nfc: nci: Fix race between rfkill and nci_unregister_device().

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

syzbot reported the splat below [0] without a repro.

It indicates that struct nci_dev.cmd_wq had been destroyed before
nci_close_device() was called via rfkill.

nci_dev.cmd_wq is only destroyed in nci_unregister_device(), which
(I think) was called from virtual_ncidev_close() when syzbot close()d
an fd of virtual_ncidev.

The problem is that nci_unregister_device() destroys nci_dev.cmd_wq
first and then calls nfc_unregister_device(), which removes the
device from rfkill by rfkill_unregister().

So, the device is still visible via rfkill even after nci_dev.cmd_wq
is destroyed.

Let's unregister the device from rfkill first in nci_unregister_device().

Note that we cannot call nfc_unregister_device() before
nci_close_device() because

1) nfc_unregister_device() calls device_del() which frees
all memory allocated by devm_kzalloc() and linked to
ndev->conn_info_list

2) nci_rx_work() could try to queue nci_conn_info to
ndev->conn_info_list which could be leaked

Thus, nfc_unregister_device() is split into two functions so we
can remove rfkill interfaces only before nci_close_device().

[0]:
DEBUG_LOCKS_WARN_ON(1)
WARNING: kernel/locking/lockdep.c:238 at hlock_class kernel/locking/lockdep.c:238 [inline], CPU#0: syz.0.8675/6349
WARNING: kernel/locking/lockdep.c:238 at check_wait_context kernel/locking/lockdep.c:4854 [inline], CPU#0: syz.0.8675/6349
WARNING: kernel/locking/lockdep.c:238 at __lock_acquire+0x39d/0x2cf0 kernel/locking/lockdep.c:5187, CPU#0: syz.0.8675/6349
Modules linked in:
CPU: 0 UID: 0 PID: 6349 Comm: syz.0.8675 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026
RIP: 0010:hlock_class kernel/locking/lockdep.c:238 [inline]
RIP: 0010:check_wait_context kernel/locking/lockdep.c:4854 [inline]
RIP: 0010:__lock_acquire+0x3a4/0x2cf0 kernel/locking/lockdep.c:5187
Code: 18 00 4c 8b 74 24 08 75 27 90 e8 17 f2 fc 02 85 c0 74 1c 83 3d 50 e0 4e 0e 00 75 13 48 8d 3d 43 f7 51 0e 48 c7 c6 8b 3a de 8d <67> 48 0f b9 3a 90 31 c0 0f b6 98 c4 00 00 00 41 8b 45 20 25 ff 1f
RSP: 0018:ffffc9000c767680 EFLAGS: 00010046
RAX: 0000000000000001 RBX: 0000000000040000 RCX: 0000000000080000
RDX: ffffc90013080000 RSI: ffffffff8dde3a8b RDI: ffffffff8ff24ca0
RBP: 0000000000000003 R08: ffffffff8fef35a3 R09: 1ffffffff1fde6b4
R10: dffffc0000000000 R11: fffffbfff1fde6b5 R12: 00000000000012a2
R13: ffff888030338ba8 R14: ffff888030338000 R15: ffff888030338b30
FS: 00007fa5995f66c0(0000) GS:ffff8881256f8000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7e72f842d0 CR3: 00000000485a0000 CR4: 00000000003526f0
Call Trace:
<TASK>
lock_acquire+0x106/0x330 kernel/locking/lockdep.c:5868
touch_wq_lockdep_map+0xcb/0x180 kernel/workqueue.c:3940
__flush_workqueue+0x14b/0x14f0 kernel/workqueue.c:3982
nci_close_device+0x302/0x630 net/nfc/nci/core.c:567
nci_dev_down+0x3b/0x50 net/nfc/nci/core.c:639
nfc_dev_down+0x152/0x290 net/nfc/core.c:161
nfc_rfkill_set_block+0x2d/0x100 net/nfc/core.c:179
rfkill_set_block+0x1d2/0x440 net/rfkill/core.c:346
rfkill_fop_write+0x461/0x5a0 net/rfkill/core.c:1301
vfs_write+0x29a/0xb90 fs/read_write.c:684
ksys_write+0x150/0x270 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa59b39acb9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fa5995f6028 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007fa59b615fa0 RCX: 00007fa59b39acb9
RDX: 0000000000000008 RSI: 0000200000000080 RDI: 0000000000000007
RBP: 00007fa59b408bf7 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fa59b616038 R14: 00007fa59b615fa0 R15: 00007ffc82218788
</TASK>

Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation")
Reported-by: syzbot+f9c5fd1a0874f9069dce@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/695e7f56.050a0220.1c677c.036c.GAE@google.com/
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20260127040411.494931-1-kuniyu@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

authored by

Kuniyuki Iwashima and committed by

Jakub Kicinski 2 months ago d2492688 a040afa3

+29 -4

3 changed files

expand all

include

net

nfc

nfc.h

net

nfc

core.c

nci

core.c

include/net/nfc/nfc.h

··· 219 219 220 220 int nfc_register_device(struct nfc_dev *dev); 221 221 222 + void nfc_unregister_rfkill(struct nfc_dev *dev); 223 + void nfc_remove_device(struct nfc_dev *dev); 222 224 void nfc_unregister_device(struct nfc_dev *dev); 223 225 224 226 /**

+24 -3

net/nfc/core.c

··· 1147 1147 EXPORT_SYMBOL(nfc_register_device); 1148 1148 1149 1149 /** 1150 - * nfc_unregister_device - unregister a nfc device in the nfc subsystem 1150 + * nfc_unregister_rfkill - unregister a nfc device in the rfkill subsystem 1151 1151 * 1152 1152 * @dev: The nfc device to unregister 1153 1153 */ 1154 - void nfc_unregister_device(struct nfc_dev *dev) 1154 + void nfc_unregister_rfkill(struct nfc_dev *dev) 1155 1155 { 1156 - int rc; 1157 1156 struct rfkill *rfk = NULL; 1157 + int rc; 1158 1158 1159 1159 pr_debug("dev_name=%s\n", dev_name(&dev->dev)); 1160 1160 ··· 1175 1175 rfkill_unregister(rfk); 1176 1176 rfkill_destroy(rfk); 1177 1177 } 1178 + } 1179 + EXPORT_SYMBOL(nfc_unregister_rfkill); 1178 1180 1181 + /** 1182 + * nfc_remove_device - remove a nfc device in the nfc subsystem 1183 + * 1184 + * @dev: The nfc device to remove 1185 + */ 1186 + void nfc_remove_device(struct nfc_dev *dev) 1187 + { 1179 1188 if (dev->ops->check_presence) { 1180 1189 timer_delete_sync(&dev->check_pres_timer); 1181 1190 cancel_work_sync(&dev->check_pres_work); ··· 1196 1187 nfc_devlist_generation++; 1197 1188 device_del(&dev->dev); 1198 1189 mutex_unlock(&nfc_devlist_mutex); 1190 + } 1191 + EXPORT_SYMBOL(nfc_remove_device); 1192 + 1193 + /** 1194 + * nfc_unregister_device - unregister a nfc device in the nfc subsystem 1195 + * 1196 + * @dev: The nfc device to unregister 1197 + */ 1198 + void nfc_unregister_device(struct nfc_dev *dev) 1199 + { 1200 + nfc_unregister_rfkill(dev); 1201 + nfc_remove_device(dev); 1199 1202 } 1200 1203 EXPORT_SYMBOL(nfc_unregister_device); 1201 1204

+3 -1

net/nfc/nci/core.c

··· 1303 1303 { 1304 1304 struct nci_conn_info *conn_info, *n; 1305 1305 1306 + nfc_unregister_rfkill(ndev->nfc_dev); 1307 + 1306 1308 /* This set_bit is not protected with specialized barrier, 1307 1309 * However, it is fine because the mutex_lock(&ndev->req_lock); 1308 1310 * in nci_close_device() will help to emit one. ··· 1322 1320 /* conn_info is allocated with devm_kzalloc */ 1323 1321 } 1324 1322 1325 - nfc_unregister_device(ndev->nfc_dev); 1323 + nfc_remove_device(ndev->nfc_dev); 1326 1324 } 1327 1325 EXPORT_SYMBOL(nci_unregister_device); 1328 1326