Re: [PATCH] net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write

From: Krzysztof Kozlowski
Date: Wed Dec 17 2025 - 04:04:12 EST

Next message: Chen Ridong: "[PATCH -next 0/6] cpuset: further separate v1 and v2 implementations"
Previous message: Sumit Garg: "Re: [PATCH v1 00/17] tee: Use bus callbacks instead of driver callbacks"
In reply to: Deepanshu Kartikey: "Re: [PATCH] net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 17/12/2025 09:11, Deepanshu Kartikey wrote:
>
> rfkill_set_block() calls ops->set_block() (i.e., nfc_rfkill_set_block)
> without releasing rfkill_global_mutex.
>
> Since rfkill_unregister() also acquires rfkill_global_mutex:
>
> void rfkill_unregister(struct rfkill *rfkill)
> {
> ...
> mutex_lock(&rfkill_global_mutex);
> rfkill_send_events(rfkill, RFKILL_OP_DEL);
> list_del_init(&rfkill->node);
> ...
> mutex_unlock(&rfkill_global_mutex);
> }
>
> The unregister path cannot proceed past rfkill_unregister() until any
> ongoing callback completes. Since device_del() is called after
> rfkill_unregister() returns, no UAF should be possible.

Indeed, that's correct. Please mention this briefly in commit msg. The
same as other ABBA remark in register path.

Best regards,
Krzysztof

Next message: Chen Ridong: "[PATCH -next 0/6] cpuset: further separate v1 and v2 implementations"
Previous message: Sumit Garg: "Re: [PATCH v1 00/17] tee: Use bus callbacks instead of driver callbacks"
In reply to: Deepanshu Kartikey: "Re: [PATCH] net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]