In the Linux kernel, the following vulnerability has been resolved: net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write A deadlock can occur between nfc_unregister_device() and rfkill_fop_write() due to lock ordering inversion between device_lock and rfkill_global_mutex. The problematic lock order is: Thread A (rfkill_fop_write): rfkill_fop_write() mutex_lock(&rfkill_global_mutex) rfkill_set_block() nfc_rfkill_set_block() nfc_dev_down() device_lock(&dev->dev) <- waits for device_lock Thread B (nfc_unregister_device): nfc_unregister_device() device_lock(&dev->dev) rfkill_unregister() mutex_lock(&rfkill_global_mutex) <- waits for rfkill_global_mutex This creates a classic ABBA deadlock scenario. Fix this by moving rfkill_unregister() and rfkill_destroy() outside the device_lock critical section. Store the rfkill pointer in a local variable before releasing the lock, then call rfkill_unregister() after releasing device_lock. This change is safe because rfkill_fop_write() holds rfkill_global_mutex while calling the rfkill callbacks, and rfkill_unregister() also acquires rfkill_global_mutex before cleanup. Therefore, rfkill_unregister() will wait for any ongoing callback to complete before proceeding, and device_del() is only called after rfkill_unregister() returns, preventing any use-after-free. The similar lock ordering in nfc_register_device() (device_lock -> rfkill_global_mutex via rfkill_register) is safe because during registration the device is not yet in rfkill_list, so no concurrent rfkill operations can occur on this device.
En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta: net: nfc: corrige interbloqueo entre nfc_unregister_device y rfkill_fop_write Puede ocurrir un interbloqueo entre nfc_unregister_device() y rfkill_fop_write() debido a la inversión del orden de bloqueo entre device_lock y rfkill_global_mutex. El orden de bloqueo problemático es: Hilo A (rfkill_fop_write): rfkill_fop_write() mutex_lock(&rfkill_global_mutex) rfkill_set_block() nfc_rfkill_set_block() nfc_dev_down() device_lock(&dev->dev) <- espera por device_lock Hilo B (nfc_unregister_device): nfc_unregister_device() device_lock(&dev->dev) rfkill_unregister() mutex_lock(&rfkill_global_mutex) <- espera por rfkill_global_mutex Esto crea un escenario clásico de interbloqueo ABBA. Soluciona esto moviendo rfkill_unregister() y rfkill_destroy() fuera de la sección crítica de device_lock. Almacena el puntero rfkill en una variable local antes de liberar el bloqueo, luego llama a rfkill_unregister() después de liberar device_lock. Este cambio es seguro porque rfkill_fop_write() mantiene rfkill_global_mutex mientras llama a las retrollamadas de rfkill, y rfkill_unregister() también adquiere rfkill_global_mutex antes de la limpieza. Por lo tanto, rfkill_unregister() esperará a que cualquier retrollamada en curso se complete antes de continuar, y device_del() solo se llama después de que rfkill_unregister() retorna, previniendo cualquier uso después de liberación. El orden de bloqueo similar en nfc_register_device() (device_lock -> rfkill_global_mutex a través de rfkill_register) es seguro porque durante el registro el dispositivo aún no está en rfkill_list, por lo que no pueden ocurrir operaciones rfkill concurrentes en este dispositivo.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
| Attack Vector | LOCAL |
|---|---|
| Attack Complexity | LOW |
| Privileges Required | LOW |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | NONE |
| Availability Impact | HIGH |
| Source | Type | Description |
|---|---|---|
| [email protected] | Primary |
en
CWE-667
|
| Vendor | Product | Version | Update | Type |
|---|---|---|---|---|
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bfc1de380> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdd67c800> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdd67fa00> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702b8344e800> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bfc1dd540> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702b8052f440> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702b8344f840> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdd67eb40> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bfc1dc480> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bfc1de040> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdd67ddc0> | Operating System |
| linux | linux_kernel | 5.16 | <built-in method update of dict object at 0x702bdd67e540> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x702bdd67e200> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x702bfc1deb80> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x702bfc336000> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x702bdd67ca40> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x702bfc335f00> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x702bdd67e880> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x702b8344f1c0> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x702bdd2f34c0> | Operating System |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:5.16:-:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:* |