CVE-2026-31509

Name	CVE-2026-31509
Description	In the Linux kernel, the following vulnerability has been resolved: nfc: nci: fix circular locking dependency in nci_close_device nci_close_device() flushes rx_wq and tx_wq while holding req_lock. This causes a circular locking dependency because nci_rx_work() running on rx_wq can end up taking req_lock too: nci_rx_work -> nci_rx_data_packet -> nci_data_exchange_complete -> __sk_destruct -> rawsock_destruct -> nfc_deactivate_target -> nci_deactivate_target -> nci_request -> mutex_lock(&ndev->req_lock) Move the flush of rx_wq after req_lock has been released. This should safe (I think) because NCI_UP has already been cleared and the transport is closed, so the work will see it and return -ENETDOWN. NIPA has been hitting this running the nci selftest with a debug kernel on roughly 4% of the runs.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-4561-1, DSA-6238-1, DSA-6243-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
linux (PTS)	bullseye	5.10.223-1	vulnerable
	bullseye (security)	5.10.251-4	vulnerable
	bookworm	6.1.159-1	vulnerable
	bookworm (security)	6.1.170-3	fixed
	trixie	6.12.73-1	vulnerable
	trixie (security)	6.12.86-1	fixed
	forky, sid	7.0.4-1	fixed
linux-6.1 (PTS)	bullseye (security)	6.1.170-3~deb11u1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin
linux	source	bookworm	6.1.170-1	DSA-6243-1
linux	source	trixie	6.12.85-1	DSA-6238-1
linux	source	(unstable)	6.19.11-1
linux-6.1	source	bullseye	6.1.170-1~deb11u1	DLA-4561-1

https://git.kernel.org/linus/4527025d440ce84bf56e75ce1df2e84cb8178616 (7.0-rc6)