tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write

A deadlock can occur between nfc_unregister_device() and rfkill_fop_write()
due to lock ordering inversion between device_lock and rfkill_global_mutex.

The problematic lock order is:

Thread A (rfkill_fop_write):
rfkill_fop_write()
mutex_lock(&rfkill_global_mutex)
rfkill_set_block()
nfc_rfkill_set_block()
nfc_dev_down()
device_lock(&dev->dev) <- waits for device_lock

Thread B (nfc_unregister_device):
nfc_unregister_device()
device_lock(&dev->dev)
rfkill_unregister()
mutex_lock(&rfkill_global_mutex) <- waits for rfkill_global_mutex

This creates a classic ABBA deadlock scenario.

Fix this by moving rfkill_unregister() and rfkill_destroy() outside the
device_lock critical section. Store the rfkill pointer in a local variable
before releasing the lock, then call rfkill_unregister() after releasing
device_lock.

This change is safe because rfkill_fop_write() holds rfkill_global_mutex
while calling the rfkill callbacks, and rfkill_unregister() also acquires
rfkill_global_mutex before cleanup. Therefore, rfkill_unregister() will
wait for any ongoing callback to complete before proceeding, and
device_del() is only called after rfkill_unregister() returns, preventing
any use-after-free.

The similar lock ordering in nfc_register_device() (device_lock ->
rfkill_global_mutex via rfkill_register) is safe because during
registration the device is not yet in rfkill_list, so no concurrent
rfkill operations can occur on this device.

Fixes: 3e3b5dfcd16a ("NFC: reorder the logic in nfc_{un,}register_device")
Cc: stable@vger.kernel.org
Reported-by: syzbot+4ef89409a235d804c6c2@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4ef89409a235d804c6c2
Link: https://lore.kernel.org/all/20251217054908.178907-1-kartikey406@gmail.com/T/ [v1]
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@oss.qualcomm.com>
Link: https://patch.msgid.link/20251218012355.279940-1-kartikey406@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>

authored by

Deepanshu Kartikey and committed by
Paolo Abeni 1ab526d9 a1e077a3

+7 -2
+7 -2
net/nfc/core.c
··· 1154 1154 void nfc_unregister_device(struct nfc_dev *dev) 1155 1155 { 1156 1156 int rc; 1157 + struct rfkill *rfk = NULL; 1157 1158 1158 1159 pr_debug("dev_name=%s\n", dev_name(&dev->dev)); 1159 1160 ··· 1165 1164 1166 1165 device_lock(&dev->dev); 1167 1166 if (dev->rfkill) { 1168 - rfkill_unregister(dev->rfkill); 1169 - rfkill_destroy(dev->rfkill); 1167 + rfk = dev->rfkill; 1170 1168 dev->rfkill = NULL; 1171 1169 } 1172 1170 dev->shutting_down = true; 1173 1171 device_unlock(&dev->dev); 1172 + 1173 + if (rfk) { 1174 + rfkill_unregister(rfk); 1175 + rfkill_destroy(rfk); 1176 + } 1174 1177 1175 1178 if (dev->ops->check_presence) { 1176 1179 timer_delete_sync(&dev->check_pres_timer);