{
	struct nci_dev *ndev = nfc_get_drvdata(nfc_dev);
	int rc;
	__u8 val;

	val = NCI_LA_SEL_INFO_NFC_DEP_MASK;

	rc = nci_set_config(ndev, NCI_LA_SEL_INFO, 1, &val);
	if (rc)
		return rc;

	val = NCI_LF_PROTOCOL_TYPE_NFC_DEP_MASK;

	rc = nci_set_config(ndev, NCI_LF_PROTOCOL_TYPE, 1, &val);
	if (rc)
		return rc;

	val = NCI_LF_CON_BITR_F_212 | NCI_LF_CON_BITR_F_424;

	return nci_set_config(ndev, NCI_LF_CON_BITR_F, 1, &val);
}

static int nci_start_poll(struct nfc_dev *nfc_dev,
			  __u32 im_protocols, __u32 tm_protocols)
{
	struct nci_dev *ndev = nfc_get_drvdata(nfc_dev);
	struct nci_rf_discover_param param;
	int rc;

	if ((atomic_read(&ndev->state) == NCI_DISCOVERY) ||
	    (atomic_read(&ndev->state) == NCI_W4_ALL_DISCOVERIES)) {
		pr_err("unable to start poll, since poll is already active\n");
		return -EBUSY;
	}

	if (ndev->target_active_prot) {
		pr_err("there is an active target\n");
		return -EBUSY;
	}

	if ((atomic_read(&ndev->state) == NCI_W4_HOST_SELECT) ||
	    (atomic_read(&ndev->state) == NCI_POLL_ACTIVE)) {
		pr_debug("target active or w4 select, implicitly deactivate\n");

		rc = nci_request(ndev, nci_rf_deactivate_req,
				 (void *)NCI_DEACTIVATE_TYPE_IDLE_MODE,
				 msecs_to_jiffies(NCI_RF_DEACTIVATE_TIMEOUT));
		if (rc)
			return -EBUSY;
	}

	if ((im_protocols | tm_protocols) & NFC_PROTO_NFC_DEP_MASK) {
		rc = nci_set_local_general_bytes(nfc_dev);
		if (rc) {
			pr_err("failed to set local general bytes\n");
			return rc;
		}
	}

	if (tm_protocols & NFC_PROTO_NFC_DEP_MASK) {
		rc = nci_set_listen_parameters(nfc_dev);
		if (rc)
			pr_err("failed to set listen parameters\n");
	}

	param.im_protocols = im_protocols;
	param.tm_protocols = tm_protocols;
	rc = nci_request(ndev, nci_rf_discover_req, &param,
			 msecs_to_jiffies(NCI_RF_DISC_TIMEOUT));

	if (!rc)
		ndev->poll_prots = im_protocols;

	return rc;
}

static void nci_stop_poll(struct nfc_dev *nfc_dev)
{
	struct nci_dev *ndev = nfc_get_drvdata(nfc_dev);

	if ((atomic_read(&ndev->state) != NCI_DISCOVERY) &&
	    (atomic_read(&ndev->state) != NCI_W4_ALL_DISCOVERIES)) {
		pr_err("unable to stop poll, since poll is not active\n");
		return;
	}

	nci_request(ndev, nci_rf_deactivate_req,
		    (void *)NCI_DEACTIVATE_TYPE_IDLE_MODE,
		    msecs_to_jiffies(NCI_RF_DEACTIVATE_TIMEOUT));
}

static int nci_activate_target(struct nfc_dev *nfc_dev,
			       struct nfc_target *target, __u32 protocol)
{
	struct nci_dev *ndev = nfc_get_drvdata(nfc_dev);
	struct nci_rf_discover_select_param param;
	const struct nfc_target *nci_target = NULL;
	int i;
	int rc = 0;

	pr_debug("target_idx %d, protocol 0x%x\n", target->idx, protocol);

	if ((atomic_read(&ndev->state) != NCI_W4_HOST_SELECT) &&
	    (atomic_read(&ndev->state) != NCI_POLL_ACTIVE)) {
		pr_err("there is no available target to activate\n");
		return -EINVAL;
	}

	if (ndev->target_active_prot) {
		pr_err("there is already an active target\n");
		return -EBUSY;
	}

	for (i = 0; i < ndev->n_targets; i++) {
		if (ndev->targets[i].idx == target->idx) {
			nci_target = &ndev->targets[i];
			break;
		}
	}

	if (!nci_target) {
		pr_err("unable to find the selected target\n");
		return -EINVAL;
	}

	if (protocol >= NFC_PROTO_MAX) {
		pr_err("the requested nfc protocol is invalid\n");
		return -EINVAL;
	}

	if (!(nci_target->supported_protocols & (1 << protocol))) {
		pr_err("target does not support the requested protocol 0x%x\n",
		       protocol);
		return -EINVAL;
	}

	if (atomic_read(&ndev->state) == NCI_W4_HOST_SELECT) {
		param.rf_discovery_id = nci_target->logical_idx;

		if (protocol == NFC_PROTO_JEWEL)
			param.rf_protocol = NCI_RF_PROTOCOL_T1T;
		else if (protocol == NFC_PROTO_MIFARE)
			param.rf_protocol = NCI_RF_PROTOCOL_T2T;
		else if (protocol == NFC_PROTO_FELICA)
			param.rf_protocol = NCI_RF_PROTOCOL_T3T;
		else if (protocol == NFC_PROTO_ISO14443 ||
			 protocol == NFC_PROTO_ISO14443_B)
			param.rf_protocol = NCI_RF_PROTOCOL_ISO_DEP;
		else
			param.rf_protocol = NCI_RF_PROTOCOL_NFC_DEP;

		rc = nci_request(ndev, nci_rf_discover_select_req, &param,
				 msecs_to_jiffies(NCI_RF_DISC_SELECT_TIMEOUT));
	}

	if (!rc) {
		ndev->target_active_prot = protocol;
		if (protocol == NFC_PROTO_ISO14443)
			nci_set_target_ats(target, ndev);
	}

	return rc;
}

static void nci_deactivate_target(struct nfc_dev *nfc_dev,
				  struct nfc_target *target,
				  __u8 mode)
{
	struct nci_dev *ndev = nfc_get_drvdata(nfc_dev);
	unsigned long nci_mode = NCI_DEACTIVATE_TYPE_IDLE_MODE;

	if (!ndev->target_active_prot) {
		pr_err("unable to deactivate target, no active target\n");
		return;
	}

	ndev->target_active_prot = 0;

	switch (mode) {
	case NFC_TARGET_MODE_SLEEP:
		nci_mode = NCI_DEACTIVATE_TYPE_SLEEP_MODE;
		break;
	}

	if (atomic_read(&ndev->state) == NCI_POLL_ACTIVE) {
		nci_request(ndev, nci_rf_deactivate_req, (void *)nci_mode,
			    msecs_to_jiffies(NCI_RF_DEACTIVATE_TIMEOUT));
	}
}

static int nci_dep_link_up(struct nfc_dev *nfc_dev, struct nfc_target *target,
			   __u8 comm_mode, __u8 *gb, size_t gb_len)
{
	struct nci_dev *ndev = nfc_get_drvdata(nfc_dev);
	int rc;

	pr_debug("target_idx %d, comm_mode %d\n", target->idx, comm_mode);

	rc = nci_activate_target(nfc_dev, target, NFC_PROTO_NFC_DEP);
	if (rc)
		return rc;

	rc = nfc_set_remote_general_bytes(nfc_dev, ndev->remote_gb,
					  ndev->remote_gb_len);
	if (!rc)
		rc = nfc_dep_link_is_up(nfc_dev, target->idx, NFC_COMM_PASSIVE,
					NFC_RF_INITIATOR);

	return rc;
}

static int nci_dep_link_down(struct nfc_dev *nfc_dev)
{
	struct nci_dev *ndev = nfc_get_drvdata(nfc_dev);
	int rc;

	if (nfc_dev->rf_mode == NFC_RF_INITIATOR) {
		nci_deactivate_target(nfc_dev, NULL, NCI_DEACTIVATE_TYPE_IDLE_MODE);
	} else {
		if (atomic_read(&ndev->state) == NCI_LISTEN_ACTIVE ||
		    atomic_read(&ndev->state) == NCI_DISCOVERY) {
			nci_request(ndev, nci_rf_deactivate_req, (void *)0,
				    msecs_to_jiffies(NCI_RF_DEACTIVATE_TIMEOUT));
		}

		rc = nfc_tm_deactivated(nfc_dev);
		if (rc)
			pr_err("error when signaling tm deactivation\n");
	}

	return 0;
}


static int nci_transceive(struct nfc_dev *nfc_dev, struct nfc_target *target,
			  struct sk_buff *skb,
			  data_exchange_cb_t cb, void *cb_context)
{
	struct nci_dev *ndev = nfc_get_drvdata(nfc_dev);
	int rc;
	struct nci_conn_info *conn_info;

	conn_info = ndev->rf_conn_info;
	if (!conn_info)
		return -EPROTO;

	pr_debug("target_idx %d, len %d\n", target->idx, skb->len);

	if (!ndev->target_active_prot) {
		pr_err("unable to exchange data, no active target\n");
		return -EINVAL;
	}

	if (test_and_set_bit(NCI_DATA_EXCHANGE, &ndev->flags))
		return -EBUSY;

	/* store cb and context to be used on receiving data */
	conn_info->data_exchange_cb = cb;
	conn_info->data_exchange_cb_context = cb_context;

	rc = nci_send_data(ndev, NCI_STATIC_RF_CONN_ID, skb);
	if (rc)
		clear_bit(NCI_DATA_EXCHANGE, &ndev->flags);

	return rc;
}

static int nci_tm_send(struct nfc_dev *nfc_dev, struct sk_buff *skb)
{
	struct nci_dev *ndev = nfc_get_drvdata(nfc_dev);
	int rc;

	rc = nci_send_data(ndev, NCI_STATIC_RF_CONN_ID, skb);
	if (rc)
		pr_err("unable to send data\n");

	return rc;
}

static int nci_enable_se(struct nfc_dev *nfc_dev, u32 se_idx)
{
	struct nci_dev *ndev = nfc_get_drvdata(nfc_dev);

	if (ndev->ops->enable_se)
		return ndev->ops->enable_se(ndev, se_idx);

	return 0;
}

static int nci_disable_se(struct nfc_dev *nfc_dev, u32 se_idx)
{
	struct nci_dev *ndev = nfc_get_drvdata(nfc_dev);

	if (ndev->ops->disable_se)
		return ndev->ops->disable_se(ndev, se_idx);

	return 0;
}

static int nci_discover_se(struct nfc_dev *nfc_dev)
{
	int r;
	struct nci_dev *ndev = nfc_get_drvdata(nfc_dev);

	if (ndev->ops->discover_se) {
		r = nci_nfcee_discover(ndev, NCI_NFCEE_DISCOVERY_ACTION_ENABLE);
		if (r != NCI_STATUS_OK)
			return -EPROTO;

		return ndev->ops->discover_se(ndev);
	}

	return 0;
}

static int nci_se_io(struct nfc_dev *nfc_dev, u32 se_idx,
		     u8 *apdu, size_t apdu_length,
		     se_io_cb_t cb, void *cb_context)
{
	struct nci_dev *ndev = nfc_get_drvdata(nfc_dev);

	if (ndev->ops->se_io)
		return ndev->ops->se_io(ndev, se_idx, apdu,
				apdu_length, cb, cb_context);

	return 0;
}

static int nci_fw_download(struct nfc_dev *nfc_dev, const char *firmware_name)
{
	struct nci_dev *ndev = nfc_get_drvdata(nfc_dev);

	if (!ndev->ops->fw_download)
		return -ENOTSUPP;

	return ndev->ops->fw_download(ndev, firmware_name);
}

static const struct nfc_ops nci_nfc_ops = {
	.dev_up = nci_dev_up,
	.dev_down = nci_dev_down,
	.start_poll = nci_start_poll,
	.stop_poll = nci_stop_poll,
	.dep_link_up = nci_dep_link_up,
	.dep_link_down = nci_dep_link_down,
	.activate_target = nci_activate_target,
	.deactivate_target = nci_deactivate_target,
	.im_transceive = nci_transceive,
	.tm_send = nci_tm_send,
	.enable_se = nci_enable_se,
	.disable_se = nci_disable_se,
	.discover_se = nci_discover_se,
	.se_io = nci_se_io,
	.fw_download = nci_fw_download,
};

/* ---- Interface to NCI drivers ---- */
/**
 * nci_allocate_device - allocate a new nci device
 *
 * @ops: device operations
 * @supported_protocols: NFC protocols supported by the device
 * @tx_headroom: Reserved space at beginning of skb
 * @tx_tailroom: Reserved space at end of skb
 */
struct nci_dev *nci_allocate_device(const struct nci_ops *ops,
				    __u32 supported_protocols,
				    int tx_headroom, int tx_tailroom)
{
	struct nci_dev *ndev;

	pr_debug("supported_protocols 0x%x\n", supported_protocols);

	if (!ops->open || !ops->close || !ops->send)
		return NULL;

	if (!supported_protocols)
		return NULL;

	ndev = kzalloc(sizeof(struct nci_dev), GFP_KERNEL);
	if (!ndev)
		return NULL;

	ndev->ops = ops;

	if (ops->n_prop_ops > NCI_MAX_PROPRIETARY_CMD) {
		pr_err("Too many proprietary commands: %zd\n",
		       ops->n_prop_ops);
		goto free_nci;
	}

	ndev->tx_headroom = tx_headroom;
	ndev->tx_tailroom = tx_tailroom;
	init_completion(&ndev->req_completion);

	ndev->nfc_dev = nfc_allocate_device(&nci_nfc_ops,
					    supported_protocols,
					    tx_headroom + NCI_DATA_HDR_SIZE,
					    tx_tailroom);
	if (!ndev->nfc_dev)
		goto free_nci;

	ndev->hci_dev = nci_hci_allocate(ndev);
	if (!ndev->hci_dev)
		goto free_nfc;

	nfc_set_drvdata(ndev->nfc_dev, ndev);

	return ndev;

free_nfc:
	nfc_free_device(ndev->nfc_dev);
free_nci:
	kfree(ndev);
	return NULL;
}
EXPORT_SYMBOL(nci_allocate_device);

/**
 * nci_free_device - deallocate nci device
 *
 * @ndev: The nci device to deallocate
 */
void nci_free_device(struct nci_dev *ndev)
{
	nfc_free_device(ndev->nfc_dev);
	nci_hci_deallocate(ndev);

	/* drop partial rx data packet if present */
	if (ndev->rx_data_reassembly)
		kfree_skb(ndev->rx_data_reassembly);
	kfree(ndev);
}
EXPORT_SYMBOL(nci_free_device);

/**
 * nci_register_device - register a nci device in the nfc subsystem
 *
 * @ndev: The nci device to register
 */
int nci_register_device(struct nci_dev *ndev)
{
	int rc;
	struct device *dev = &ndev->nfc_dev->dev;
	char name[32];

	ndev->flags = 0;

	INIT_WORK(&ndev->cmd_work, nci_cmd_work);
	snprintf(name, sizeof(name), "%s_nci_cmd_wq", dev_name(dev));
	ndev->cmd_wq = create_singlethread_workqueue(name);
	if (!ndev->cmd_wq) {
		rc = -ENOMEM;
		goto exit;
	}

	INIT_WORK(&ndev->rx_work, nci_rx_work);
	snprintf(name, sizeof(name), "%s_nci_rx_wq", dev_name(dev));
	ndev->rx_wq = create_singlethread_workqueue(name);
	if (!ndev->rx_wq) {
		rc = -ENOMEM;
		goto destroy_cmd_wq_exit;
	}

	INIT_WORK(&ndev->tx_work, nci_tx_work);
	snprintf(name, sizeof(name), "%s_nci_tx_wq", dev_name(dev));
	ndev->tx_wq = create_singlethread_workqueue(name);
	if (!ndev->tx_wq) {
		rc = -ENOMEM;
		goto destroy_rx_wq_exit;
	}

	skb_queue_head_init(&ndev->cmd_q);
	skb_queue_head_init(&ndev->rx_q);
	skb_queue_head_init(&ndev->tx_q);

	timer_setup(&ndev->cmd_timer, nci_cmd_timer, 0);
	timer_setup(&ndev->data_timer, nci_data_timer, 0);

	mutex_init(&ndev->req_lock);
	INIT_LIST_HEAD(&ndev->conn_info_list);

	rc = nfc_register_device(ndev->nfc_dev);
	if (rc)
		goto destroy_tx_wq_exit;

	goto exit;

destroy_tx_wq_exit:
	destroy_workqueue(ndev->tx_wq);

destroy_rx_wq_exit:
	destroy_workqueue(ndev->rx_wq);

destroy_cmd_wq_exit:
	destroy_workqueue(ndev->cmd_wq);

exit:
	return rc;
}
EXPORT_SYMBOL(nci_register_device);

/**
 * nci_unregister_device - unregister a nci device in the nfc subsystem
 *
 * @ndev: The nci device to unregister
 */
void nci_unregister_device(struct nci_dev *ndev)
{
	struct nci_conn_info *conn_info, *n;

	/* This set_bit is not protected with specialized barrier,
	 * However, it is fine because the mutex_lock(&ndev->req_lock);
	 * in nci_close_device() will help to emit one.
	 */
	set_bit(NCI_UNREG, &ndev->flags);

	nci_close_device(ndev);

	destroy_workqueue(ndev->cmd_wq);
	destroy_workqueue(ndev->rx_wq);
	destroy_workqueue(ndev->tx_wq);

	list_for_each_entry_safe(conn_info, n, &ndev->conn_info_list, list) {
		list_del(&conn_info->list);
		/* conn_info is allocated with devm_kzalloc */
	}

	nfc_unregister_device(ndev->nfc_dev);
}
EXPORT_SYMBOL(nci_unregister_device);

/**
 * nci_recv_frame - receive frame from NCI drivers
 *
 * @ndev: The nci device
 * @skb: The sk_buff to receive
 */
int nci_recv_frame(struct nci_dev *ndev, struct sk_buff *skb)
{
	pr_debug("len %d\n", skb->len);

	if (!ndev || (!test_bit(NCI_UP, &ndev->flags) &&
	    !test_bit(NCI_INIT, &ndev->flags))) {
		kfree_skb(skb);
		return -ENXIO;
	}

	/* Queue frame for rx worker thread */
	skb_queue_tail(&ndev->rx_q, skb);
	queue_work(ndev->rx_wq, &ndev->rx_work);

	return 0;
}
EXPORT_SYMBOL(nci_recv_frame);

int nci_send_frame(struct nci_dev *ndev, struct sk_buff *skb)
{
	pr_debug("len %d\n", skb->len);

	if (!ndev) {
		kfree_skb(skb);
		return -ENODEV;
	}

	/* Get rid of skb owner, prior to sending to the driver. */
	skb_orphan(skb);

	/* Send copy to sniffer */
	nfc_send_to_raw_sock(ndev->nfc_dev, skb,
			     RAW_PAYLOAD_NCI, NFC_DIRECTION_TX);

	return ndev->ops->send(ndev, skb);
}
EXPORT_SYMBOL(nci_send_frame);

/* Send NCI command */
int nci_send_cmd(struct nci_dev *ndev, __u16 opcode, __u8 plen, const void *payload)
{
	struct nci_ctrl_hdr *hdr;
	struct sk_buff *skb;

	pr_debug("opcode 0x%x, plen %d\n", opcode, plen);

	skb = nci_skb_alloc(ndev, (NCI_CTRL_HDR_SIZE + plen), GFP_KERNEL);
	if (!skb) {
		pr_err("no memory for command\n");
		return -ENOMEM;
	}

	hdr = skb_put(skb, NCI_CTRL_HDR_SIZE);
	hdr->gid = nci_opcode_gid(opcode);
	hdr->oid = nci_opcode_oid(opcode);
	hdr->plen = plen;

	nci_mt_set((__u8 *)hdr, NCI_MT_CMD_PKT);
	nci_pbf_set((__u8 *)hdr, NCI_PBF_LAST);

	if (plen)
		skb_put_data(skb, payload, plen);

	skb_queue_tail(&ndev->cmd_q, skb);
	queue_work(ndev->cmd_wq, &ndev->cmd_work);

	return 0;
}
EXPORT_SYMBOL(nci_send_cmd);

/* Proprietary commands API */
static const struct nci_driver_ops *ops_cmd_lookup(const struct nci_driver_ops *ops,
						   size_t n_ops,
						   __u16 opcode)
{
	size_t i;
	const struct nci_driver_ops *op;

	if (!ops || !n_ops)
		return NULL;

	for (i = 0; i < n_ops; i++) {
		op = &ops[i];
		if (op->opcode == opcode)
			return op;
	}

	return NULL;
}

static int nci_op_rsp_packet(struct nci_dev *ndev, __u16 rsp_opcode,
			     struct sk_buff *skb, const struct nci_driver_ops *ops,
			     size_t n_ops)
{
	const struct nci_driver_ops *op;

	op = ops_cmd_lookup(ops, n_ops, rsp_opcode);
	if (!op || !op->rsp)
		return -ENOTSUPP;

	return op->rsp(ndev, skb);
}

static int nci_op_ntf_packet(struct nci_dev *ndev, __u16 ntf_opcode,
			     struct sk_buff *skb, const struct nci_driver_ops *ops,
			     size_t n_ops)
{
	const struct nci_driver_ops *op;

	op = ops_cmd_lookup(ops, n_ops, ntf_opcode);
	if (!op || !op->ntf)
		return -ENOTSUPP;

	return op->ntf(ndev, skb);
}

int nci_prop_rsp_packet(struct nci_dev *ndev, __u16 opcode,
			struct sk_buff *skb)
{
	return nci_op_rsp_packet(ndev, opcode, skb, ndev->ops->prop_ops,
				 ndev->ops->n_prop_ops);
}

int nci_prop_ntf_packet(struct nci_dev *ndev, __u16 opcode,
			struct sk_buff *skb)
{
	return nci_op_ntf_packet(ndev, opcode, skb, ndev->ops->prop_ops,
				 ndev->ops->n_prop_ops);
}

int nci_core_rsp_packet(struct nci_dev *ndev, __u16 opcode,
			struct sk_buff *skb)
{
	return nci_op_rsp_packet(ndev, opcode, skb, ndev->ops->core_ops,
				  ndev->ops->n_core_ops);
}

int nci_core_ntf_packet(struct nci_dev *ndev, __u16 opcode,
			struct sk_buff *skb)
{
	return nci_op_ntf_packet(ndev, opcode, skb, ndev->ops->core_ops,
				 ndev->ops->n_core_ops);
}

static bool nci_valid_size(struct sk_buff *skb)
{
	BUILD_BUG_ON(NCI_CTRL_HDR_SIZE != NCI_DATA_HDR_SIZE);
	unsigned int hdr_size = NCI_CTRL_HDR_SIZE;

	if (skb->len < hdr_size ||
	    !nci_plen(skb->data) ||
	    skb->len < hdr_size + nci_plen(skb->data)) {
		return false;
	}
	return true;
}

/* ---- NCI TX Data worker thread ---- */

static void nci_tx_work(struct work_struct *work)
{
	struct nci_dev *ndev = container_of(work, struct nci_dev, tx_work);
	struct nci_conn_info *conn_info;
	struct sk_buff *skb;

	conn_info = nci_get_conn_info_by_conn_id(ndev, ndev->cur_conn_id);
	if (!conn_info)
		return;

	pr_debug("credits_cnt %d\n", atomic_read(&conn_info->credits_cnt));

	/* Send queued tx data */
	while (atomic_read(&conn_info->credits_cnt)) {
		skb = skb_dequeue(&ndev->tx_q);
		if (!skb)
			return;
		kcov_remote_start_common(skb_get_kcov_handle(skb));

		/* Check if data flow control is used */
		if (atomic_read(&conn_info->credits_cnt) !=
		    NCI_DATA_FLOW_CONTROL_NOT_USED)
			atomic_dec(&conn_info->credits_cnt);

		pr_debug("NCI TX: MT=data, PBF=%d, conn_id=%d, plen=%d\n",
			 nci_pbf(skb->data),
			 nci_conn_id(skb->data),
			 nci_plen(skb->data));

		nci_send_frame(ndev, skb);

		mod_timer(&ndev->data_timer,
			  jiffies + msecs_to_jiffies(NCI_DATA_TIMEOUT));
		kcov_remote_stop();
	}
}

/* ----- NCI RX worker thread (data & control) ----- */

static void nci_rx_work(struct work_struct *work)
{
	struct nci_dev *ndev = container_of(work, struct nci_dev, rx_work);
	struct sk_buff *skb;

	for (; (skb = skb_dequeue(&ndev->rx_q)); kcov_remote_stop()) {
		kcov_remote_start_common(skb_get_kcov_handle(skb));

		/* Send copy to sniffer */
		nfc_send_to_raw_sock(ndev->nfc_dev, skb,
				     RAW_PAYLOAD_NCI, NFC_DIRECTION_RX);

		if (!nci_valid_size(skb)) {
			kfree_skb(skb);
			continue;
		}

		/* Process frame */
		switch (nci_mt(skb->data)) {
		case NCI_MT_RSP_PKT:
			nci_rsp_packet(ndev, skb);
			break;

		case NCI_MT_NTF_PKT:
			nci_ntf_packet(ndev, skb);
			break;

		case NCI_MT_DATA_PKT:
			nci_rx_data_packet(ndev, skb);
			break;

		default:
			pr_err("unknown MT 0x%x\n", nci_mt(skb->data));
			kfree_skb(skb);
			break;
		}
	}

	/* check if a data exchange timeout has occurred */
	if (test_bit(NCI_DATA_EXCHANGE_TO, &ndev->flags)) {
		/* complete the data exchange transaction, if exists */
		if (test_bit(NCI_DATA_EXCHANGE, &ndev->flags))
			nci_data_exchange_complete(ndev, NULL,
						   ndev->cur_conn_id,
						   -ETIMEDOUT);

		clear_bit(NCI_DATA_EXCHANGE_TO, &ndev->flags);
	}
}

/* ----- NCI TX CMD worker thread ----- */

static void nci_cmd_work(struct work_struct *work)
{
	struct nci_dev *ndev = container_of(work, struct nci_dev, cmd_work);
	struct sk_buff *skb;

	pr_debug("cmd_cnt %d\n", atomic_read(&ndev->cmd_cnt));

	/* Send queued command */
	if (atomic_read(&ndev->cmd_cnt)) {
		skb = skb_dequeue(&ndev->cmd_q);
		if (!skb)
			return;

		kcov_remote_start_common(skb_get_kcov_handle(skb));
		atomic_dec(&ndev->cmd_cnt);

		pr_debug("NCI TX: MT=cmd, PBF=%d, GID=0x%x, OID=0x%x, plen=%d\n",
			 nci_pbf(skb->data),
			 nci_opcode_gid(nci_opcode(skb->data)),
			 nci_opcode_oid(nci_opcode(skb->data)),
			 nci_plen(skb->data));

		nci_send_frame(ndev, skb);

		mod_timer(&ndev->cmd_timer,
			  jiffies + msecs_to_jiffies(NCI_CMD_TIMEOUT));
		kcov_remote_stop();
	}
}

MODULE_DESCRIPTION("NFC Controller Interface");
MODULE_LICENSE("GPL");
]

gemini-3-flash-preview

							input: 21869
							output: 22
							thoughts: 839
						

**Analyzing the Race Condition on `ndev->req_status`**

Okay, so the trace is clearly highlighting a race condition on `ndev->req_status`. My initial thought is to dive into the code and see exactly where this variable is accessed and how it's being used to manage request states. I'm focusing on `__nci_request` and `nci_req_complete`.

First, I'm noting the line numbers reported. The trace references line 136 in `__nci_request`, which is declared inline in `net/nfc/nci/core.c`, but my local copy has line 136 as `long completion_rc;` and line 138 as `ndev->req_status = NCI_REQ_PEND;`. This is a slight discrepancy that I'll need to account for, likely a minor kernel version difference, I'll need to keep this in mind when relating the trace to my local code.

I'm now looking at `nci_req_complete` where the trace reports a read on line 80, which is `ndev->req_result = result;`. However, the read that the trace indicates should be on line 79: `if (ndev->req_status == NCI_REQ_PEND) {`.

The key here is understanding what constitutes the "read" and "write" operations in terms of the trace output. The trace says it's writing to the memory address `0xffff88811bfb69a0` with the write from task 6091 and reading from task 2331. If `ndev->req_status` resides at that specific memory address, I'm able to identify that the write is from `__nci_request` to `ndev->req_status = NCI_REQ_PEND;` and the read is from `nci_req_complete` within the `if (ndev->req_status == NCI_REQ_PEND)` conditional.

Now, I'm going to carefully examine the `nci_dev` struct definition. I need to understand how `req_status` and the other related fields within `nci_dev` are laid out in memory to confirm these assumptions and how the memory addresses provided relate to specific variables within the struct. This will help confirm that this indeed is the race, and how to verify if there are any other possible accesses within the code.

map[Name:nci_dev]

map[Fields:[map[Name:nfc_dev OffsetBits:0 SizeBits:64] map[Name:ops OffsetBits:64 SizeBits:64] map[Name:hci_dev OffsetBits:128 SizeBits:64] map[Name:tx_headroom OffsetBits:192 SizeBits:32] map[Name:tx_tailroom OffsetBits:224 SizeBits:32] map[Name:state OffsetBits:256 SizeBits:32] map[Name:flags OffsetBits:320 SizeBits:64] map[Name:cmd_cnt OffsetBits:384 SizeBits:32] map[Name:cur_conn_id OffsetBits:416 SizeBits:8] map[Name:conn_info_list OffsetBits:448 SizeBits:128] map[Name:rf_conn_info OffsetBits:576 SizeBits:64] map[Name:cmd_timer OffsetBits:640 SizeBits:320] map[Name:data_timer OffsetBits:960 SizeBits:320] map[Name:cmd_wq OffsetBits:1280 SizeBits:64] map[Name:cmd_work OffsetBits:1344 SizeBits:256] map[Name:rx_wq OffsetBits:1600 SizeBits:64] map[Name:rx_work OffsetBits:1664 SizeBits:256] map[Name:tx_wq OffsetBits:1920 SizeBits:64] map[Name:tx_work OffsetBits:1984 SizeBits:256] map[Name:cmd_q OffsetBits:2240 SizeBits:192] map[Name:rx_q OffsetBits:2432 SizeBits:192] map[Name:tx_q OffsetBits:2624 SizeBits:192] map[Name:req_lock OffsetBits:2816 SizeBits:256] map[Name:req_completion OffsetBits:3072 SizeBits:256] map[Name:req_status OffsetBits:3328 SizeBits:32] map[Name:req_result OffsetBits:3360 SizeBits:32] map[Name:driver_data OffsetBits:3392 SizeBits:64] map[Name:poll_prots OffsetBits:3456 SizeBits:32] map[Name:target_active_prot OffsetBits:3488 SizeBits:32] map[Name:targets OffsetBits:3520 SizeBits:7680] map[Name:n_targets OffsetBits:11200 SizeBits:32] map[Name:nci_ver OffsetBits:11232 SizeBits:8] map[Name:nfcc_features OffsetBits:11264 SizeBits:32] map[Name:num_supported_rf_interfaces OffsetBits:11296 SizeBits:8] map[Name:supported_rf_interfaces OffsetBits:11304 SizeBits:32] map[Name:max_logical_connections OffsetBits:11336 SizeBits:8] map[Name:max_routing_table_size OffsetBits:11344 SizeBits:16] map[Name:max_ctrl_pkt_payload_len OffsetBits:11360 SizeBits:8] map[Name:max_size_for_large_params OffsetBits:11376 SizeBits:16] map[Name:manufact_id OffsetBits:11392 SizeBits:8] map[Name:manufact_specific_info OffsetBits:11424 SizeBits:32] map[Name:cur_params OffsetBits:11456 SizeBits:16] map[Name:cur_dest_type OffsetBits:11472 SizeBits:8] map[Name:rx_data_reassembly OffsetBits:11520 SizeBits:64] map[Name:remote_gb OffsetBits:11584 SizeBits:384] map[Name:remote_gb_len OffsetBits:11968 SizeBits:8] map[Name:target_ats OffsetBits:11976 SizeBits:160] map[Name:target_ats_len OffsetBits:12136 SizeBits:8]]]

gemini-3-flash-preview

							input: 24383
							output: 28
							thoughts: 1414
						

**Analyzing the NCI Driver Race Condition**

Okay, let's break this down. From the provided information, I can see that `req_status` is at offset 416 bytes (3328 bits) and `req_result` at 420 bytes (3360 bits) within the `nci_dev` structure. The crash report highlights a write and read to the memory location `0xffff88811bfb69a0`, which, given the offsets, corresponds to `req_status` within the `nci_dev` structure if we assume an appropriate base address `B` where `B + 416 = 0xffff88811bfb69a0`. Confirmed.

Now, looking at the code snippets, I'm focusing on the interaction between `__nci_request` and `nci_req_complete`. In `__nci_request`, specifically line 138, we have `ndev->req_status = NCI_REQ_PEND;`. This is a crucial write.  `NCI_REQ_PEND` is the starting point. Then, a few lines later, at line 171, there's another write: `ndev->req_status = ndev->req_result = 0;`. This should reset it.

`nci_req_complete`, on the other hand, *reads* `ndev->req_status` at line 79: `if (ndev->req_status == NCI_REQ_PEND) {`. This is how it determines if the request it's handling is the current, pending one. The race is obviously between this read in `nci_req_complete` and the writes to `req_status` in `__nci_request`.

My initial thought was that the issue was a classic race between setting `NCI_REQ_PEND` and then waiting for `nci_req_complete` to clear it, but the code flow makes it pretty clear that `req(ndev, opt)` *must* happen after setting `req_status` to `NCI_REQ_PEND`. `req(ndev, opt)` is what triggers the whole command/response cycle that *leads* to `nci_req_complete` being called. So, the intended sequence is `NCI_REQ_PEND`, send command, NFCC processes, receives the response which calls `nci_req_complete` and which clears the status.

The puzzle is what causes `nci_req_complete` to be called *before* the first write in `__nci_request`, or more precisely, for a *previous* request. But `__nci_request` is called under `ndev->req_lock`, so that suggests a previous request's response might be getting processed, which seems odd. Now, I see that the crash report indicates that the write to `req_status` occurs inside `nci_dev_up`, which calls `nci_open_device`, which *then* calls `__nci_request`. So the lock *should* protect against this happening during the initialization stage.

However, the report suggests a write to the `req_status` register, from 0 to 1, just like setting the `NCI_REQ_PEND`.

I need to confirm the definitions of `NCI_REQ_PEND` and other status values from `nci_core.h`. The crash report suggests that `NCI_REQ_PEND` is likely equal to 1. Something is clearly happening out of sequence or, more likely, we're dealing with a double-free or some other corruption due to the race. I think I know where to look now. The fact that the trace is showing writes happening at both beginning and the end of the `__nci_request` function call, and that it is called from `nci_open_device` is the key.

map[File:include/net/nfc/nci_core.h]

map[Contents:/* SPDX-License-Identifier: GPL-2.0-only */
/*
 *  The NFC Controller Interface is the communication protocol between an
 *  NFC Controller (NFCC) and a Device Host (DH).
 *
 *  Copyright (C) 2011 Texas Instruments, Inc.
 *  Copyright (C) 2013 Intel Corporation. All rights reserved.
 *  Copyright (C) 2014 Marvell International Ltd.
 *
 *  Written by Ilan Elias <ilane@ti.com>
 *
 *  Acknowledgements:
 *  This file is based on hci_core.h, which was written
 *  by Maxim Krasnyansky.
 */

#ifndef __NCI_CORE_H
#define __NCI_CORE_H

#include <linux/interrupt.h>
#include <linux/skbuff.h>
#include <linux/tty.h>

#include <net/nfc/nfc.h>
#include <net/nfc/nci.h>

/* NCI device flags */
enum nci_flag {
	NCI_INIT,
	NCI_UP,
	NCI_DATA_EXCHANGE,
	NCI_DATA_EXCHANGE_TO,
	NCI_UNREG,
};

/* NCI device states */
enum nci_state {
	NCI_IDLE,
	NCI_DISCOVERY,
	NCI_W4_ALL_DISCOVERIES,
	NCI_W4_HOST_SELECT,
	NCI_POLL_ACTIVE,
	NCI_LISTEN_ACTIVE,
	NCI_LISTEN_SLEEP,
};

/* NCI timeouts */
#define NCI_RESET_TIMEOUT			5000
#define NCI_INIT_TIMEOUT			5000
#define NCI_SET_CONFIG_TIMEOUT			5000
#define NCI_RF_DISC_TIMEOUT			5000
#define NCI_RF_DISC_SELECT_TIMEOUT		5000
#define NCI_RF_DEACTIVATE_TIMEOUT		30000
#define NCI_CMD_TIMEOUT				5000
#define NCI_DATA_TIMEOUT			3000

struct nci_dev;

struct nci_driver_ops {
	__u16 opcode;
	int (*rsp)(struct nci_dev *dev, struct sk_buff *skb);
	int (*ntf)(struct nci_dev *dev, struct sk_buff *skb);
};

struct nci_ops {
	int   (*init)(struct nci_dev *ndev);
	int   (*open)(struct nci_dev *ndev);
	int   (*close)(struct nci_dev *ndev);
	int   (*send)(struct nci_dev *ndev, struct sk_buff *skb);
	int   (*setup)(struct nci_dev *ndev);
	int   (*post_setup)(struct nci_dev *ndev);
	int   (*fw_download)(struct nci_dev *ndev, const char *firmware_name);
	__u32 (*get_rfprotocol)(struct nci_dev *ndev, __u8 rf_protocol);
	int   (*discover_se)(struct nci_dev *ndev);
	int   (*disable_se)(struct nci_dev *ndev, u32 se_idx);
	int   (*enable_se)(struct nci_dev *ndev, u32 se_idx);
	int   (*se_io)(struct nci_dev *ndev, u32 se_idx,
				u8 *apdu, size_t apdu_length,
				se_io_cb_t cb, void *cb_context);
	int   (*hci_load_session)(struct nci_dev *ndev);
	void  (*hci_event_received)(struct nci_dev *ndev, u8 pipe, u8 event,
				    struct sk_buff *skb);
	void  (*hci_cmd_received)(struct nci_dev *ndev, u8 pipe, u8 cmd,
				  struct sk_buff *skb);

	const struct nci_driver_ops *prop_ops;
	size_t n_prop_ops;

	const struct nci_driver_ops *core_ops;
	size_t n_core_ops;
};

#define NCI_MAX_SUPPORTED_RF_INTERFACES		4
#define NCI_MAX_DISCOVERED_TARGETS		10
#define NCI_MAX_NUM_NFCEE   255
#define NCI_MAX_CONN_ID		7
#define NCI_MAX_PROPRIETARY_CMD 64

struct nci_conn_info {
	struct list_head list;
	/* NCI specification 4.4.2 Connection Creation
	 * The combination of destination type and destination specific
	 * parameters shall uniquely identify a single destination for the
	 * Logical Connection
	 */
	struct dest_spec_params *dest_params;
	__u8	dest_type;
	__u8	conn_id;
	__u8	max_pkt_payload_len;

	atomic_t credits_cnt;
	__u8	 initial_num_credits;

	data_exchange_cb_t	data_exchange_cb;
	void *data_exchange_cb_context;

	struct sk_buff *rx_skb;
};

#define NCI_INVALID_CONN_ID 0x80

#define NCI_HCI_ANY_OPEN_PIPE      0x03

/* Gates */
#define NCI_HCI_ADMIN_GATE         0x00
#define NCI_HCI_LOOPBACK_GATE	   0x04
#define NCI_HCI_IDENTITY_MGMT_GATE 0x05
#define NCI_HCI_LINK_MGMT_GATE     0x06

/* Pipes */
#define NCI_HCI_LINK_MGMT_PIPE             0x00
#define NCI_HCI_ADMIN_PIPE                 0x01

/* Generic responses */
#define NCI_HCI_ANY_OK                     0x00
#define NCI_HCI_ANY_E_NOT_CONNECTED        0x01
#define NCI_HCI_ANY_E_CMD_PAR_UNKNOWN      0x02
#define NCI_HCI_ANY_E_NOK                  0x03
#define NCI_HCI_ANY_E_PIPES_FULL           0x04
#define NCI_HCI_ANY_E_REG_PAR_UNKNOWN      0x05
#define NCI_HCI_ANY_E_PIPE_NOT_OPENED      0x06
#define NCI_HCI_ANY_E_CMD_NOT_SUPPORTED    0x07
#define NCI_HCI_ANY_E_INHIBITED            0x08
#define NCI_HCI_ANY_E_TIMEOUT              0x09
#define NCI_HCI_ANY_E_REG_ACCESS_DENIED    0x0a
#define NCI_HCI_ANY_E_PIPE_ACCESS_DENIED   0x0b

#define NCI_HCI_DO_NOT_OPEN_PIPE           0x81
#define NCI_HCI_INVALID_PIPE               0x80
#define NCI_HCI_INVALID_GATE               0xFF
#define NCI_HCI_INVALID_HOST               0x80

#define NCI_HCI_MAX_CUSTOM_GATES   50
/*
 * According to specification 102 622 chapter 4.4 Pipes,
 * the pipe identifier is 7 bits long.
 */
#define NCI_HCI_MAX_PIPES          128

struct nci_hci_gate {
	u8 gate;
	u8 pipe;
	u8 dest_host;
} __packed;

struct nci_hci_pipe {
	u8 gate;
	u8 host;
} __packed;

struct nci_hci_init_data {
	u8 gate_count;
	struct nci_hci_gate gates[NCI_HCI_MAX_CUSTOM_GATES];
	char session_id[9];
};

#define NCI_HCI_MAX_GATES          256

struct nci_hci_dev {
	u8 nfcee_id;
	struct nci_dev *ndev;
	struct nci_conn_info *conn_info;

	struct nci_hci_init_data init_data;
	struct nci_hci_pipe pipes[NCI_HCI_MAX_PIPES];
	u8 gate2pipe[NCI_HCI_MAX_GATES];
	int expected_pipes;
	int count_pipes;

	struct sk_buff_head rx_hcp_frags;
	struct work_struct msg_rx_work;
	struct sk_buff_head msg_rx_queue;
};

/* NCI Core structures */
struct nci_dev {
	struct nfc_dev		*nfc_dev;
	const struct nci_ops	*ops;
	struct nci_hci_dev	*hci_dev;

	int			tx_headroom;
	int			tx_tailroom;

	atomic_t		state;
	unsigned long		flags;

	atomic_t		cmd_cnt;
	__u8			cur_conn_id;

	struct list_head	conn_info_list;
	struct nci_conn_info	*rf_conn_info;

	struct timer_list	cmd_timer;
	struct timer_list	data_timer;

	struct workqueue_struct	*cmd_wq;
	struct work_struct	cmd_work;

	struct workqueue_struct	*rx_wq;
	struct work_struct	rx_work;

	struct workqueue_struct	*tx_wq;
	struct work_struct	tx_work;

	struct sk_buff_head	cmd_q;
	struct sk_buff_head	rx_q;
	struct sk_buff_head	tx_q;

	struct mutex		req_lock;
	struct completion	req_completion;
	__u32			req_status;
	__u32			req_result;

	void			*driver_data;

	__u32			poll_prots;
	__u32			target_active_prot;

	struct nfc_target	targets[NCI_MAX_DISCOVERED_TARGETS];
	int			n_targets;

	/* received during NCI_OP_CORE_RESET_RSP */
	__u8			nci_ver;

	/* received during NCI_OP_CORE_INIT_RSP */
	__u32			nfcc_features;
	__u8			num_supported_rf_interfaces;
	__u8			supported_rf_interfaces
				[NCI_MAX_SUPPORTED_RF_INTERFACES];
	__u8			max_logical_connections;
	__u16			max_routing_table_size;
	__u8			max_ctrl_pkt_payload_len;
	__u16			max_size_for_large_params;
	__u8			manufact_id;
	__u32			manufact_specific_info;

	/* Save RF Discovery ID or NFCEE ID under conn_create */
	struct dest_spec_params cur_params;
	/* Save destination type under conn_create */
	__u8			cur_dest_type;

	/* stored during nci_data_exchange */
	struct sk_buff		*rx_data_reassembly;

	/* stored during intf_activated_ntf */
	__u8 remote_gb[NFC_MAX_GT_LEN];
	__u8 remote_gb_len;

	/* stored during intf_activated_ntf */
	__u8 target_ats[NFC_ATS_MAXSIZE];
	__u8 target_ats_len;
};

/* ----- NCI Devices ----- */
struct nci_dev *nci_allocate_device(const struct nci_ops *ops,
				    __u32 supported_protocols,
				    int tx_headroom,
				    int tx_tailroom);
void nci_free_device(struct nci_dev *ndev);
int nci_register_device(struct nci_dev *ndev);
void nci_unregister_device(struct nci_dev *ndev);
int nci_request(struct nci_dev *ndev,
		void (*req)(struct nci_dev *ndev,
			    const void *opt),
		const void *opt, __u32 timeout);
int nci_prop_cmd(struct nci_dev *ndev, __u8 oid, size_t len,
		 const __u8 *payload);
int nci_core_cmd(struct nci_dev *ndev, __u16 opcode, size_t len,
		 const __u8 *payload);
int nci_core_reset(struct nci_dev *ndev);
int nci_core_init(struct nci_dev *ndev);

int nci_recv_frame(struct nci_dev *ndev, struct sk_buff *skb);
int nci_send_frame(struct nci_dev *ndev, struct sk_buff *skb);
int nci_set_config(struct nci_dev *ndev, __u8 id, size_t len, const __u8 *val);

int nci_nfcee_discover(struct nci_dev *ndev, u8 action);
int nci_nfcee_mode_set(struct nci_dev *ndev, u8 nfcee_id, u8 nfcee_mode);
int nci_core_conn_create(struct nci_dev *ndev, u8 destination_type,
			 u8 number_destination_params,
			 size_t params_len,
			 const struct core_conn_create_dest_spec_params *params);
int nci_core_conn_close(struct nci_dev *ndev, u8 conn_id);
int nci_nfcc_loopback(struct nci_dev *ndev, const void *data, size_t data_len,
		      struct sk_buff **resp);

struct nci_hci_dev *nci_hci_allocate(struct nci_dev *ndev);
void nci_hci_deallocate(struct nci_dev *ndev);
int nci_hci_send_event(struct nci_dev *ndev, u8 gate, u8 event,
		       const u8 *param, size_t param_len);
int nci_hci_send_cmd(struct nci_dev *ndev, u8 gate,
		     u8 cmd, const u8 *param, size_t param_len,
		     struct sk_buff **skb);
int nci_hci_open_pipe(struct nci_dev *ndev, u8 pipe);
int nci_hci_connect_gate(struct nci_dev *ndev, u8 dest_host,
			 u8 dest_gate, u8 pipe);
int nci_hci_set_param(struct nci_dev *ndev, u8 gate, u8 idx,
		      const u8 *param, size_t param_len);
int nci_hci_get_param(struct nci_dev *ndev, u8 gate, u8 idx,
		      struct sk_buff **skb);
int nci_hci_clear_all_pipes(struct nci_dev *ndev);
int nci_hci_dev_session_init(struct nci_dev *ndev);

static inline struct sk_buff *nci_skb_alloc(struct nci_dev *ndev,
					    unsigned int len,
					    gfp_t how)
{
	struct sk_buff *skb;

	skb = alloc_skb(len + ndev->tx_headroom + ndev->tx_tailroom, how);
	if (skb)
		skb_reserve(skb, ndev->tx_headroom);

	return skb;
}

static inline void nci_set_parent_dev(struct nci_dev *ndev, struct device *dev)
{
	nfc_set_parent_dev(ndev->nfc_dev, dev);
}

static inline void nci_set_drvdata(struct nci_dev *ndev, void *data)
{
	ndev->driver_data = data;
}

static inline void *nci_get_drvdata(struct nci_dev *ndev)
{
	return ndev->driver_data;
}

static inline int nci_set_vendor_cmds(struct nci_dev *ndev,
				      const struct nfc_vendor_cmd *cmds,
				      int n_cmds)
{
	return nfc_set_vendor_cmds(ndev->nfc_dev, cmds, n_cmds);
}

void nci_rsp_packet(struct nci_dev *ndev, struct sk_buff *skb);
void nci_ntf_packet(struct nci_dev *ndev, struct sk_buff *skb);
int nci_prop_rsp_packet(struct nci_dev *ndev, __u16 opcode,
			struct sk_buff *skb);
int nci_prop_ntf_packet(struct nci_dev *ndev, __u16 opcode,
			struct sk_buff *skb);
int nci_core_rsp_packet(struct nci_dev *ndev, __u16 opcode,
			struct sk_buff *skb);
int nci_core_ntf_packet(struct nci_dev *ndev, __u16 opcode,
			struct sk_buff *skb);
void nci_rx_data_packet(struct nci_dev *ndev, struct sk_buff *skb);
int nci_send_cmd(struct nci_dev *ndev, __u16 opcode, __u8 plen, const void *payload);
int nci_send_data(struct nci_dev *ndev, __u8 conn_id, struct sk_buff *skb);
int nci_conn_max_data_pkt_payload_size(struct nci_dev *ndev, __u8 conn_id);
void nci_data_exchange_complete(struct nci_dev *ndev, struct sk_buff *skb,
				__u8 conn_id, int err);
void nci_hci_data_received_cb(void *context, struct sk_buff *skb, int err);

void nci_clear_target_list(struct nci_dev *ndev);

/* ----- NCI requests ----- */
#define NCI_REQ_DONE		0
#define NCI_REQ_PEND		1
#define NCI_REQ_CANCELED	2

void nci_req_complete(struct nci_dev *ndev, int result);
struct nci_conn_info *nci_get_conn_info_by_conn_id(struct nci_dev *ndev,
						   int conn_id);
int nci_get_conn_info_by_dest_type_params(struct nci_dev *ndev, u8 dest_type,
					  const struct dest_spec_params *params);

/* ----- NCI status code ----- */
int nci_to_errno(__u8 code);

/* ----- NCI over SPI acknowledge modes ----- */
#define NCI_SPI_CRC_DISABLED	0x00
#define NCI_SPI_CRC_ENABLED	0x01

/* ----- NCI SPI structures ----- */
struct nci_spi {
	struct nci_dev		*ndev;
	struct spi_device	*spi;

	unsigned int		xfer_udelay;	/* microseconds delay between
						  transactions */

	unsigned int		xfer_speed_hz; /*
						* SPI clock frequency
						* 0 => default clock
						*/

	u8			acknowledge_mode;

	struct completion	req_completion;
	u8			req_result;
};

/* ----- NCI SPI ----- */
struct nci_spi *nci_spi_allocate_spi(struct spi_device *spi,
				     u8 acknowledge_mode, unsigned int delay,
				     struct nci_dev *ndev);
int nci_spi_send(struct nci_spi *nspi,
		 struct completion *write_handshake_completion,
		 struct sk_buff *skb);
struct sk_buff *nci_spi_read(struct nci_spi *nspi);

/* ----- NCI UART ---- */

/* Ioctl */
#define NCIUARTSETDRIVER	_IOW('U', 0, char *)

enum nci_uart_driver {
	NCI_UART_DRIVER_MARVELL = 0,
	NCI_UART_DRIVER_MAX
};

struct nci_uart;

struct nci_uart_ops {
	int (*open)(struct nci_uart *nci_uart);
	void (*close)(struct nci_uart *nci_uart);
	int (*recv)(struct nci_uart *nci_uart, struct sk_buff *skb);
	int (*send)(struct nci_uart *nci_uart, struct sk_buff *skb);
	void (*tx_start)(struct nci_uart *nci_uart);
	void (*tx_done)(struct nci_uart *nci_uart);
};

struct nci_uart {
	struct module		*owner;
	struct nci_uart_ops	ops;
	const char		*name;
	enum nci_uart_driver	driver;

	/* Dynamic data */
	struct nci_dev		*ndev;
	spinlock_t		rx_lock;
	struct work_struct	write_work;
	struct tty_struct	*tty;
	unsigned long		tx_state;
	struct sk_buff_head	tx_q;
	struct sk_buff		*tx_skb;
	struct sk_buff		*rx_skb;
	int			rx_packet_len;
	void			*drv_data;
};

int nci_uart_register(struct nci_uart *nu);
void nci_uart_unregister(struct nci_uart *nu);
void nci_uart_set_config(struct nci_uart *nu, int baudrate, int flow_ctrl);

#endif /* __NCI_CORE_H */
]

gemini-3-flash-preview

							input: 32071
							output: 26
							thoughts: 1019
						

**Analyzing a Potential Race Condition in the NCI Driver**

Okay, so I'm looking at this code and trying to understand a KCSAN race detection. We have these status defines: `NCI_REQ_DONE` (0), `NCI_REQ_PEND` (1), and `NCI_REQ_CANCELED` (2). The issue seems to be around `ndev->req_status`, specifically the transition from 0 to 1, and how `nci_req_complete` interacts with that change.

Initially, I thought the race was straightforward: Task 1 (in `nci_dev_up`) sets `ndev->req_status = NCI_REQ_PEND;` and Task 2 (in `nci_req_complete`) checks `if (ndev->req_status == NCI_REQ_PEND)`. But then I quickly realized that `nci_req_complete` is triggered by a *response*. If `ndev->req_status` is already 0, the completion path is bypassed, and if it's 1, it completes the request.

My first thought was that the write to `ndev->req_status` wasn't atomic with respect to the read, but that didn't hold up. The assignment `ndev->req_status = NCI_REQ_PEND` occurs *before* the command is sent, using `__nci_request`, specifically lines 138-141. The command send is done with `req(ndev, opt)`. So the response *should* arrive after the status is set.

However, KCSAN detected a race, and that's not what I expected. How could `nci_req_complete` be called while `ndev->req_status = NCI_REQ_PEND` is in progress? Something is amiss.

Then it hit me: could it be a late response from a *previous* request? We know that `__nci_request` is called within the `ndev->req_lock`, so that's not the problem. Also, the status is explicitly reset at the end of the function. Ah, what if a request times out, and the NFCC eventually sends a response anyway? `__nci_request` returns, but the response still arrives. If that late response comes in while a *new* request is starting... bingo!

Looking at the timeout handling in `__nci_request`: we call `wait_for_completion_interruptible_timeout(&ndev->req_completion, timeout)`. If it times out, `req_status` is set back to 0. Then, the next request starts, sets `req_status = NCI_REQ_PEND`, and if the late response arrives right at that very moment, `nci_req_complete` is called.

Now, I'll examine `nci_req_complete`. It's called by `nci_rsp_packet`, so I should look into how that function works in `net/nfc/nci/rsp.c`. This needs a closer inspection.

map[File:net/nfc/nci/rsp.c]

map[Contents:// SPDX-License-Identifier: GPL-2.0-only
/*
 *  The NFC Controller Interface is the communication protocol between an
 *  NFC Controller (NFCC) and a Device Host (DH).
 *
 *  Copyright (C) 2011 Texas Instruments, Inc.
 *
 *  Written by Ilan Elias <ilane@ti.com>
 *
 *  Acknowledgements:
 *  This file is based on hci_event.c, which was written
 *  by Maxim Krasnyansky.
 */

#define pr_fmt(fmt) KBUILD_MODNAME ": %s: " fmt, __func__

#include <linux/types.h>
#include <linux/interrupt.h>
#include <linux/bitops.h>
#include <linux/skbuff.h>

#include "../nfc.h"
#include <net/nfc/nci.h>
#include <net/nfc/nci_core.h>

/* Handle NCI Response packets */

static void nci_core_reset_rsp_packet(struct nci_dev *ndev,
				      const struct sk_buff *skb)
{
	const struct nci_core_reset_rsp *rsp = (void *)skb->data;

	pr_debug("status 0x%x\n", rsp->status);

	/* Handle NCI 1.x ver */
	if (skb->len != 1) {
		if (rsp->status == NCI_STATUS_OK) {
			ndev->nci_ver = rsp->nci_ver;
			pr_debug("nci_ver 0x%x, config_status 0x%x\n",
				 rsp->nci_ver, rsp->config_status);
		}

		nci_req_complete(ndev, rsp->status);
	}
}

static u8 nci_core_init_rsp_packet_v1(struct nci_dev *ndev,
				      const struct sk_buff *skb)
{
	const struct nci_core_init_rsp_1 *rsp_1 = (void *)skb->data;
	const struct nci_core_init_rsp_2 *rsp_2;

	pr_debug("status 0x%x\n", rsp_1->status);

	if (rsp_1->status != NCI_STATUS_OK)
		return rsp_1->status;

	ndev->nfcc_features = __le32_to_cpu(rsp_1->nfcc_features);
	ndev->num_supported_rf_interfaces = rsp_1->num_supported_rf_interfaces;

	ndev->num_supported_rf_interfaces =
		min((int)ndev->num_supported_rf_interfaces,
		    NCI_MAX_SUPPORTED_RF_INTERFACES);

	memcpy(ndev->supported_rf_interfaces,
	       rsp_1->supported_rf_interfaces,
	       ndev->num_supported_rf_interfaces);

	rsp_2 = (void *) (skb->data + 6 + rsp_1->num_supported_rf_interfaces);

	ndev->max_logical_connections = rsp_2->max_logical_connections;
	ndev->max_routing_table_size =
		__le16_to_cpu(rsp_2->max_routing_table_size);
	ndev->max_ctrl_pkt_payload_len =
		rsp_2->max_ctrl_pkt_payload_len;
	ndev->max_size_for_large_params =
		__le16_to_cpu(rsp_2->max_size_for_large_params);
	ndev->manufact_id =
		rsp_2->manufact_id;
	ndev->manufact_specific_info =
		__le32_to_cpu(rsp_2->manufact_specific_info);

	return NCI_STATUS_OK;
}

static u8 nci_core_init_rsp_packet_v2(struct nci_dev *ndev,
				      const struct sk_buff *skb)
{
	const struct nci_core_init_rsp_nci_ver2 *rsp = (void *)skb->data;
	const u8 *supported_rf_interface = rsp->supported_rf_interfaces;
	u8 rf_interface_idx = 0;
	u8 rf_extension_cnt = 0;

	pr_debug("status %x\n", rsp->status);

	if (rsp->status != NCI_STATUS_OK)
		return rsp->status;

	ndev->nfcc_features = __le32_to_cpu(rsp->nfcc_features);
	ndev->num_supported_rf_interfaces = rsp->num_supported_rf_interfaces;

	ndev->num_supported_rf_interfaces =
		min((int)ndev->num_supported_rf_interfaces,
		    NCI_MAX_SUPPORTED_RF_INTERFACES);

	while (rf_interface_idx < ndev->num_supported_rf_interfaces) {
		ndev->supported_rf_interfaces[rf_interface_idx++] = *supported_rf_interface++;

		/* skip rf extension parameters */
		rf_extension_cnt = *supported_rf_interface++;
		supported_rf_interface += rf_extension_cnt;
	}

	ndev->max_logical_connections = rsp->max_logical_connections;
	ndev->max_routing_table_size =
			__le16_to_cpu(rsp->max_routing_table_size);
	ndev->max_ctrl_pkt_payload_len =
			rsp->max_ctrl_pkt_payload_len;
	ndev->max_size_for_large_params = NCI_MAX_LARGE_PARAMS_NCI_v2;

	return NCI_STATUS_OK;
}

static void nci_core_init_rsp_packet(struct nci_dev *ndev, const struct sk_buff *skb)
{
	u8 status = 0;

	if (!(ndev->nci_ver & NCI_VER_2_MASK))
		status = nci_core_init_rsp_packet_v1(ndev, skb);
	else
		status = nci_core_init_rsp_packet_v2(ndev, skb);

	if (status != NCI_STATUS_OK)
		goto exit;

	pr_debug("nfcc_features 0x%x\n",
		 ndev->nfcc_features);
	pr_debug("num_supported_rf_interfaces %d\n",
		 ndev->num_supported_rf_interfaces);
	pr_debug("supported_rf_interfaces[0] 0x%x\n",
		 ndev->supported_rf_interfaces[0]);
	pr_debug("supported_rf_interfaces[1] 0x%x\n",
		 ndev->supported_rf_interfaces[1]);
	pr_debug("supported_rf_interfaces[2] 0x%x\n",
		 ndev->supported_rf_interfaces[2]);
	pr_debug("supported_rf_interfaces[3] 0x%x\n",
		 ndev->supported_rf_interfaces[3]);
	pr_debug("max_logical_connections %d\n",
		 ndev->max_logical_connections);
	pr_debug("max_routing_table_size %d\n",
		 ndev->max_routing_table_size);
	pr_debug("max_ctrl_pkt_payload_len %d\n",
		 ndev->max_ctrl_pkt_payload_len);
	pr_debug("max_size_for_large_params %d\n",
		 ndev->max_size_for_large_params);
	pr_debug("manufact_id 0x%x\n",
		 ndev->manufact_id);
	pr_debug("manufact_specific_info 0x%x\n",
		 ndev->manufact_specific_info);

exit:
	nci_req_complete(ndev, status);
}

static void nci_core_set_config_rsp_packet(struct nci_dev *ndev,
					   const struct sk_buff *skb)
{
	const struct nci_core_set_config_rsp *rsp = (void *)skb->data;

	pr_debug("status 0x%x\n", rsp->status);

	nci_req_complete(ndev, rsp->status);
}

static void nci_rf_disc_map_rsp_packet(struct nci_dev *ndev,
				       const struct sk_buff *skb)
{
	__u8 status = skb->data[0];

	pr_debug("status 0x%x\n", status);

	nci_req_complete(ndev, status);
}

static void nci_rf_disc_rsp_packet(struct nci_dev *ndev,
				   const struct sk_buff *skb)
{
	struct nci_conn_info *conn_info;
	__u8 status = skb->data[0];

	pr_debug("status 0x%x\n", status);

	if (status == NCI_STATUS_OK) {
		atomic_set(&ndev->state, NCI_DISCOVERY);

		conn_info = ndev->rf_conn_info;
		if (!conn_info) {
			conn_info = devm_kzalloc(&ndev->nfc_dev->dev,
						 sizeof(struct nci_conn_info),
						 GFP_KERNEL);
			if (!conn_info) {
				status = NCI_STATUS_REJECTED;
				goto exit;
			}
			conn_info->conn_id = NCI_STATIC_RF_CONN_ID;
			INIT_LIST_HEAD(&conn_info->list);
			list_add(&conn_info->list, &ndev->conn_info_list);
			ndev->rf_conn_info = conn_info;
		}
	}

exit:
	nci_req_complete(ndev, status);
}

static void nci_rf_disc_select_rsp_packet(struct nci_dev *ndev,
					  const struct sk_buff *skb)
{
	__u8 status = skb->data[0];

	pr_debug("status 0x%x\n", status);

	/* Complete the request on intf_activated_ntf or generic_error_ntf */
	if (status != NCI_STATUS_OK)
		nci_req_complete(ndev, status);
}

static void nci_rf_deactivate_rsp_packet(struct nci_dev *ndev,
					 const struct sk_buff *skb)
{
	__u8 status = skb->data[0];

	pr_debug("status 0x%x\n", status);

	/* If target was active, complete the request only in deactivate_ntf */
	if ((status != NCI_STATUS_OK) ||
	    (atomic_read(&ndev->state) != NCI_POLL_ACTIVE)) {
		nci_clear_target_list(ndev);
		atomic_set(&ndev->state, NCI_IDLE);
		nci_req_complete(ndev, status);
	}
}

static void nci_nfcee_discover_rsp_packet(struct nci_dev *ndev,
					  const struct sk_buff *skb)
{
	const struct nci_nfcee_discover_rsp *discover_rsp;

	if (skb->len != 2) {
		nci_req_complete(ndev, NCI_STATUS_NFCEE_PROTOCOL_ERROR);
		return;
	}

	discover_rsp = (struct nci_nfcee_discover_rsp *)skb->data;

	if (discover_rsp->status != NCI_STATUS_OK ||
	    discover_rsp->num_nfcee == 0)
		nci_req_complete(ndev, discover_rsp->status);
}

static void nci_nfcee_mode_set_rsp_packet(struct nci_dev *ndev,
					  const struct sk_buff *skb)
{
	__u8 status = skb->data[0];

	pr_debug("status 0x%x\n", status);
	nci_req_complete(ndev, status);
}

static void nci_core_conn_create_rsp_packet(struct nci_dev *ndev,
					    const struct sk_buff *skb)
{
	__u8 status = skb->data[0];
	struct nci_conn_info *conn_info = NULL;
	const struct nci_core_conn_create_rsp *rsp;

	pr_debug("status 0x%x\n", status);

	if (status == NCI_STATUS_OK) {
		rsp = (struct nci_core_conn_create_rsp *)skb->data;

		conn_info = devm_kzalloc(&ndev->nfc_dev->dev,
					 sizeof(*conn_info), GFP_KERNEL);
		if (!conn_info) {
			status = NCI_STATUS_REJECTED;
			goto exit;
		}

		conn_info->dest_params = devm_kzalloc(&ndev->nfc_dev->dev,
						sizeof(struct dest_spec_params),
						GFP_KERNEL);
		if (!conn_info->dest_params) {
			status = NCI_STATUS_REJECTED;
			goto free_conn_info;
		}

		conn_info->dest_type = ndev->cur_dest_type;
		conn_info->dest_params->id = ndev->cur_params.id;
		conn_info->dest_params->protocol = ndev->cur_params.protocol;
		conn_info->conn_id = rsp->conn_id;

		/* Note: data_exchange_cb and data_exchange_cb_context need to
		 * be specify out of nci_core_conn_create_rsp_packet
		 */

		INIT_LIST_HEAD(&conn_info->list);
		list_add(&conn_info->list, &ndev->conn_info_list);

		if (ndev->cur_params.id == ndev->hci_dev->nfcee_id)
			ndev->hci_dev->conn_info = conn_info;

		conn_info->conn_id = rsp->conn_id;
		conn_info->max_pkt_payload_len = rsp->max_ctrl_pkt_payload_len;
		atomic_set(&conn_info->credits_cnt, rsp->credits_cnt);
	}

free_conn_info:
	if (status == NCI_STATUS_REJECTED)
		devm_kfree(&ndev->nfc_dev->dev, conn_info);
exit:

	nci_req_complete(ndev, status);
}

static void nci_core_conn_close_rsp_packet(struct nci_dev *ndev,
					   const struct sk_buff *skb)
{
	struct nci_conn_info *conn_info;
	__u8 status = skb->data[0];

	pr_debug("status 0x%x\n", status);
	if (status == NCI_STATUS_OK) {
		conn_info = nci_get_conn_info_by_conn_id(ndev,
							 ndev->cur_conn_id);
		if (conn_info) {
			list_del(&conn_info->list);
			if (conn_info == ndev->rf_conn_info)
				ndev->rf_conn_info = NULL;
			devm_kfree(&ndev->nfc_dev->dev, conn_info);
		}
	}
	nci_req_complete(ndev, status);
}

void nci_rsp_packet(struct nci_dev *ndev, struct sk_buff *skb)
{
	__u16 rsp_opcode = nci_opcode(skb->data);

	/* we got a rsp, stop the cmd timer */
	timer_delete(&ndev->cmd_timer);

	pr_debug("NCI RX: MT=rsp, PBF=%d, GID=0x%x, OID=0x%x, plen=%d\n",
		 nci_pbf(skb->data),
		 nci_opcode_gid(rsp_opcode),
		 nci_opcode_oid(rsp_opcode),
		 nci_plen(skb->data));

	/* strip the nci control header */
	skb_pull(skb, NCI_CTRL_HDR_SIZE);

	if (nci_opcode_gid(rsp_opcode) == NCI_GID_PROPRIETARY) {
		if (nci_prop_rsp_packet(ndev, rsp_opcode, skb) == -ENOTSUPP) {
			pr_err("unsupported rsp opcode 0x%x\n",
			       rsp_opcode);
		}

		goto end;
	}

	switch (rsp_opcode) {
	case NCI_OP_CORE_RESET_RSP:
		nci_core_reset_rsp_packet(ndev, skb);
		break;

	case NCI_OP_CORE_INIT_RSP:
		nci_core_init_rsp_packet(ndev, skb);
		break;

	case NCI_OP_CORE_SET_CONFIG_RSP:
		nci_core_set_config_rsp_packet(ndev, skb);
		break;

	case NCI_OP_CORE_CONN_CREATE_RSP:
		nci_core_conn_create_rsp_packet(ndev, skb);
		break;

	case NCI_OP_CORE_CONN_CLOSE_RSP:
		nci_core_conn_close_rsp_packet(ndev, skb);
		break;

	case NCI_OP_RF_DISCOVER_MAP_RSP:
		nci_rf_disc_map_rsp_packet(ndev, skb);
		break;

	case NCI_OP_RF_DISCOVER_RSP:
		nci_rf_disc_rsp_packet(ndev, skb);
		break;

	case NCI_OP_RF_DISCOVER_SELECT_RSP:
		nci_rf_disc_select_rsp_packet(ndev, skb);
		break;

	case NCI_OP_RF_DEACTIVATE_RSP:
		nci_rf_deactivate_rsp_packet(ndev, skb);
		break;

	case NCI_OP_NFCEE_DISCOVER_RSP:
		nci_nfcee_discover_rsp_packet(ndev, skb);
		break;

	case NCI_OP_NFCEE_MODE_SET_RSP:
		nci_nfcee_mode_set_rsp_packet(ndev, skb);
		break;

	default:
		pr_err("unknown rsp opcode 0x%x\n", rsp_opcode);
		break;
	}

	nci_core_rsp_packet(ndev, rsp_opcode, skb);
end:
	kfree_skb(skb);

	/* trigger the next cmd */
	atomic_set(&ndev->cmd_cnt, 1);
	if (!skb_queue_empty(&ndev->cmd_q))
		queue_work(ndev->cmd_wq, &ndev->cmd_work);
}
]

gemini-3-flash-preview

							input: 38499
							output: 22
							thoughts: 3941
						

**Analysis of Potential Race Condition in NCI Request Handling**

Okay, so I'm looking at a potential data race reported by KCSAN within the NCI (Near Field Communication Interface) driver. The core of the problem lies in the interaction between the `__nci_request` function and the `nci_req_complete` function. The race specifically involves the `ndev->req_status` field. Essentially, the code is trying to synchronize the initiation of a request with the handling of its response, but the current implementation may have introduced a vulnerability.

The initial function, `__nci_request`, sets `ndev->req_status` to `NCI_REQ_PEND` at line 138, indicating that a request is now pending.  Concurrently, `nci_req_complete` checks if the status is `NCI_REQ_PEND` to determine if it's the right response for the request. The problem arises with late responses. If a response arrives for a *previous* request *after* a new request has been initiated, `nci_req_complete` could mistakenly identify it as the response to the *current* request.

`nci_req_complete` is called from `nci_rsp_packet`, which itself is called from the `nci_rx_work` worker thread. This asynchronous nature is where the race condition manifests.  The crux of the data race is between the write operation `ndev->req_status = NCI_REQ_PEND;` in `__nci_request` and the read operation `if (ndev->req_status == NCI_REQ_PEND)` in `nci_req_complete`. These two events are happening at the same time.

`__nci_request` sets up a completion structure and initiates the request through the `req(ndev, opt)` call and then waits for the result through `wait_for_completion_interruptible_timeout`. The order of operations in `__nci_request` is critical. If `nci_req_complete` sees the `NCI_REQ_PEND` status and completes the completion *before* `req(ndev, opt)` is even called, we have a late response. The key concern is what happens when a late response arrives – especially the logic flow.

Now, if a late response gets processed as if it's for the *new* request, `__nci_request` finishes early. The `wait_for_completion` call returns immediately and the result of the *late* response is returned, the intended `req(ndev, opt)` is executed afterwards, which might be useless at that point.  `req_status` is *not* protected by a lock, and the lock protects the callers of `__nci_request` and not the RX thread which calls `nci_req_complete`.

The code sets `ndev->req_status = 0` at the end of a request. Thus, Task 1, running in `__nci_request` sets it to 1, and Task 2 running in `nci_req_complete` reads the value. However, the order of the reads and writes is undefined. `nci_req_complete` then sets `ndev->req_status` to `NCI_REQ_DONE` if it sees the correct status. This lack of synchronization is where the logic vulnerability occurs. The problem isn't necessarily memory corruption (though that is always a concern with races). The issue is that the code completes the wrong request.

The KCSAN report indicates a data race on `req_status`. It is not benign. The lack of synchronization in the control flow could cause a late response to "complete" an incorrect, *new* request before the real one is even sent.  This is a significant logic error in the state machine and can lead to incorrect behavior. While the `req_status` variable is a 32-bit integer, and potentially subject to atomic access depending on the architecture, the true issue is a logic race that could lead to errors, such as returning incorrect results or causing the device to enter an unexpected state.

To fix this, the responses and requests must be better synchronized, probably with some kind of sequence numbering or transaction IDs, so late packets are properly discarded, or maybe putting a lock in `nci_req_complete` and `__nci_request`.

map[Dir:net/bluetooth/]

map[Files:[6lowpan.c af_bluetooth.c aosp.c aosp.h coredump.c ecdh_helper.c ecdh_helper.h eir.c eir.h hci_codec.c hci_codec.h hci_conn.c hci_core.c hci_debugfs.c hci_debugfs.h hci_drv.c hci_event.c hci_sock.c hci_sync.c hci_sysfs.c iso.c l2cap_core.c l2cap_sock.c leds.c leds.h lib.c mgmt.c mgmt_config.c mgmt_config.h mgmt_util.c mgmt_util.h msft.c msft.h sco.c selftest.c selftest.h smp.c smp.h] Subdirs:[bnep cmtp hidp rfcomm]]

gemini-3-flash-preview

							input: 43736
							output: 28
							thoughts: 23
						

Okay, here's my take on those thoughts, tailored for an expert audience:

**Diving into `hci_req_complete`**

Right, so I need to understand this specific piece of the Bluetooth HCI puzzle, and where else would I start but `net/bluetooth/hci_core.c`? That's the core of the HCI implementation, the engine room. My immediate thought is, I need to get a clear picture of how `hci_req_complete` functions within the broader architecture. I'll need to remember all the edge cases it handles, and its interaction with the other core functions. I need to understand the sequencing, the data structures it manipulates, and, crucially, how it signals completion and handles any resulting state transitions. I'll need to dissect its role in the command flow. I'm especially interested in how it impacts the overall performance and responsiveness of the Bluetooth stack. Let's see what gems are hidden in the code.

map[SourceFile:net/bluetooth/hci_core.c]

map[Entities:[map[Kind:function Name:__check_timeout] map[Kind:function Name:__hci_cmd_send] map[Kind:function Name:__hci_dev_get] map[Kind:function Name:adv_instance_rpa_expired] map[Kind:function Name:hci_acldata_packet] map[Kind:function Name:hci_add_acl_hdr] map[Kind:function Name:hci_add_adv_instance] map[Kind:function Name:hci_add_adv_monitor] map[Kind:function Name:hci_add_irk] map[Kind:function Name:hci_add_iso_hdr] map[Kind:function Name:hci_add_link_key] map[Kind:function Name:hci_add_ltk] map[Kind:function Name:hci_add_per_instance] map[Kind:function Name:hci_add_remote_oob_data] map[Kind:function Name:hci_adv_instance_flags] map[Kind:function Name:hci_adv_instance_is_scannable] map[Kind:function Name:hci_adv_instances_clear] map[Kind:function Name:hci_adv_instances_set_rpa_expired] map[Kind:function Name:hci_adv_monitors_clear] map[Kind:function Name:hci_alloc_dev_priv] map[Kind:function Name:hci_bdaddr_is_paired] map[Kind:function Name:hci_bdaddr_list_add] map[Kind:function Name:hci_bdaddr_list_add_with_flags] map[Kind:function Name:hci_bdaddr_list_add_with_irk] map[Kind:function Name:hci_bdaddr_list_clear] map[Kind:function Name:hci_bdaddr_list_del] map[Kind:function Name:hci_bdaddr_list_del_with_irk] map[Kind:function Name:hci_bdaddr_list_lookup] map[Kind:function Name:hci_bdaddr_list_lookup_with_flags] map[Kind:function Name:hci_bdaddr_list_lookup_with_irk] map[Kind:function Name:hci_blocked_keys_clear] map[Kind:function Name:hci_cancel_cmd_sync] map[Kind:function Name:hci_chan_sent] map[Kind:function Name:hci_clear_wake_reason] map[Kind:function Name:hci_cmd_data] map[Kind:function Name:hci_cmd_timeout] map[Kind:function Name:hci_cmd_work] map[Kind:function Name:hci_conn_params_add] map[Kind:function Name:hci_conn_params_clear_all] map[Kind:function Name:hci_conn_params_clear_disabled] map[Kind:function Name:hci_conn_params_del] map[Kind:function Name:hci_conn_params_free] map[Kind:function Name:hci_conn_params_lookup] map[Kind:function Name:hci_copy_identity_address] map[Kind:function Name:hci_dev_classify_pkt_type] map[Kind:function Name:hci_dev_close] map[Kind:function Name:hci_dev_cmd] map[Kind:function Name:hci_dev_do_close] map[Kind:function Name:hci_dev_do_open] map[Kind:function Name:hci_dev_do_poweroff] map[Kind:function Name:hci_dev_do_reset] map[Kind:function Name:hci_dev_get] map[Kind:function Name:hci_dev_get_srcu] map[Kind:function Name:hci_dev_open] map[Kind:function Name:hci_dev_put_srcu] map[Kind:function Name:hci_dev_reset] map[Kind:function Name:hci_dev_reset_stat] map[Kind:function Name:hci_discovery_active] map[Kind:function Name:hci_discovery_set_state] map[Kind:function Name:hci_error_reset] map[Kind:function Name:hci_find_adv_instance] map[Kind:function Name:hci_find_adv_sid] map[Kind:function Name:hci_find_irk_by_addr] map[Kind:function Name:hci_find_irk_by_rpa] map[Kind:function Name:hci_find_link_key] map[Kind:function Name:hci_find_ltk] map[Kind:function Name:hci_find_remote_oob_data] map[Kind:function Name:hci_free_adv_monitor] map[Kind:function Name:hci_free_dev] map[Kind:function Name:hci_get_adv_monitor_offload_ext] map[Kind:function Name:hci_get_dev_info] map[Kind:function Name:hci_get_dev_list] map[Kind:function Name:hci_get_next_instance] map[Kind:function Name:hci_inquiry] map[Kind:function Name:hci_inquiry_cache_flush] map[Kind:function Name:hci_inquiry_cache_lookup] map[Kind:function Name:hci_inquiry_cache_lookup_resolve] map[Kind:function Name:hci_inquiry_cache_lookup_unknown] map[Kind:function Name:hci_inquiry_cache_update] map[Kind:function Name:hci_inquiry_cache_update_resolve] map[Kind:function Name:hci_is_adv_monitoring] map[Kind:function Name:hci_is_blocked_key] map[Kind:function Name:hci_isodata_packet] map[Kind:function Name:hci_link_keys_clear] map[Kind:function Name:hci_link_tx_to] map[Kind:function Name:hci_low_sent] map[Kind:function Name:hci_ncmd_timeout] map[Kind:function Name:hci_pend_le_action_lookup] map[Kind:function Name:hci_pend_le_list_add] map[Kind:function Name:hci_pend_le_list_del_init] map[Kind:function Name:hci_persistent_key] map[Kind:function Name:hci_power_off] map[Kind:function Name:hci_power_on] map[Kind:function Name:hci_prio_recalculate] map[Kind:function Name:hci_queue_acl] map[Kind:function Name:hci_queue_iso] map[Kind:function Name:hci_quote_sent] map[Kind:function Name:hci_recv_diag] map[Kind:function Name:hci_recv_event_data] map[Kind:function Name:hci_recv_frame] map[Kind:function Name:hci_register_cb] map[Kind:function Name:hci_register_dev] map[Kind:function Name:hci_register_suspend_notifier] map[Kind:function Name:hci_release_dev] map[Kind:function Name:hci_remote_oob_data_clear] map[Kind:function Name:hci_remove_adv_instance] map[Kind:function Name:hci_remove_adv_monitor] map[Kind:function Name:hci_remove_all_adv_monitor] map[Kind:function Name:hci_remove_irk] map[Kind:function Name:hci_remove_link_key] map[Kind:function Name:hci_remove_ltk] map[Kind:function Name:hci_remove_remote_oob_data] map[Kind:function Name:hci_remove_single_adv_monitor] map[Kind:function Name:hci_req_cmd_complete] map[Kind:function Name:hci_req_is_complete] map[Kind:function Name:hci_resend_last] map[Kind:function Name:hci_reset_dev] map[Kind:function Name:hci_resume_dev] map[Kind:function Name:hci_rfkill_set_block] map[Kind:function Name:hci_rx_work] map[Kind:function Name:hci_sched_acl] map[Kind:function Name:hci_sched_acl_pkt] map[Kind:function Name:hci_sched_iso] map[Kind:function Name:hci_sched_le] map[Kind:function Name:hci_sched_sco] map[Kind:function Name:hci_scodata_packet] map[Kind:function Name:hci_send_acl] map[Kind:function Name:hci_send_cmd] map[Kind:function Name:hci_send_cmd_sync] map[Kind:function Name:hci_send_conn_frame] map[Kind:function Name:hci_send_frame] map[Kind:function Name:hci_send_iso] map[Kind:function Name:hci_send_sco] map[Kind:function Name:hci_sent_cmd_data] map[Kind:function Name:hci_set_adv_instance_data] map[Kind:function Name:hci_set_fw_info] map[Kind:function Name:hci_set_hw_info] map[Kind:function Name:hci_smp_irks_clear] map[Kind:function Name:hci_smp_ltks_clear] map[Kind:function Name:hci_suspend_dev] map[Kind:function Name:hci_suspend_notifier] map[Kind:function Name:hci_tx_work] map[Kind:function Name:hci_unregister_cb] map[Kind:function Name:hci_unregister_dev] map[Kind:function Name:hci_unregister_suspend_notifier] map[Kind:function Name:hci_update_passive_scan_state] map[Kind:function Name:hci_uuids_clear] map[Kind:function Name:inquiry_cache_dump] map[Kind:function Name:ltk_role] map[Kind:global_variable Name:__UNIQUE_ID_addressable___hci_cmd_send_1330] map[Kind:global_variable Name:__UNIQUE_ID_addressable_hci_alloc_dev_priv_1315] map[Kind:global_variable Name:__UNIQUE_ID_addressable_hci_free_dev_1316] map[Kind:global_variable Name:__UNIQUE_ID_addressable_hci_recv_diag_1325] map[Kind:global_variable Name:__UNIQUE_ID_addressable_hci_recv_frame_1324] map[Kind:global_variable Name:__UNIQUE_ID_addressable_hci_register_cb_1328] map[Kind:global_variable Name:__UNIQUE_ID_addressable_hci_register_dev_1317] map[Kind:global_variable Name:__UNIQUE_ID_addressable_hci_release_dev_1320] map[Kind:global_variable Name:__UNIQUE_ID_addressable_hci_reset_dev_1323] map[Kind:global_variable Name:__UNIQUE_ID_addressable_hci_resume_dev_1322] map[Kind:global_variable Name:__UNIQUE_ID_addressable_hci_set_fw_info_1327] map[Kind:global_variable Name:__UNIQUE_ID_addressable_hci_set_hw_info_1326] map[Kind:global_variable Name:__UNIQUE_ID_addressable_hci_suspend_dev_1321] map[Kind:global_variable Name:__UNIQUE_ID_addressable_hci_unregister_cb_1329] map[Kind:global_variable Name:__UNIQUE_ID_addressable_hci_unregister_dev_1319] map[Kind:global_variable Name:__gendwarfksyms_ptr___hci_cmd_send] map[Kind:global_variable Name:__gendwarfksyms_ptr_hci_alloc_dev_priv] map[Kind:global_variable Name:__gendwarfksyms_ptr_hci_free_dev] map[Kind:global_variable Name:__gendwarfksyms_ptr_hci_recv_diag] map[Kind:global_variable Name:__gendwarfksyms_ptr_hci_recv_frame] map[Kind:global_variable Name:__gendwarfksyms_ptr_hci_register_cb] map[Kind:global_variable Name:__gendwarfksyms_ptr_hci_register_dev] map[Kind:global_variable Name:__gendwarfksyms_ptr_hci_release_dev] map[Kind:global_variable Name:__gendwarfksyms_ptr_hci_reset_dev] map[Kind:global_variable Name:__gendwarfksyms_ptr_hci_resume_dev] map[Kind:global_variable Name:__gendwarfksyms_ptr_hci_set_fw_info] map[Kind:global_variable Name:__gendwarfksyms_ptr_hci_set_hw_info] map[Kind:global_variable Name:__gendwarfksyms_ptr_hci_suspend_dev] map[Kind:global_variable Name:__gendwarfksyms_ptr_hci_unregister_cb] map[Kind:global_variable Name:__gendwarfksyms_ptr_hci_unregister_dev] map[Kind:global_variable Name:hci_cb_list] map[Kind:global_variable Name:hci_cb_list_lock] map[Kind:global_variable Name:hci_dev_list] map[Kind:global_variable Name:hci_dev_list_lock] map[Kind:global_variable Name:hci_index_ida] map[Kind:global_variable Name:hci_rfkill_ops]]]

gemini-3-flash-preview

							input: 47681
							output: 20
							thoughts: 1967
						

**Analyzing a Potential Race Condition in the NCI Request/Response Mechanism**

Okay, so I've been digging into this Bluetooth code, specifically looking at the NCI request/response flow. My initial thought was to examine `hci_req_cmd_complete` within `hci_core.c`, but it seems that Bluetooth has moved much of this functionality into `hci_sync.c`. Shifting my focus, I landed on `nci_req_complete` in `net/nfc/nci/core.c`. This function is surprisingly straightforward:

```c
void nci_req_complete(struct nci_dev *ndev, int result)
{
	if (ndev->req_status == NCI_REQ_PEND) {
		ndev->req_result = result;
		ndev->req_status = NCI_REQ_DONE;
		complete(&ndev->req_completion);
	}
}
```

Looking at this code, and the corresponding `__nci_request`, the race condition seems to be around the `ndev->req_status` variable. Let's lay out the scenario. Task 1 is `__nci_request` and Task 2 is `nci_req_complete`. `__nci_request` sets `ndev->req_status = NCI_REQ_PEND`, and then `nci_req_complete` checks `if (ndev->req_status == NCI_REQ_PEND)`.

The concern is if `nci_req_complete` sees `NCI_REQ_PEND` at a bad time. While not possible on x86, KCSAN raises concerns about memory visibility. If `nci_req_complete` observes `NCI_REQ_PEND`, it means `__nci_request` *did* write to it, but has not completed other steps. Specifically, if `nci_req_complete` gets called *before* `__nci_request` completes its setup, we have a premature completion.

This looks like a logic race. If this happens, `__nci_request` will return success but with potentially incorrect results from a previous request. This can cause driver initialization issues or other subtle bugs. Even though such races are sometimes labeled "benign" if rare and not leading to crashes, this feels like a genuine bug in how NCI requests and responses are synchronized.

So, should I fix this with `READ_ONCE`/`WRITE_ONCE`? Applying them makes KCSAN quiet. But does this fix the *logic* issue? No.

Ah, and the KCSAN report helpfully states that the value changed from 0 to 1. Which confirms that Task 2 read 0 *before* Task 1 wrote 1.

The other thing to note is that `__nci_request` uses `ndev->req_completion`, which `nci_req_complete` calls `complete()` on. Now, `__nci_request` actually calls `reinit_completion` *after* it sets `req_status = NCI_REQ_PEND`.

So, the problematic case is if Task 2 (a late response) runs between lines 140 and 142. Meaning if:
1.  Task 1 writes `req_status = 1`.
2.  Task 1 calls `reinit_completion`.
3.  Task 2 sees `req_status == 1`.
4.  Task 2 sets `req_result = result`, `req_status = 0`, calls `complete`.
5.  Task 1 calls `req(ndev, opt)`.
6.  Task 1 calls `wait_for_completion`.
7.  `wait_for_completion` returns immediately due to Task 2's `complete`.
8.  Task 1 returns `req_result` (from the late response).

That's the harmful case: `__nci_request` returns the result of the *previous* request before the response for the *current* one arrives. This logic race is *definitely* not benign. As for the data race aspect: Yes, this is a data race. There's concurrent access to a shared variable without proper synchronization.

While this may not lead to immediate memory corruption or a crash, logic errors in the kernel *often* lead to crashes down the line.

Looking again at `nci_req_complete`:

```c
77: void nci_req_complete(struct nci_dev *ndev, int result)
78: {
79: 	if (ndev->req_status == NCI_REQ_

no matches

map[Expression:KCSAN.*nfc]

map[Output:]

gemini-3-flash-preview

							input: 50707
							output: 46
							thoughts: 4329
						

**Analysis of KCSAN Report: Data Race on `req_status` in NCI Driver**

Okay, here's my thought process on this KCSAN report. The grep didn't reveal any other obvious issues. My initial focus is on the `nci_dev_up` path, specifically how `nci_open_device` and `nci_close_device` interact with `__nci_request` and the `req_status` field. I'm seeing that both opening and closing the device trigger a reset request using `__nci_request`, and that's where `req_status` becomes interesting.

In the code, I see `atomic_set(&ndev->cmd_cnt, 1);` followed by `set_bit(NCI_INIT, &ndev->flags);` and then the call to `__nci_request` within `nci_open_device`. `req_status` is critical here; if this is the initial open, it *should* be zero. `nci_close_device` also makes the same call, canceling a pending request if one exists.

The core of the problem seems to be a potential race condition. Is it harmful? That's the key question. I'm focusing on the definition of "benign" versus "non-benign" in the instructions. `req_status` is a flag, and in many situations, concurrent access to flags is benign. However, this flag *is* used for synchronization – that's a red flag. The race could lead to a logic error with the reset command returning early with the wrong result.  A subsequent command could then fail or use uninitialized data. Specifically, I'm thinking about the `nci_core_reset_rsp_packet` function and how it sets `ndev->nci_ver` based on the reset response. A race could lead to `nci_ver` being set to an old value and the driver continuing with incorrect data.  This feels harmful, as it impacts the protocol's integrity.

However, a more conservative view among some kernel developers might label this as "benign" if it doesn't cause a kernel panic, which isn't the only metric. Crucially, the definition given mentions *corruption* or *crash.* I’m also looking specifically at whether the compiler's memory access reordering could be a factor.

I'm examining the possible compiler reordering between `ndev->req_result = result;` and `ndev->req_status = NCI_REQ_DONE;` in `nci_req_complete`. I’m also focusing on if Task 1's reads of `req_result` in `__nci_request` occur before Task 2 writes it, based on the `wait_for_completion_interruptible_timeout` within `__nci_request`.  I'm confident this reordering won't be an issue, given the barriers associated with `complete()` and `wait_for_completion()`.  The problem comes from the race when the late response arrives.

The core race is between Task 1 writing `NCI_REQ_PEND` and Task 2's read of it. If a late response comes in precisely at the wrong moment, it can lead to non-deterministic behavior. This is because there's no transaction ID in the protocol. However, I've concluded it's the timing aspect, and lack of transaction ID, and not the data race alone. I'm also looking at the impact of `READ_ONCE` and `WRITE_ONCE` but those only affect compiler reordering, which is not the root of the problem.

The data race creates non-atomic transitions on how the CPU sees it as a timing issue, not a direct problem. If the response is late, the protocol already has non-deterministic behavior anyway. The crucial race concerns if Task 2 reads `req_status` and calls `complete()`, and Task 1 calls `reinit_completion`.

Specifically, if Task 2 is running after the reinit call, the complete call may be skipped. However, if Task 2 is running before, the race exists. But it’s not really a *data race* problem. It's a protocol issue. This seems benign in the sense of memory corruption, but it is not a *good* design.

I've checked if there's any risk of memory corruption related to this, I see that isn't true.

Verdict: It seems *benign* based on the KCSAN definition. There's no corruption or crash. The data race on `req_status` is a symptom of a larger logic flaw, i.e. the late responses inherent to the protocol and the lack

map[ContextFile:net/nfc/nci/core.c IncludeLines:true Name:nci_to_errno]

map[SourceCode:  23:	/* NCI status codes to Unix errno mapping */
  24:	int nci_to_errno(__u8 code)
  25:	{
  26:		switch (code) {
  27:		case NCI_STATUS_OK:
  28:			return 0;
  29:	
  30:		case NCI_STATUS_REJECTED:
  31:			return -EBUSY;
  32:	
  33:		case NCI_STATUS_RF_FRAME_CORRUPTED:
  34:			return -EBADMSG;
  35:	
  36:		case NCI_STATUS_NOT_INITIALIZED:
  37:			return -EHOSTDOWN;
  38:	
  39:		case NCI_STATUS_SYNTAX_ERROR:
  40:		case NCI_STATUS_SEMANTIC_ERROR:
  41:		case NCI_STATUS_INVALID_PARAM:
  42:		case NCI_STATUS_RF_PROTOCOL_ERROR:
  43:		case NCI_STATUS_NFCEE_PROTOCOL_ERROR:
  44:			return -EPROTO;
  45:	
  46:		case NCI_STATUS_UNKNOWN_GID:
  47:		case NCI_STATUS_UNKNOWN_OID:
  48:			return -EBADRQC;
  49:	
  50:		case NCI_STATUS_MESSAGE_SIZE_EXCEEDED:
  51:			return -EMSGSIZE;
  52:	
  53:		case NCI_STATUS_DISCOVERY_ALREADY_STARTED:
  54:			return -EALREADY;
  55:	
  56:		case NCI_STATUS_DISCOVERY_TARGET_ACTIVATION_FAILED:
  57:		case NCI_STATUS_NFCEE_INTERFACE_ACTIVATION_FAILED:
  58:			return -ECONNREFUSED;
  59:	
  60:		case NCI_STATUS_RF_TRANSMISSION_ERROR:
  61:		case NCI_STATUS_NFCEE_TRANSMISSION_ERROR:
  62:			return -ECOMM;
  63:	
  64:		case NCI_STATUS_RF_TIMEOUT_ERROR:
  65:		case NCI_STATUS_NFCEE_TIMEOUT_ERROR:
  66:			return -ETIMEDOUT;
  67:	
  68:		case NCI_STATUS_FAILED:
  69:		default:
  70:			return -ENOSYS;
  71:		}
  72:	}
 SourceFile:net/nfc/nci/lib.c]

gemini-3-flash-preview

							input: 56790
							output: 727
							thoughts: 2133
						

**Analysis of the Reported Data Race in `nci_req_complete`**

Okay, so I'm looking at this reported data race in the `nci_req_complete` function. My initial thought is, it's probably benign, but I need to be thorough. First, I have to consider the core of the issue, which is around this section of code:

```c
79: 	if (ndev->req_status == NCI_REQ_PEND) {
80: 		ndev->req_result = result;
81: 		ndev->req_status = NCI_REQ_DONE;
82: 		complete(&ndev->req_completion);
83: 	}
```

The report indicates a race condition with the `ndev->req_status` field. Now, let's break this down.  `req_status`, `req_result`, and `req_completion` are the fields potentially involved. The `complete()` call handles `req_completion`, so that's probably safe in terms of double completion. The `req_result` is written here, but the corresponding read is in `__nci_request`, which uses `wait_for_completion`, ensuring a memory barrier. So, the potential race is really isolated to `req_status`.

Is there other concurrent access? Let's consider `nci_rsp_packet`, specifically `nci_core_reset_rsp_packet` which accesses `ndev->nci_ver`:

```c
static void nci_core_reset_rsp_packet(struct nci_dev *ndev,
				      const struct sk_buff *skb)
{
...
		if (rsp->status == NCI_STATUS_OK) {
			ndev->nci_ver = rsp->nci_ver;
...
```

I see that `nci_open_device` *reads* `ndev->nci_ver`:

```c
550: 		if (ndev->nci_ver & NCI_VER_2_MASK)
```

However, `nci_open_device` reads this *after* `__nci_request` returns, and  `__nci_request` uses `wait_for_completion`. Thus, the write to `ndev->nci_ver` will be visible. Could there be a race here? Well, consider a late response. If a previous `nci_reset_req` timed out, and its response arrived after a new `nci_open_device` started.  `nci_open_device` is protected by `ndev->req_lock`, but `nci_rx_work` does *not* take that lock. Yes, it's possible for the late response in `nci_rx_work` to write to `ndev->nci_ver` while `nci_open_device` is reading it.

But, KCSAN didn't flag this. It flagged the race on `req_status`. Why? If I look at the report:  `write to 0xffff88811bfb69a0 of 4 bytes by task 6091 on cpu 1:`, `read to 0xffff88811bfb69a0 of 4 bytes by task 2331 on cpu 0:`.  If other fields were racing, it might not have been reported, or they'd be separate.

So, the issue is about `req_status`.

Now, if there is another response handler, such as `nci_rf_disc_rsp_packet`:

```c
223: 		conn_info = ndev->rf_conn_info;
224: 		if (!conn_info) {
225: 			conn_info = devm_kzalloc(&ndev->nfc_dev->dev,
226: 						 sizeof(struct nci_conn_info),
227: 						 GFP_KERNEL);
...
233: 			conn_info->conn_id = NCI_STATIC_RF_CONN_ID;
234: 			INIT_LIST_HEAD(&conn_info->list);
235: 			list_add(&conn_info->list, &ndev->conn_info_list);
236: 			ndev->rf_conn_info = conn_info;
237: 		}
```
This looks dangerous because it isn't atomic with respect to the other accesses to `


The data race occurs on the `req_status` field of the `struct nci_dev`. This field is used to track the status of a pending NCI (NFC Controller Interface) request.

### Analysis of the Race

1.  **Task 1 (`nci_dev_up` -> `__nci_request`)**: This task is initiating an NCI request (e.g., `CORE_RESET_CMD`). It sets `ndev->req_status = NCI_REQ_PEND` (value 1) before sending the command and waiting for a completion.
2.  **Task 2 (`nci_rx_work` -> `nci_req_complete`)**: This task processes incoming packets from the NFC controller. When a response packet is received, it calls `nci_req_complete`, which checks if `ndev->req_status == NCI_REQ_PEND`. If it is, it sets the result, changes the status to `NCI_REQ_DONE` (value 0), and signals the completion.

The reported race happens because `nci_req_complete` reads `req_status` without holding the `ndev->req_lock` mutex, while `__nci_request` writes to it while holding the mutex.

### Impact and Verdict

*   **Logic Race**: The race is only possible if a response packet arrives while a new request is being set up. This typically happens if a previous request timed out, and its "late" response arrives just as a new request starts. If the late response is processed between the time `req_status` is set to `NCI_REQ_PEND` and the time the new command is actually sent, the new request might be "completed" prematurely with the result of the old, late response.
*   **Data Race**: From a memory safety perspective, `req_status` is a simple 32-bit integer. On all supported Linux architectures, a 32-bit aligned read or write is atomic. The data race reported by KCSAN indicates that these accesses are concurrent and not synchronized by a common lock or atomic primitives (like `READ_ONCE`/`WRITE_ONCE`).
*   **Benign Nature**: While the logic race described above can lead to incorrect protocol behavior (e.g., assuming a reset succeeded when it hasn't yet), it does not lead to memory corruption, kernel crashes, or undefined behavior in the C sense, assuming a conservative compiler. The `req_status` field is used as a simple state flag. The synchronization of the actual data (`req_result`) is handled by the completion mechanism (`complete()` and `wait_for_completion()`), which includes the necessary memory barriers to ensure that the result is visible after the completion is signaled.

In the context of the Linux kernel, such races on status flags in network/communication drivers are often considered benign, although they should ideally be annotated with `READ_ONCE`/`WRITE_ONCE` to satisfy static and dynamic analysis tools.

### Conclusion
The data race is benign as it involves a simple status flag and does not result in memory corruption or system instability. The underlying synchronization issue with late responses is a known characteristic of the NCI implementation and is not exacerbated by the lack of explicit atomic annotations on the `req_status` field.

map[Benign:true Confident:true]

map[Benign:true Confident:true]

gemini-3-flash-preview

							input: 60692
							output: 703
							thoughts: 38
						

Here's my thought process, distilled:

**Benign Data Race Conclusion**

Okay, so the user's looking for the "why" behind my benign data race conclusion. They understand the analysis has been done – that's good; it's assumed they are familiar with this. Now, it's time to craft the definitive response, clearly articulating *why* the data race, despite its existence, is ultimately harmless in this specific context. I'll need to articulate the reasoning in a way that resonates with an expert audience: precise language, no fluff.