lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <5cb165de-12ef-4e6a-ab8a-aefb53bf9f23@kernel.org>
Date: Wed, 17 Dec 2025 09:57:47 +0100
From: Krzysztof Kozlowski <krzk@...nel.org>
To: Deepanshu Kartikey <kartikey406@...il.com>
Cc: davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
 pabeni@...hat.com, horms@...nel.org, netdev@...r.kernel.org,
 linux-kernel@...r.kernel.org,
 syzbot+4ef89409a235d804c6c2@...kaller.appspotmail.com
Subject: Re: [PATCH] net: nfc: fix deadlock between nfc_unregister_device and
 rfkill_fop_write

On 17/12/2025 09:11, Deepanshu Kartikey wrote:
> 
> rfkill_set_block() calls ops->set_block() (i.e., nfc_rfkill_set_block)
> without releasing rfkill_global_mutex.
> 
> Since rfkill_unregister() also acquires rfkill_global_mutex:
> 
> void rfkill_unregister(struct rfkill *rfkill)
> {
>     ...
>     mutex_lock(&rfkill_global_mutex);
>     rfkill_send_events(rfkill, RFKILL_OP_DEL);
>     list_del_init(&rfkill->node);
>     ...
>     mutex_unlock(&rfkill_global_mutex);
> }
> 
> The unregister path cannot proceed past rfkill_unregister() until any
> ongoing callback completes. Since device_del() is called after
> rfkill_unregister() returns, no UAF should be possible.

Indeed, that's correct. Please mention this briefly in commit msg. The
same as other ABBA remark in register path.


Best regards,
Krzysztof

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ