CVE-2026-23167

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
14/02/2026
Last modified:
14/02/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

nfc: nci: Fix race between rfkill and nci_unregister_device().

syzbot reported the splat below [0] without a repro.

It indicates that struct nci_dev.cmd_wq had been destroyed before nci_close_device() was called via rfkill.

nci_dev.cmd_wq is only destroyed in nci_unregister_device(), which (I think) was called from virtual_ncidev_close() when syzbot close()d an fd of virtual_ncidev.

The problem is that nci_unregister_device() destroys nci_dev.cmd_wq first and then calls nfc_unregister_device(), which removes the device from rfkill by rfkill_unregister().

So, the device is still visible via rfkill even after nci_dev.cmd_wq is destroyed.

Let's unregister the device from rfkill first in nci_unregister_device().

Note that we cannot call nfc_unregister_device() before nci_close_device() because

1) nfc_unregister_device() calls device_del() which frees all memory allocated by devm_kzalloc() and linked to ndev->conn_info_list

2) nci_rx_work() could try to queue nci_conn_info to ndev->conn_info_list which could be leaked

Thus, nfc_unregister_device() is split into two functions so we can remove rfkill interfaces only before nci_close_device().

[0]:
DEBUG_LOCKS_WARN_ON(1)
WARNING: kernel/locking/lockdep.c:238 at hlock_class kernel/locking/lockdep.c:238 [inline], CPU#0: syz.0.8675/6349
WARNING: kernel/locking/lockdep.c:238 at check_wait_context kernel/locking/lockdep.c:4854 [inline], CPU#0: syz.0.8675/6349
WARNING: kernel/locking/lockdep.c:238 at __lock_acquire+0x39d/0x2cf0 kernel/locking/lockdep.c:5187, CPU#0: syz.0.8675/6349
Modules linked in:
CPU: 0 UID: 0 PID: 6349 Comm: syz.0.8675 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026
RIP: 0010:hlock_class kernel/locking/lockdep.c:238 [inline]
RIP: 0010:check_wait_context kernel/locking/lockdep.c:4854 [inline]
RIP: 0010:__lock_acquire+0x3a4/0x2cf0 kernel/locking/lockdep.c:5187
Code: 18 00 4c 8b 74 24 08 75 27 90 e8 17 f2 fc 02 85 c0 74 1c 83 3d 50 e0 4e 0e 00 75 13 48 8d 3d 43 f7 51 0e 48 c7 c6 8b 3a de 8d 48 0f b9 3a 90 31 c0 0f b6 98 c4 00 00 00 41 8b 45 20 25 ff 1f
RSP: 0018:ffffc9000c767680 EFLAGS: 00010046
RAX: 0000000000000001 RBX: 0000000000040000 RCX: 0000000000080000
RDX: ffffc90013080000 RSI: ffffffff8dde3a8b RDI: ffffffff8ff24ca0
RBP: 0000000000000003 R08: ffffffff8fef35a3 R09: 1ffffffff1fde6b4
R10: dffffc0000000000 R11: fffffbfff1fde6b5 R12: 00000000000012a2
R13: ffff888030338ba8 R14: ffff888030338000 R15: ffff888030338b30
FS: 00007fa5995f66c0(0000) GS:ffff8881256f8000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7e72f842d0 CR3: 00000000485a0000 CR4: 00000000003526f0
Call Trace:

lock_acquire+0x106/0x330 kernel/locking/lockdep.c:5868
touch_wq_lockdep_map+0xcb/0x180 kernel/workqueue.c:3940
__flush_workqueue+0x14b/0x14f0 kernel/workqueue.c:3982
nci_close_device+0x302/0x630 net/nfc/nci/core.c:567
nci_dev_down+0x3b/0x50 net/nfc/nci/core.c:639
nfc_dev_down+0x152/0x290 net/nfc/core.c:161
nfc_rfkill_set_block+0x2d/0x100 net/nfc/core.c:179
rfkill_set_block+0x1d2/0x440 net/rfkill/core.c:346
rfkill_fop_write+0x461/0x5a0 net/rfkill/core.c:1301
vfs_write+0x29a/0xb90 fs/read_write.c:684
ksys_write+0x150/0x270 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fa59b39acb9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fa5995f6028 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007fa59b615fa0 RCX: 00007fa59b39acb9
RDX: 0000000000000008 RSI: 0000200000000080 RDI: 0000000000000007
RBP: 00007fa59b408bf7 R08:
---truncated---
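The following C program is an added illustration of the teardown ordering the description explains; it is not part of this advisory or of the kernel patch. Every struct and function in it is a simplified stand-in that borrows the kernel's names (nci_dev, cmd_wq, nci_close_device, rfkill) so the two orderings can be compared side by side. The one behaviour it assumes from the real code is the one visible in the trace: nci_close_device() flushes cmd_wq even when the device is already down (the net/nfc/nci/core.c:567 call). The "old" function destroys cmd_wq before the rfkill registration is dropped, so a racing rfkill write still reaches the device and flushes a destroyed workqueue; the "fixed" function removes the rfkill interface first, so the same write becomes a no-op.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the teardown ordering described above, not kernel code.
 * Names mirror the kernel's, but every struct and function here is a stand-in. */

struct workqueue {
    bool alive;                 /* false once destroy_workqueue() ran */
};

struct nci_dev {
    struct workqueue *cmd_wq;   /* destroyed only in nci_unregister_device() */
    bool rfkill_registered;     /* device still reachable through /dev/rfkill */
    bool up;                    /* stands in for the NCI_UP flag */
};

/* Stand-in for destroy_workqueue(): flushing wq after this is a bug
 * (lockdep reports it in the real kernel, as in the trace above). */
static void destroy_workqueue(struct workqueue *wq)
{
    wq->alive = false;
}

/* Stand-in for flush_workqueue(); returns false where lockdep would warn. */
static bool flush_workqueue(struct workqueue *wq)
{
    return wq->alive;
}

/* Stand-in for nci_close_device(). Like the kernel function, it flushes
 * cmd_wq even when the device is already down, in case a cmd_work is
 * queued or running (that is the core.c:567 call in the trace). */
static bool nci_close_device(struct nci_dev *ndev)
{
    ndev->up = false;
    return flush_workqueue(ndev->cmd_wq);
}

/* Stand-in for an rfkill block (a write to /dev/rfkill) landing during
 * teardown. rfkill only reaches the device while it is still registered. */
static bool rfkill_block(struct nci_dev *ndev)
{
    if (!ndev->rfkill_registered)
        return true;            /* rfkill_unregister() already ran: no-op */
    return nci_close_device(ndev);
}

/* Buggy order from the description: cmd_wq is destroyed before
 * nfc_unregister_device() removes the device from rfkill. */
static bool nci_unregister_device_old(struct nci_dev *ndev)
{
    nci_close_device(ndev);
    destroy_workqueue(ndev->cmd_wq);
    bool ok = rfkill_block(ndev);      /* race window: rfkill still sees ndev */
    ndev->rfkill_registered = false;   /* nfc_unregister_device() -> rfkill_unregister() */
    return ok;
}

/* Fixed order: drop the rfkill interface first, then close and destroy.
 * Closing still happens before the rest of nfc_unregister_device(), so
 * conn_info_list memory is not freed under a running nci_rx_work(). */
static bool nci_unregister_device_fixed(struct nci_dev *ndev)
{
    ndev->rfkill_registered = false;   /* rfkill part of nfc_unregister_device(), split out */
    nci_close_device(ndev);
    destroy_workqueue(ndev->cmd_wq);
    return rfkill_block(ndev);         /* same racing write: now a no-op */
}

/* Run each ordering on a fresh, registered, up device. Returns true when
 * no flush of a destroyed workqueue happened. */
static bool run_old(void)
{
    struct workqueue wq = { .alive = true };
    struct nci_dev ndev = { .cmd_wq = &wq, .rfkill_registered = true, .up = true };
    return nci_unregister_device_old(&ndev);
}

static bool run_fixed(void)
{
    struct workqueue wq = { .alive = true };
    struct nci_dev ndev = { .cmd_wq = &wq, .rfkill_registered = true, .up = true };
    return nci_unregister_device_fixed(&ndev);
}

int main(void)
{
    printf("old order:   %s\n", run_old() ? "ok" : "flush of destroyed cmd_wq");
    printf("fixed order: %s\n", run_fixed() ? "ok" : "flush of destroyed cmd_wq");
    return 0;
}
```

The model deliberately leaves nci_close_device() between the rfkill removal and the workqueue destruction, matching the description's note that nfc_unregister_device() as a whole cannot move ahead of nci_close_device(): only its rfkill part is reordered, which is why the real fix splits that function in two.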

Impact