{"id":77150,"date":"2026-02-14T19:45:56","date_gmt":"2026-02-14T16:15:56","guid":{"rendered":"https:\/\/afaghhosting.net\/blog\/cve-2026-23167-nfc-nci-fix-race-between-rfkill-and-nci_unregister_device\/"},"modified":"2026-02-14T19:45:56","modified_gmt":"2026-02-14T16:15:56","slug":"cve-2026-23167-nfc-nci-fix-race-between-rfkill-and-nci_unregister_device","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cve-2026-23167-nfc-nci-fix-race-between-rfkill-and-nci_unregister_device\/","title":{"rendered":"CVE-2026-23167 &#8211; nfc: nci: Fix race between rfkill and nci_unregister_device()."},"content":{"rendered":"<p>CVE ID : CVE-2026-23167<\/p>\n<p>Published :  Feb. 14, 2026, 4:15 p.m. | 14\u00a0minutes ago<\/p>\n<p>Description : In the Linux kernel, the following vulnerability has been resolved:<\/p>\n<p>nfc: nci: Fix race between rfkill and nci_unregister_device().<\/p>\n<p>syzbot reported the splat below [0] without a repro.<\/p>\n<p>It indicates that struct nci_dev.cmd_wq had been destroyed before<br \/>\nnci_close_device() was called via rfkill.<\/p>\n<p>nci_dev.cmd_wq is only destroyed in nci_unregister_device(), which<br \/>\n(I think) was called from virtual_ncidev_close() when syzbot close()d<br \/>\nan fd of virtual_ncidev.<\/p>\n<p>The problem is that nci_unregister_device() destroys nci_dev.cmd_wq<br \/>\nfirst and then calls nfc_unregister_device(), which removes the<br \/>\ndevice from rfkill by rfkill_unregister().<\/p>\n<p>So, the device is still visible via rfkill even after nci_dev.cmd_wq<br \/>\nis destroyed.<\/p>\n<p>Let&#8217;s unregister the device from rfkill first in nci_unregister_device().<\/p>\n<p>Note that we cannot call nfc_unregister_device() before<br \/>\nnci_close_device() because<\/p>\n<p>  1) nfc_unregister_device() calls device_del() which frees<br \/>\n     all memory allocated by devm_kzalloc() and linked to<br \/>\n     ndev-&gt;conn_info_list<\/p>\n<p>  2) nci_rx_work() could try to queue nci_conn_info to<br \/>\n     ndev-&gt;conn_info_list which could be leaked<\/p>\n<p>Thus, nfc_unregister_device() is split into two functions so we<br \/>\ncan remove rfkill interfaces only before nci_close_device().<\/p>\n[0]:<br \/>\nDEBUG_LOCKS_WARN_ON(1)<br \/>\nWARNING: kernel\/locking\/lockdep.c:238 at hlock_class kernel\/locking\/lockdep.c:238 [inline], CPU#0: syz.0.8675\/6349<br \/>\nWARNING: kernel\/locking\/lockdep.c:238 at check_wait_context kernel\/locking\/lockdep.c:4854 [inline], CPU#0: syz.0.8675\/6349<br \/>\nWARNING: kernel\/locking\/lockdep.c:238 at __lock_acquire+0x39d\/0x2cf0 kernel\/locking\/lockdep.c:5187, CPU#0: syz.0.8675\/6349<br \/>\nModules linked in:<br \/>\nCPU: 0 UID: 0 PID: 6349 Comm: syz.0.8675 Not tainted syzkaller #0 PREEMPT(full)<br \/>\nHardware name: Google Google Compute Engine\/Google Compute Engine, BIOS Google 01\/13\/2026<br \/>\nRIP: 0010:hlock_class kernel\/locking\/lockdep.c:238 [inline]\nRIP: 0010:check_wait_context kernel\/locking\/lockdep.c:4854 [inline]\nRIP: 0010:__lock_acquire+0x3a4\/0x2cf0 kernel\/locking\/lockdep.c:5187<br \/>\nCode: 18 00 4c 8b 74 24 08 75 27 90 e8 17 f2 fc 02 85 c0 74 1c 83 3d 50 e0 4e 0e 00 75 13 48 8d 3d 43 f7 51 0e 48 c7 c6 8b 3a de 8d  48 0f b9 3a 90 31 c0 0f b6 98 c4 00 00 00 41 8b 45 20 25 ff 1f<br \/>\nRSP: 0018:ffffc9000c767680 EFLAGS: 00010046<br \/>\nRAX: 0000000000000001 RBX: 0000000000040000 RCX: 0000000000080000<br \/>\nRDX: ffffc90013080000 RSI: ffffffff8dde3a8b RDI: ffffffff8ff24ca0<br \/>\nRBP: 0000000000000003 R08: ffffffff8fef35a3 R09: 1ffffffff1fde6b4<br \/>\nR10: dffffc0000000000 R11: fffffbfff1fde6b5 R12: 00000000000012a2<br \/>\nR13: ffff888030338ba8 R14: ffff888030338000 R15: ffff888030338b30<br \/>\nFS:  00007fa5995f66c0(0000) GS:ffff8881256f8000(0000) knlGS:0000000000000000<br \/>\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br \/>\nCR2: 00007f7e72f842d0 CR3: 00000000485a0000 CR4: 00000000003526f0<br \/>\nCall Trace:<\/p>\n<p> lock_acquire+0x106\/0x330 kernel\/locking\/lockdep.c:5868<br \/>\n touch_wq_lockdep_map+0xcb\/0x180 kernel\/workqueue.c:3940<br \/>\n __flush_workqueue+0x14b\/0x14f0 kernel\/workqueue.c:3982<br \/>\n nci_close_device+0x302\/0x630 net\/nfc\/nci\/core.c:567<br \/>\n nci_dev_down+0x3b\/0x50 net\/nfc\/nci\/core.c:639<br \/>\n nfc_dev_down+0x152\/0x290 net\/nfc\/core.c:161<br \/>\n nfc_rfkill_set_block+0x2d\/0x100 net\/nfc\/core.c:179<br \/>\n rfkill_set_block+0x1d2\/0x440 net\/rfkill\/core.c:346<br \/>\n rfkill_fop_write+0x461\/0x5a0 net\/rfkill\/core.c:1301<br \/>\n vfs_write+0x29a\/0xb90 fs\/read_write.c:684<br \/>\n ksys_write+0x150\/0x270 fs\/read_write.c:738<br \/>\n do_syscall_x64 arch\/x86\/entry\/syscall_64.c:63 [inline]\n do_syscall_64+0xe2\/0xf80 arch\/x86\/entry\/syscall_64.c:94<br \/>\n entry_SYSCALL_64_after_hwframe+0x77\/0x7f<br \/>\nRIP: 0033:0x7fa59b39acb9<br \/>\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05  3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48<br \/>\nRSP: 002b:00007fa5995f6028 EFLAGS: 00000246 ORIG_RAX: 0000000000000001<br \/>\nRAX: ffffffffffffffda RBX: 00007fa59b615fa0 RCX: 00007fa59b39acb9<br \/>\nRDX: 0000000000000008 RSI: 0000200000000080 RDI: 0000000000000007<br \/>\nRBP: 00007fa59b408bf7 R08:<br \/>\n&#8212;truncated&#8212;<\/p>\n<p>Severity: 0.0 | NA<\/p>\n<p>Visit the link for more details, such as CVSS details, affected products, timeline, and more&#8230;\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CVE ID : CVE-2026-23167 Published : Feb. 14, 2026, 4:15 p.m. | 14\u00a0minutes ago Description : In the Linux kernel, the following vulnerability has been resolved: nfc: nci: Fix race between rfkill and nci_unregister_device(). syzbot reported the splat below [0] without a repro. It indicates that struct nci_dev.cmd_wq had been destroyed before nci_close_device() was called &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-77150","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/77150","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=77150"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/77150\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=77150"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=77150"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=77150"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
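The teardown-ordering bug described in the commit message above, replayed as an added user-space model (this is example code written for this page, not Linux kernel code). Function names mirror the kernel functions named in the report but are hypothetical stand-ins: the workqueue is a struct with a state flag instead of being freed, and the concurrent write to /dev/rfkill is injected deterministically through a hook between the teardown steps rather than from a second thread. The point it demonstrates is the fix's principle: remove the external reachability path (rfkill) before destroying the resource (cmd_wq) that path can still flush.

```c
/* Added example, not kernel code: user-space model of the teardown
 * ordering behind CVE-2026-23167. All names are hypothetical stand-ins
 * for the kernel functions named in the commit message. */
#include <stdbool.h>
#include <stdio.h>

enum wq_state { WQ_ALIVE = 1, WQ_DESTROYED = 2 };

struct cmd_wq {
    enum wq_state state;  /* the kernel frees the object; kept here so misuse is observable */
};

struct nci_dev {
    struct cmd_wq cmd_wq;   /* nci_dev.cmd_wq, destroyed in nci_unregister_device() */
    bool rfkill_registered; /* true until rfkill_unregister() has run */
};

enum rfkill_result {
    RFKILL_NOT_FOUND = 0,         /* device no longer visible to rfkill: safe */
    RFKILL_CLOSED_OK = 1,         /* nci_close_device() flushed a live cmd_wq */
    RFKILL_USE_AFTER_DESTROY = 2, /* flush of a destroyed cmd_wq: the reported splat */
};

static void nci_dev_init(struct nci_dev *ndev) {
    ndev->cmd_wq.state = WQ_ALIVE;
    ndev->rfkill_registered = true;
}

static void destroy_workqueue(struct cmd_wq *wq) { wq->state = WQ_DESTROYED; }

/* __flush_workqueue() on a destroyed queue is where lockdep's
 * DEBUG_LOCKS_WARN_ON(1) fired in the report; modelled as a false return. */
static bool flush_workqueue(struct cmd_wq *wq) { return wq->state == WQ_ALIVE; }

/* nci_close_device() flushes cmd_wq even when the device is already down
 * (a queued cmd_work may still be running), so it must never see a
 * destroyed queue. */
static bool nci_close_device(struct nci_dev *ndev) {
    return flush_workqueue(&ndev->cmd_wq);
}

/* rfkill_fop_write() -> rfkill_set_block() -> nfc_rfkill_set_block()
 * -> nfc_dev_down() -> nci_dev_down() -> nci_close_device() */
static enum rfkill_result rfkill_block_write(struct nci_dev *ndev) {
    if (!ndev->rfkill_registered)
        return RFKILL_NOT_FOUND;
    return nci_close_device(ndev) ? RFKILL_CLOSED_OK : RFKILL_USE_AFTER_DESTROY;
}

typedef enum rfkill_result (*racer_fn)(struct nci_dev *);

/* Pre-fix order: close, destroy cmd_wq, and only then let
 * nfc_unregister_device() drop the rfkill registration. The racer runs
 * in the window where cmd_wq is gone but rfkill still reaches the device. */
static enum rfkill_result nci_unregister_device_old(struct nci_dev *ndev, racer_fn racer) {
    nci_close_device(ndev);
    destroy_workqueue(&ndev->cmd_wq);
    enum rfkill_result r = racer(ndev);  /* concurrent write to /dev/rfkill */
    ndev->rfkill_registered = false;     /* rfkill_unregister() via nfc_unregister_device() */
    return r;
}

/* Fixed order: make the device unreachable through rfkill first, then
 * close and tear down; the same racer now finds nothing to block. */
static enum rfkill_result nci_unregister_device_fixed(struct nci_dev *ndev, racer_fn racer) {
    ndev->rfkill_registered = false;     /* rfkill half of nfc_unregister_device(), split out */
    enum rfkill_result r = racer(ndev);
    nci_close_device(ndev);
    destroy_workqueue(&ndev->cmd_wq);
    return r;
}

/* Replay one teardown with a racing rfkill "block" write; fixed != 0 selects the fixed order. */
enum rfkill_result replay_teardown(int fixed) {
    struct nci_dev dev;
    nci_dev_init(&dev);
    return fixed ? nci_unregister_device_fixed(&dev, rfkill_block_write)
                 : nci_unregister_device_old(&dev, rfkill_block_write);
}

int main(void) {
    printf("pre-fix order: %d (2 = flush of destroyed cmd_wq)\n", replay_teardown(0));
    printf("fixed order:   %d (0 = rfkill no longer sees the device)\n", replay_teardown(1));
    return 0;
}
```

The model deliberately keeps the workqueue object alive after `destroy_workqueue()` so the wrong-order flush is a checkable state rather than undefined behaviour; in the real kernel the equivalent misuse is only caught because lockdep's map for the queue has already been torn down, which is why the report is a lockdep warning rather than a crash.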