IM
IronMonkey Threat Research

CVE-2025-71079 MEDIUM

Published: 2026-01-13 | Last Modified: 2026-07-14 | Status: Modified

Description

In the Linux kernel, the following vulnerability has been resolved: net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write A deadlock can occur between nfc_unregister_device() and rfkill_fop_write() due to lock ordering inversion between device_lock and rfkill_global_mutex. The problematic lock order is: Thread A (rfkill_fop_write): rfkill_fop_write() mutex_lock(&rfkill_global_mutex) rfkill_set_block() nfc_rfkill_set_block() nfc_dev_down() device_lock(&dev->dev) <- waits for device_lock Thread B (nfc_unregister_device): nfc_unregister_device() device_lock(&dev->dev) rfkill_unregister() mutex_lock(&rfkill_global_mutex) <- waits for rfkill_global_mutex This creates a classic ABBA deadlock scenario. Fix this by moving rfkill_unregister() and rfkill_destroy() outside the device_lock critical section. Store the rfkill pointer in a local variable before releasing the lock, then call rfkill_unregister() after releasing device_lock. This change is safe because rfkill_fop_write() holds rfkill_global_mutex while calling the rfkill callbacks, and rfkill_unregister() also acquires rfkill_global_mutex before cleanup. Therefore, rfkill_unregister() will wait for any ongoing callback to complete before proceeding, and device_del() is only called after rfkill_unregister() returns, preventing any use-after-free. The similar lock ordering in nfc_register_device() (device_lock -> rfkill_global_mutex via rfkill_register) is safe because during registration the device is not yet in rfkill_list, so no concurrent rfkill operations can occur on this device.

Additional Descriptions (1)

En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta: net: nfc: corrige interbloqueo entre nfc_unregister_device y rfkill_fop_write Puede ocurrir un interbloqueo entre nfc_unregister_device() y rfkill_fop_write() debido a la inversión del orden de bloqueo entre device_lock y rfkill_global_mutex. El orden de bloqueo problemático es: Hilo A (rfkill_fop_write): rfkill_fop_write() mutex_lock(&amp;rfkill_global_mutex) rfkill_set_block() nfc_rfkill_set_block() nfc_dev_down() device_lock(&amp;dev-&gt;dev) &lt;- espera por device_lock Hilo B (nfc_unregister_device): nfc_unregister_device() device_lock(&amp;dev-&gt;dev) rfkill_unregister() mutex_lock(&amp;rfkill_global_mutex) &lt;- espera por rfkill_global_mutex Esto crea un escenario clásico de interbloqueo ABBA. Soluciona esto moviendo rfkill_unregister() y rfkill_destroy() fuera de la sección crítica de device_lock. Almacena el puntero rfkill en una variable local antes de liberar el bloqueo, luego llama a rfkill_unregister() después de liberar device_lock. Este cambio es seguro porque rfkill_fop_write() mantiene rfkill_global_mutex mientras llama a las retrollamadas de rfkill, y rfkill_unregister() también adquiere rfkill_global_mutex antes de la limpieza. Por lo tanto, rfkill_unregister() esperará a que cualquier retrollamada en curso se complete antes de continuar, y device_del() solo se llama después de que rfkill_unregister() retorna, previniendo cualquier uso después de liberación. El orden de bloqueo similar en nfc_register_device() (device_lock -&gt; rfkill_global_mutex a través de rfkill_register) es seguro porque durante el registro el dispositivo aún no está en rfkill_list, por lo que no pueden ocurrir operaciones rfkill concurrentes en este dispositivo.

CVSS Metrics

Base Score: 5.5 (MEDIUM)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack VectorLOCAL
Attack ComplexityLOW
Privileges RequiredLOW
User InteractionNONE
ScopeUNCHANGED
Confidentiality ImpactNONE
Integrity ImpactNONE
Availability ImpactHIGH

Source: [email protected]

Type: Primary

Exploitability Score: 1.8

Impact Score: 3.6

Weaknesses

Source Type Description
[email protected] Primary
en CWE-667

Affected Products

Vendor Product Version Update Type
linux linux_kernel * <built-in method update of dict object at 0x702bfc1de380> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bdd67c800> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bdd67fa00> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702b8344e800> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bfc1dd540> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702b8052f440> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702b8344f840> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bdd67eb40> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bfc1dc480> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bfc1de040> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bdd67ddc0> Operating System
linux linux_kernel 5.16 <built-in method update of dict object at 0x702bdd67e540> Operating System
linux linux_kernel 6.19 <built-in method update of dict object at 0x702bdd67e200> Operating System
linux linux_kernel 6.19 <built-in method update of dict object at 0x702bfc1deb80> Operating System
linux linux_kernel 6.19 <built-in method update of dict object at 0x702bfc336000> Operating System
linux linux_kernel 6.19 <built-in method update of dict object at 0x702bdd67ca40> Operating System
linux linux_kernel 6.19 <built-in method update of dict object at 0x702bfc335f00> Operating System
linux linux_kernel 6.19 <built-in method update of dict object at 0x702bdd67e880> Operating System
linux linux_kernel 6.19 <built-in method update of dict object at 0x702b8344f1c0> Operating System
linux linux_kernel 6.19 <built-in method update of dict object at 0x702bdd2f34c0> Operating System

Affected Configurations

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:5.16:-:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:*

References

Notification
Message here