{"id":"CVE-2025-71079","summary":"net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write\n\nA deadlock can occur between nfc_unregister_device() and rfkill_fop_write()\ndue to lock ordering inversion between device_lock and rfkill_global_mutex.\n\nThe problematic lock order is:\n\nThread A (rfkill_fop_write):\n  rfkill_fop_write()\n    mutex_lock(&rfkill_global_mutex)\n      rfkill_set_block()\n        nfc_rfkill_set_block()\n          nfc_dev_down()\n            device_lock(&dev-\u003edev)    \u003c- waits for device_lock\n\nThread B (nfc_unregister_device):\n  nfc_unregister_device()\n    device_lock(&dev-\u003edev)\n      rfkill_unregister()\n        mutex_lock(&rfkill_global_mutex)  \u003c- waits for rfkill_global_mutex\n\nThis creates a classic ABBA deadlock scenario.\n\nFix this by moving rfkill_unregister() and rfkill_destroy() outside the\ndevice_lock critical section. Store the rfkill pointer in a local variable\nbefore releasing the lock, then call rfkill_unregister() after releasing\ndevice_lock.\n\nThis change is safe because rfkill_fop_write() holds rfkill_global_mutex\nwhile calling the rfkill callbacks, and rfkill_unregister() also acquires\nrfkill_global_mutex before cleanup. Therefore, rfkill_unregister() will\nwait for any ongoing callback to complete before proceeding, and\ndevice_del() is only called after rfkill_unregister() returns, preventing\nany use-after-free.\n\nThe similar lock ordering in nfc_register_device() (device_lock -\u003e\nrfkill_global_mutex via rfkill_register) is safe because during\nregistration the device is not yet in rfkill_list, so no concurrent\nrfkill operations can occur on this device.","modified":"2026-03-31T17:29:30.045971Z","published":"2026-01-13T15:34:44.136Z","related":["MGASA-2026-0017","MGASA-2026-0018","SUSE-SU-2026:0447-1","SUSE-SU-2026:0472-1","SUSE-SU-2026:0587-1","SUSE-SU-2026:20477-1","SUSE-SU-2026:20498-1","SUSE-SU-2026:20555-1","SUSE-SU-2026:20599-1","SUSE-SU-2026:20615-1","SUSE-SU-2026:20845-1","SUSE-SU-2026:20876-1","openSUSE-SU-2026:20287-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/71xxx/CVE-2025-71079.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/1ab526d97a57e44d26fadcc0e9adeb9c0c0182f5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/2e0831e9fc46a06daa6d4d8d57a2738e343130c3"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6b93c8ab6f6cda8818983a4ae3fcf84b023037b4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8fc4632fb508432895430cd02b38086bdd649083"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e02a1c33f10a0ed3aba855ab8ae2b6c4c5be8012"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ee41f4f3ccf8cd6ba3732e867abbec7e6d8d12e5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f3a8a7c1aa278f2378b2f3a10500c6674dffdfda"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/71xxx/CVE-2025-71079.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-71079"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"73a0d12114b4bc1a9def79a623264754b9df698e"},{"fixed":"2e0831e9fc46a06daa6d4d8d57a2738e343130c3"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"8a9c61c3ef187d8891225f9b932390670a43a0d3"},{"fixed":"e02a1c33f10a0ed3aba855ab8ae2b6c4c5be8012"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"3e3b5dfcd16a3e254aab61bd1e8c417dd4503102"},{"fixed":"ee41f4f3ccf8cd6ba3732e867abbec7e6d8d12e5"},{"fixed":"6b93c8ab6f6cda8818983a4ae3fcf84b023037b4"},{"fixed":"8fc4632fb508432895430cd02b38086bdd649083"},{"fixed":"f3a8a7c1aa278f2378b2f3a10500c6674dffdfda"},{"fixed":"1ab526d97a57e44d26fadcc0e9adeb9c0c0182f5"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"5ef16d2d172ee56714cff37cd005b98aba08ef5a"},{"last_affected":"ff169909eac9e00bf1aa0af739ba6ddfb1b1d135"},{"last_affected":"47244ac0b65bd74cc70007d8e1bac68bd2baad19"},{"last_affected":"c45cea83e13699bdfd47842e04d09dd43af4c371"},{"last_affected":"307d2e6cebfca9d92f86c8e2c8e3dd4a8be46ba6"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-71079.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.10.248"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.198"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.160"},{"fixed":"6.6.120"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.12.64"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.18.4"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-71079.json"}}],"schema_version":"1.7.5"}