CVE-2025-71079

Summary

In the Linux kernel, the following vulnerability has been resolved:

net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write

A deadlock can occur between nfc_unregister_device() and rfkill_fop_write() due to lock ordering inversion between device_lock and rfkill_global_mutex.

The problematic lock order is:

Thread A (rfkill_fop_write): rfkill_fop_write() mutex_lock(&rfkill_global_mutex) rfkill_set_block() nfc_rfkill_set_block() nfc_dev_down() device_lock(&dev->dev) <- waits for device_lock

Thread B (nfc_unregister_device): nfc_unregister_device() device_lock(&dev->dev) rfkill_unregister() mutex_lock(&rfkill_global_mutex) <- waits for rfkill_global_mutex

This creates a classic ABBA deadlock scenario.

Fix this by moving rfkill_unregister() and rfkill_destroy() outside the device_lock critical section. Store the rfkill pointer in a local variable before releasing the lock, then call rfkill_unregister() after releasing device_lock.

This change is safe because rfkill_fop_write() holds rfkill_global_mutex while calling the rfkill callbacks, and rfkill_unregister() also acquires rfkill_global_mutex before cleanup. Therefore, rfkill_unregister() will wait for any ongoing callback to complete before proceeding, and device_del() is only called after rfkill_unregister() returns, preventing any use-after-free.

The similar lock ordering in nfc_register_device() (device_lock -> rfkill_global_mutex via rfkill_register) is safe because during registration the device is not yet in rfkill_list, so no concurrent rfkill operations can occur on this device.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux73a0d12114b4bc1a9def79a623264754b9df698e < 2e0831e9fc46a06daa6d4d8d57a2738e343130c3affected
LinuxLinux8a9c61c3ef187d8891225f9b932390670a43a0d3 < e02a1c33f10a0ed3aba855ab8ae2b6c4c5be8012affected
LinuxLinux3e3b5dfcd16a3e254aab61bd1e8c417dd4503102 < ee41f4f3ccf8cd6ba3732e867abbec7e6d8d12e5affected
LinuxLinux3e3b5dfcd16a3e254aab61bd1e8c417dd4503102 < 6b93c8ab6f6cda8818983a4ae3fcf84b023037b4affected
LinuxLinux3e3b5dfcd16a3e254aab61bd1e8c417dd4503102 < 8fc4632fb508432895430cd02b38086bdd649083affected
LinuxLinux3e3b5dfcd16a3e254aab61bd1e8c417dd4503102 < f3a8a7c1aa278f2378b2f3a10500c6674dffdfdaaffected
LinuxLinux3e3b5dfcd16a3e254aab61bd1e8c417dd4503102 < 1ab526d97a57e44d26fadcc0e9adeb9c0c0182f5affected
LinuxLinux5ef16d2d172ee56714cff37cd005b98aba08ef5aaffected
LinuxLinuxff169909eac9e00bf1aa0af739ba6ddfb1b1d135affected
LinuxLinux47244ac0b65bd74cc70007d8e1bac68bd2baad19affected
LinuxLinuxc45cea83e13699bdfd47842e04d09dd43af4c371affected
LinuxLinux307d2e6cebfca9d92f86c8e2c8e3dd4a8be46ba6affected
LinuxLinux5.10.82 < 5.10.248affected
LinuxLinux5.15.5 < 5.15.198affected
LinuxLinux4.4.293 < 4.5affected
LinuxLinux4.9.291 < 4.10affected
LinuxLinux4.14.256 < 4.15affected
LinuxLinux4.19.218 < 4.20affected
LinuxLinux5.4.162 < 5.5affected
LinuxLinux5.16affected
LinuxLinux0 < 5.16unaffected
LinuxLinux5.10.248 <= 5.10.*unaffected
LinuxLinux5.15.198 <= 5.15.*unaffected
LinuxLinux6.1.160 <= 6.1.*unaffected
LinuxLinux6.6.120 <= 6.6.*unaffected
LinuxLinux6.12.64 <= 6.12.*unaffected
LinuxLinux6.18.4 <= 6.18.*unaffected
LinuxLinux6.19 <= *unaffected

Weaknesses

References