Re: [PATCH] net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write

From: Krzysztof Kozlowski <krzk@kernel.org>
Date: 2025-12-17 08:57:51
Also in: lkml

On 17/12/2025 09:11, Deepanshu Kartikey wrote:

rfkill_set_block() calls ops->set_block() (i.e., nfc_rfkill_set_block)
without releasing rfkill_global_mutex.

Since rfkill_unregister() also acquires rfkill_global_mutex:

void rfkill_unregister(struct rfkill *rfkill)
{
    ...
    mutex_lock(&rfkill_global_mutex);
    rfkill_send_events(rfkill, RFKILL_OP_DEL);
    list_del_init(&rfkill->node);
    ...
    mutex_unlock(&rfkill_global_mutex);
}

The unregister path cannot proceed past rfkill_unregister() until any
ongoing callback completes. Since device_del() is called after
rfkill_unregister() returns, no UAF should be possible.

Indeed, that's correct. Please mention this briefly in commit msg. The
same as other ABBA remark in register path.


Best regards,
Krzysztof

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help