Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A deadlock vulnerability has been identified in the Linux kernel's NFC subsystem, specifically in the interaction between nfc_unregister_device() and rfkill_fop_write(). The deadlock arises from an inversion in lock ordering between device_lock and rfkill_global_mutex, a classic ABBA scenario. Thread A, executing rfkill_fop_write(), acquires rfkill_global_mutex and then attempts to take device_lock, while Thread B, running nfc_unregister_device(), takes device_lock before trying to acquire rfkill_global_mutex; each thread then blocks waiting for the lock the other holds.
When triggered, the deadlock leaves both threads blocked indefinitely, which can result in a hang or freeze of the affected operations and potentially of the system.
The deadlock can be reproduced by calling nfc_unregister_device() while another thread is executing rfkill_fop_write(): for example, an NFC device removal event that unregisters the device while a concurrent write to the rfkill interface (which manages wireless device power states) is in progress. Because of the lock-order inversion, each thread then waits for the lock the other holds, and neither can proceed.
The fix modifies nfc_unregister_device() so that rfkill_global_mutex is no longer acquired while device_lock is held: the rfkill pointer is saved in a local variable under device_lock, device_lock is released, and only then are rfkill_unregister() and rfkill_destroy() called on the saved pointer. With the rfkill operations moved outside the device lock, the ordering inversion, and with it the deadlock, is eliminated.
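The following C model is an added illustration, not kernel code: it replays the two lock sequences described above through a minimal lockdep-style order checker, so that the pre-fix nfc_unregister_device() sequence trips the ABBA check while the fixed sequence does not. Apart from the two locks and the kernel functions named in the advisory, every identifier here is hypothetical.

```c
#include <stdbool.h>
#include <string.h>

/* Hypothetical lockdep-style model of the two locks named in the advisory (not kernel code). */
enum { DEVICE_LOCK = 0, RFKILL_GLOBAL_MUTEX = 1, NLOCKS = 2 };
/* seen_before[a][b] records that some thread acquired b while already holding a. */
static bool seen_before[NLOCKS][NLOCKS];
struct thread { int held[NLOCKS]; int nheld; };
/* Record the edges held -> l; refuse (false) if the reverse edge exists: the ABBA inversion. */
static bool lock_acquire(struct thread *t, int l) {
    for (int i = 0; i < t->nheld; i++) {
        int h = t->held[i];
        if (seen_before[l][h]) return false;   /* l was once held while h was taken */
        seen_before[h][l] = true;
    }
    t->held[t->nheld++] = l;
    return true;
}
static void lock_release(struct thread *t, int l) {
    for (int i = 0; i < t->nheld; i++)
        if (t->held[i] == l) { t->held[i] = t->held[--t->nheld]; return; }
}
/* Thread A: rfkill_fop_write() holds rfkill_global_mutex and then takes device_lock. */
static bool rfkill_fop_write_model(struct thread *t) {
    bool ok = lock_acquire(t, RFKILL_GLOBAL_MUTEX) && lock_acquire(t, DEVICE_LOCK);
    lock_release(t, DEVICE_LOCK); lock_release(t, RFKILL_GLOBAL_MUTEX);
    return ok;
}
/* Thread B before the fix: rfkill_unregister(), which takes rfkill_global_mutex, runs under device_lock. */
static bool nfc_unregister_device_buggy(struct thread *t) {
    bool ok = lock_acquire(t, DEVICE_LOCK) && lock_acquire(t, RFKILL_GLOBAL_MUTEX);
    lock_release(t, RFKILL_GLOBAL_MUTEX); lock_release(t, DEVICE_LOCK);
    return ok;
}
/* Thread B after the fix: copy the rfkill pointer under device_lock, drop it, then unregister. */
static bool nfc_unregister_device_fixed(struct thread *t) {
    bool ok = lock_acquire(t, DEVICE_LOCK);          /* rfkill = dev->rfkill; dev->rfkill = NULL; */
    lock_release(t, DEVICE_LOCK);
    ok = ok && lock_acquire(t, RFKILL_GLOBAL_MUTEX); /* inside rfkill_unregister() */
    lock_release(t, RFKILL_GLOBAL_MUTEX);
    return ok;
}

/* Replay both threads' lock sequences; true means no ordering inversion was recorded. */
static bool check_ordering(bool (*unregister_fn)(struct thread *)) {
    struct thread a = {{0}, 0}, b = {{0}, 0};
    memset(seen_before, 0, sizeof seen_before);
    return rfkill_fop_write_model(&a) && unregister_fn(&b);
}
```

The checker only records pairwise acquisition order, as lockdep does, so it flags the inversion even when the two threads never actually race; that is why such ordering bugs are caught on a single run with lockdep enabled rather than only under contention.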