Linux Kernel NFC NCI Device Unregistration Race Condition Vulnerability

Vulnerability

A race condition vulnerability has been identified in the Linux kernel's NFC (Near Field Communication) subsystem, specifically within the NCI (NFC Controller Interface) protocol implementation. This vulnerability arises during the unregistration of NFC devices, where the command workqueue associated with the NCI device can be prematurely destroyed before the device is fully closed. The issue was reported by syzbot and is related to the order of operations when removing a device from the rfkill subsystem, which manages wireless device states.

Impact

Exploitation of this vulnerability can lead to a use-after-free condition, where a destroyed workqueue is still referenced, potentially causing memory corruption or other undefined behavior.

Reproduction

The vulnerability can be reproduced by closing a file descriptor associated with a virtual NCI device while the device is being unregistered. This can be done using the rfkill interface to block the device, which triggers the unregistration process before the device is fully closed, leading to the race condition.

Remediation

The vulnerability has been addressed in upstream Linux kernel commits. Users should upgrade to a version that includes these commits to mitigate the issue.

Added: Feb 14, 2026, 4:44 PM
Updated: Feb 14, 2026, 4:44 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 1.3
exploitability: 3.9
remediation: 7.7
relevance: 2.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.