CVE-2025-71079
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write
A deadlock can occur between nfc_unregister_device() and rfkill_fop_write() due to lock ordering inversion between device_lock and rfkill_global_mutex.
The problematic lock order is:
Thread A (rfkill_fop_write): rfkill_fop_write() mutex_lock(&rfkill_global_mutex) rfkill_set_block() nfc_rfkill_set_block() nfc_dev_down() device_lock(&dev->dev) <- waits for device_lock
Thread B (nfc_unregister_device): nfc_unregister_device() device_lock(&dev->dev) rfkill_unregister() mutex_lock(&rfkill_global_mutex) <- waits for rfkill_global_mutex
This creates a classic ABBA deadlock scenario.
Fix this by moving rfkill_unregister() and rfkill_destroy() outside the device_lock critical section. Store the rfkill pointer in a local variable before releasing the lock, then call rfkill_unregister() after releasing device_lock.
This change is safe because rfkill_fop_write() holds rfkill_global_mutex while calling the rfkill callbacks, and rfkill_unregister() also acquires rfkill_global_mutex before cleanup. Therefore, rfkill_unregister() will wait for any ongoing callback to complete before proceeding, and device_del() is only called after rfkill_unregister() returns, preventing any use-after-free.
The similar lock ordering in nfc_register_device() (device_lock -> rfkill_global_mutex via rfkill_register) is safe because during registration the device is not yet in rfkill_list, so no concurrent rfkill operations can occur on this device.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 73a0d12114b4bc1a9def79a623264754b9df698e < 2e0831e9fc46a06daa6d4d8d57a2738e343130c3 | affected |
| Linux | Linux | 8a9c61c3ef187d8891225f9b932390670a43a0d3 < e02a1c33f10a0ed3aba855ab8ae2b6c4c5be8012 | affected |
| Linux | Linux | 3e3b5dfcd16a3e254aab61bd1e8c417dd4503102 < ee41f4f3ccf8cd6ba3732e867abbec7e6d8d12e5 | affected |
| Linux | Linux | 3e3b5dfcd16a3e254aab61bd1e8c417dd4503102 < 6b93c8ab6f6cda8818983a4ae3fcf84b023037b4 | affected |
| Linux | Linux | 3e3b5dfcd16a3e254aab61bd1e8c417dd4503102 < 8fc4632fb508432895430cd02b38086bdd649083 | affected |
| Linux | Linux | 3e3b5dfcd16a3e254aab61bd1e8c417dd4503102 < f3a8a7c1aa278f2378b2f3a10500c6674dffdfda | affected |
| Linux | Linux | 3e3b5dfcd16a3e254aab61bd1e8c417dd4503102 < 1ab526d97a57e44d26fadcc0e9adeb9c0c0182f5 | affected |
| Linux | Linux | 5ef16d2d172ee56714cff37cd005b98aba08ef5a | affected |
| Linux | Linux | ff169909eac9e00bf1aa0af739ba6ddfb1b1d135 | affected |
| Linux | Linux | 47244ac0b65bd74cc70007d8e1bac68bd2baad19 | affected |
| Linux | Linux | c45cea83e13699bdfd47842e04d09dd43af4c371 | affected |
| Linux | Linux | 307d2e6cebfca9d92f86c8e2c8e3dd4a8be46ba6 | affected |
| Linux | Linux | 5.10.82 < 5.10.248 | affected |
| Linux | Linux | 5.15.5 < 5.15.198 | affected |
| Linux | Linux | 4.4.293 < 4.5 | affected |
| Linux | Linux | 4.9.291 < 4.10 | affected |
| Linux | Linux | 4.14.256 < 4.15 | affected |
| Linux | Linux | 4.19.218 < 4.20 | affected |
| Linux | Linux | 5.4.162 < 5.5 | affected |
| Linux | Linux | 5.16 | affected |
| Linux | Linux | 0 < 5.16 | unaffected |
| Linux | Linux | 5.10.248 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.198 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.160 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.120 <= 6.6.* | unaffected |
| Linux | Linux | 6.12.64 <= 6.12.* | unaffected |
| Linux | Linux | 6.18.4 <= 6.18.* | unaffected |
| Linux | Linux | 6.19 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/2e0831e9fc46a06daa6d4d8d57a2738e343130c3
- https://git.kernel.org/stable/c/e02a1c33f10a0ed3aba855ab8ae2b6c4c5be8012
- https://git.kernel.org/stable/c/ee41f4f3ccf8cd6ba3732e867abbec7e6d8d12e5
- https://git.kernel.org/stable/c/6b93c8ab6f6cda8818983a4ae3fcf84b023037b4
- https://git.kernel.org/stable/c/8fc4632fb508432895430cd02b38086bdd649083
- https://git.kernel.org/stable/c/f3a8a7c1aa278f2378b2f3a10500c6674dffdfda
- https://git.kernel.org/stable/c/1ab526d97a57e44d26fadcc0e9adeb9c0c0182f5
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.