DEBIAN-CVE-2026-23167

In the Linux kernel, the following vulnerability has been resolved: nfc: nci: Fix race between rfkill and nciunregisterdevice(). syzbot reported the splat below [0] without a repro. It indicates that struct ncidev.cmdwq had been destroyed before nciclosedevice() was called via rfkill. ncidev.cmdwq is only destroyed in nciunregisterdevice(), which (I think) was called from virtualncidevclose() when syzbot close()d an fd of virtualncidev. The problem is that nciunregisterdevice() destroys ncidev.cmdwq first and then calls nfcunregisterdevice(), which removes the device from rfkill by rfkillunregister(). So, the device is still visible via rfkill even after ncidev.cmdwq is destroyed. Let's unregister the device from rfkill first in nciunregisterdevice(). Note that we cannot call nfcunregisterdevice() before nciclosedevice() because 1) nfcunregisterdevice() calls devicedel() which frees all memory allocated by devmkzalloc() and linked to ndev->conninfolist 2) ncirxwork() could try to queue nciconninfo to ndev->conninfolist which could be leaked Thus, nfcunregisterdevice() is split into two functions so we can remove rfkill interfaces only before nciclosedevice(). [0]: DEBUGLOCKSWARNON(1) WARNING: kernel/locking/lockdep.c:238 at hlockclass kernel/locking/lockdep.c:238 [inline], CPU#0: syz.0.8675/6349 WARNING: kernel/locking/lockdep.c:238 at checkwaitcontext kernel/locking/lockdep.c:4854 [inline], CPU#0: syz.0.8675/6349 WARNING: kernel/locking/lockdep.c:238 at __lockacquire+0x39d/0x2cf0 kernel/locking/lockdep.c:5187, CPU#0: syz.0.8675/6349 Modules linked in: CPU: 0 UID: 0 PID: 6349 Comm: syz.0.8675 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/13/2026 RIP: 0010:hlockclass kernel/locking/lockdep.c:238 [inline] RIP: 0010:checkwaitcontext kernel/locking/lockdep.c:4854 [inline] RIP: 0010:__lockacquire+0x3a4/0x2cf0 kernel/locking/lockdep.c:5187 Code: 18 00 4c 8b 74 24 08 75 27 90 e8 17 f2 fc 02 85 c0 74 1c 83 3d 50 e0 4e 0e 00 75 13 48 8d 3d 43 f7 51 0e 48 c7 c6 8b 3a de 8d <67> 48 0f b9 3a 90 31 c0 0f b6 98 c4 00 00 00 41 8b 45 20 25 ff 1f RSP: 0018:ffffc9000c767680 EFLAGS: 00010046 RAX: 0000000000000001 RBX: 0000000000040000 RCX: 0000000000080000 RDX: ffffc90013080000 RSI: ffffffff8dde3a8b RDI: ffffffff8ff24ca0 RBP: 0000000000000003 R08: ffffffff8fef35a3 R09: 1ffffffff1fde6b4 R10: dffffc0000000000 R11: fffffbfff1fde6b5 R12: 00000000000012a2 R13: ffff888030338ba8 R14: ffff888030338000 R15: ffff888030338b30 FS: 00007fa5995f66c0(0000) GS:ffff8881256f8000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f7e72f842d0 CR3: 00000000485a0000 CR4: 00000000003526f0 Call Trace: <TASK> lockacquire+0x106/0x330 kernel/locking/lockdep.c:5868 touchwqlockdep_map+0xcb/0x180 kernel/workqueue.c:3940 _flushworkqueue+0x14b/0x14f0 kernel/workqueue.c:3982 nciclosedevice+0x302/0x630 net/nfc/nci/core.c:567 ncidevdown+0x3b/0x50 net/nfc/nci/core.c:639 nfcdevdown+0x152/0x290 net/nfc/core.c:161 nfcrfkillsetblock+0x2d/0x100 net/nfc/core.c:179 rfkillsetblock+0x1d2/0x440 net/rfkill/core.c:346 rfkillfopwrite+0x461/0x5a0 net/rfkill/core.c:1301 vfswrite+0x29a/0xb90 fs/readwrite.c:684 ksyswrite+0x150/0x270 fs/readwrite.c:738 dosyscallx64 arch/x86/entry/syscall64.c:63 [inline] dosyscall64+0xe2/0xf80 arch/x86/entry/syscall64.c:94 entrySYSCALL64afterhwframe+0x77/0x7f RIP: 0033:0x7fa59b39acb9 Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fa5995f6028 EFLAGS: 00000246 ORIGRAX: 0000000000000001 RAX: ffffffffffffffda RBX: 00007fa59b615fa0 RCX: 00007fa59b39acb9 RDX: 0000000000000008 RSI: 0000200000000080 RDI: 0000000000000007 RBP: 00007fa59b408bf7 R08: ---truncated---