From: Simon Horman <horms@kernel.org>
To: Kuniyuki Iwashima <kuniyu@google.com>
Cc: "David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	Ilan Elias <ilane@ti.com>, Kuniyuki Iwashima <kuni1840@gmail.com>,
	netdev@vger.kernel.org,
	syzbot+f9c5fd1a0874f9069dce@syzkaller.appspotmail.com
Subject: Re: [PATCH v2 net] nfc: nci: Fix race between rfkill and nci_unregister_device().
Date: Wed, 28 Jan 2026 17:16:23 +0000
Message-ID: <aXpEZ4F9341XjuBq@horms.kernel.org>
In-Reply-To: <20260127040411.494931-1-kuniyu@google.com>

On Tue, Jan 27, 2026 at 04:03:59AM +0000, Kuniyuki Iwashima wrote:
> syzbot reported the splat below [0] without a repro.
> 
> It indicates that struct nci_dev.cmd_wq had been destroyed before
> nci_close_device() was called via rfkill.
> 
> nci_dev.cmd_wq is only destroyed in nci_unregister_device(), which
> (I think) was called from virtual_ncidev_close() when syzbot close()d
> an fd of virtual_ncidev.
> 
> The problem is that nci_unregister_device() destroys nci_dev.cmd_wq
> first and then calls nfc_unregister_device(), which removes the
> device from rfkill by rfkill_unregister().
> 
> So, the device is still visible via rfkill even after nci_dev.cmd_wq
> is destroyed.
> 
> Let's unregister the device from rfkill first in nci_unregister_device().
> 
> Note that we cannot call nfc_unregister_device() before
> nci_close_device() because
> 
>   1) nfc_unregister_device() calls device_del() which frees
>      all memory allocated by devm_kzalloc() and linked to
>      ndev->conn_info_list
> 
>   2) nci_rx_work() could try to queue nci_conn_info to
>      ndev->conn_info_list which could be leaked
> 
> Thus, nfc_unregister_device() is split into two functions so we
> can remove rfkill interfaces only before nci_close_device().

...

> Fixes: 6a2968aaf50c ("NFC: basic NCI protocol implementation")
> Reported-by: syzbot+f9c5fd1a0874f9069dce@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/all/695e7f56.050a0220.1c677c.036c.GAE@google.com/
> Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
> ---
> v2:
>   * Split nfc_unregister_device() and remove rfkill only
>     before nci_close_device()
> 
> v1: https://lore.kernel.org/netdev/20260126071359.2693214-1-kuniyu@google.com/

Reviewed-by: Simon Horman <horms@kernel.org>

...
