CVE-2024-26892

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-26892
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-26892.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-26892
Downstream
Related
Published
2024-04-17T10:27:44Z
Modified
2025-10-15T09:53:53.121172Z
Summary
wifi: mt76: mt7921e: fix use-after-free in free_irq()
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: mt76: mt7921e: fix use-after-free in free_irq()

From commit a304e1b82808 ("[PATCH] Debug shared irqs"), there is a test to make sure the shared irq handler should be able to handle the unexpected event after deregistration. For this case, let's apply MT76_REMOVED flag to indicate the device was removed and do not run into the resource access anymore.

BUG: KASAN: use-after-free in mt7921irqhandler+0xd8/0x100 [mt7921e] Read of size 8 at addr ffff88824a7d3b78 by task rmmod/11115 CPU: 28 PID: 11115 Comm: rmmod Tainted: G W L 5.17.0 #10 Hardware name: Micro-Star International Co., Ltd. MS-7D73/MPG B650I EDGE WIFI (MS-7D73), BIOS 1.81 01/05/2024 Call Trace: <TASK> dumpstacklvl+0x6f/0xa0 printaddressdescription.constprop.0+0x1f/0x190 ? mt7921irqhandler+0xd8/0x100 [mt7921e] ? mt7921irqhandler+0xd8/0x100 [mt7921e] kasanreport.cold+0x7f/0x11b ? mt7921irqhandler+0xd8/0x100 [mt7921e] mt7921irqhandler+0xd8/0x100 [mt7921e] freeirq+0x627/0xaa0 devmfreeirq+0x94/0xd0 ? devmrequestanycontextirq+0x160/0x160 ? kobjectput+0x18d/0x4a0 mt7921pciremove+0x153/0x190 [mt7921e] pcideviceremove+0xa2/0x1d0 _devicereleasedriver+0x346/0x6e0 driverdetach+0x1ef/0x2c0 busremovedriver+0xe7/0x2d0 ? _checkobjectsize+0x57/0x310 pciunregisterdriver+0x26/0x250 _dosysdeletemodule+0x307/0x510 ? freemodule+0x6a0/0x6a0 ? fpregsassertstateconsistent+0x4b/0xb0 ? rcureadlockschedheld+0x10/0x70 ? syscallenterfromusermode+0x20/0x70 ? tracehardirqson+0x1c/0x130 dosyscall64+0x5c/0x80 ? tracehardirqsonprepare+0x72/0x160 ? dosyscall64+0x68/0x80 ? tracehardirqsonprepare+0x72/0x160 entrySYSCALL64afterhwframe+0x44/0xae

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
9270270d62191b7549296721e8d5f3dc0df01563
Fixed
c7dd42fbebcfb02bef070fd48f774d6412d0b49d
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
9270270d62191b7549296721e8d5f3dc0df01563
Fixed
bfe1adf1606f76c180324e53b130f0e76d5cc6c3
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
9270270d62191b7549296721e8d5f3dc0df01563
Fixed
bfeaef901194c5923ce3330272786eff2fac513a
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
9270270d62191b7549296721e8d5f3dc0df01563
Fixed
c957280ef6ab6bdf559a91ae693a6b34310697e3
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
a76eaaaafd8b408238d7865bbbbd311f08988f3d
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
95e41ac30a0d0b3637f0b3c93235a7a107a2fb7f

Affected versions

v5.*

v5.10.1
v5.10.10
v5.10.11
v5.10.12
v5.10.13
v5.10.14
v5.10.15
v5.10.16
v5.10.17
v5.10.18
v5.10.19
v5.10.2
v5.10.3
v5.10.4
v5.10.5
v5.10.6
v5.10.7
v5.10.8
v5.10.9
v5.11.1
v5.11.10
v5.11.11
v5.11.12
v5.11.13
v5.11.14
v5.11.15
v5.11.16
v5.11.17
v5.11.18
v5.11.19
v5.11.2
v5.11.20
v5.11.21
v5.11.3
v5.11.4
v5.11.5
v5.11.6
v5.11.7
v5.11.8
v5.11.9
v5.12.1
v5.12.10
v5.12.11
v5.12.12
v5.12.13
v5.12.14
v5.12.15
v5.12.16
v5.12.17
v5.12.18
v5.12.19
v5.12.2
v5.12.3
v5.12.4
v5.12.5
v5.12.6
v5.12.7
v5.12.8
v5.12.9
v5.13.1
v5.13.10
v5.13.11
v5.13.12
v5.13.13
v5.13.14
v5.13.15
v5.13.16
v5.13.17
v5.13.18
v5.13.2
v5.13.3
v5.13.4
v5.13.5
v5.13.6
v5.13.7
v5.13.8
v5.13.9
v5.14.1
v5.14.10
v5.14.11
v5.14.12
v5.14.13
v5.14.14
v5.14.15
v5.14.16
v5.14.17
v5.14.18
v5.14.19
v5.14.2
v5.14.20
v5.14.3
v5.14.4
v5.14.5
v5.14.6
v5.14.7
v5.14.8
v5.14.9
v5.15.1
v5.15.10
v5.15.11
v5.15.12
v5.15.13
v5.15.14
v5.15.15
v5.15.16
v5.15.17
v5.15.18
v5.15.19
v5.15.2
v5.15.3
v5.15.4
v5.15.5
v5.15.6
v5.15.7
v5.15.8
v5.15.9
v5.16.1
v5.16.10
v5.16.11
v5.16.12
v5.16.13
v5.16.14
v5.16.15
v5.16.16
v5.16.17
v5.16.18
v5.16.19
v5.16.2
v5.16.20
v5.16.3
v5.16.4
v5.16.5
v5.16.6
v5.16.7
v5.16.8
v5.16.9
v5.17.1
v5.17.10
v5.17.11
v5.17.12
v5.17.13
v5.17.14
v5.17.2
v5.17.3
v5.17.4
v5.17.5
v5.17.6
v5.17.7
v5.17.8
v5.17.9
v5.18.1
v5.18.10
v5.18.11
v5.18.12
v5.18.13
v5.18.14
v5.18.15
v5.18.16
v5.18.17
v5.18.18
v5.18.19
v5.18.2
v5.18.3
v5.18.4
v5.18.5
v5.18.6
v5.18.7
v5.18.8
v5.18.9
v5.19.1
v5.19.10
v5.19.11
v5.19.12
v5.19.13
v5.19.14
v5.19.15
v5.19.16
v5.19.2
v5.19.3
v5.19.4
v5.19.5
v5.19.6
v5.19.7
v5.19.8
v5.19.9
v5.6.1
v5.6.10
v5.6.11
v5.6.12
v5.6.13
v5.6.14
v5.6.15
v5.6.16
v5.6.17
v5.6.18
v5.6.2
v5.6.3
v5.6.4
v5.6.5
v5.6.6
v5.6.7
v5.6.8
v5.6.9
v5.7.1
v5.7.10
v5.7.11
v5.7.12
v5.7.13
v5.7.14
v5.7.15
v5.7.16
v5.7.2
v5.7.3
v5.7.4
v5.7.5
v5.7.6
v5.7.7
v5.7.8
v5.7.9
v5.8.1
v5.8.10
v5.8.11
v5.8.12
v5.8.13
v5.8.14
v5.8.15
v5.8.16
v5.8.17
v5.8.18
v5.8.2
v5.8.3
v5.8.4
v5.8.5
v5.8.6
v5.8.7
v5.8.8
v5.8.9
v5.9.1
v5.9.10
v5.9.11
v5.9.12
v5.9.13
v5.9.14
v5.9.15
v5.9.16
v5.9.2
v5.9.3
v5.9.4
v5.9.5
v5.9.6
v5.9.7
v5.9.8
v5.9.9

v6.*

v6.0.1
v6.0.10
v6.0.11
v6.0.12
v6.0.13
v6.0.14
v6.0.15
v6.0.16
v6.0.17
v6.0.18
v6.0.2
v6.0.3
v6.0.4
v6.0.5
v6.0.6
v6.0.7
v6.0.8
v6.0.9
v6.1.1
v6.1.10
v6.1.11
v6.1.12
v6.1.13
v6.1.14
v6.1.15
v6.1.2
v6.1.3
v6.1.4
v6.1.5
v6.1.6
v6.1.7
v6.1.8
v6.1.9
v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.10.1
v6.10.10
v6.10.11
v6.10.12
v6.10.13
v6.10.2
v6.10.3
v6.10.4
v6.10.5
v6.10.6
v6.10.7
v6.10.8
v6.10.9
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.11.1
v6.11.10
v6.11.11
v6.11.2
v6.11.3
v6.11.4
v6.11.5
v6.11.6
v6.11.7
v6.11.8
v6.11.9
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.2
v6.12.3
v6.12.4
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.13.1
v6.13.10
v6.13.11
v6.13.12
v6.13.2
v6.13.3
v6.13.4
v6.13.5
v6.13.6
v6.13.7
v6.13.8
v6.13.9
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.14.1
v6.14.10
v6.14.11
v6.14.2
v6.14.3
v6.14.4
v6.14.5
v6.14.6
v6.14.7
v6.14.8
v6.14.9
v6.15
v6.15-rc1
v6.15-rc2
v6.15-rc3
v6.15-rc4
v6.15-rc5
v6.15-rc6
v6.15-rc7
v6.15.1
v6.15.10
v6.15.11
v6.15.2
v6.15.3
v6.15.4
v6.15.5
v6.15.6
v6.15.7
v6.15.8
v6.15.9
v6.16
v6.16-rc1
v6.16-rc2
v6.16-rc3
v6.16-rc4
v6.16-rc5
v6.16-rc6
v6.16-rc7
v6.16.1
v6.16.10
v6.16.11
v6.16.12
v6.16.2
v6.16.3
v6.16.4
v6.16.5
v6.16.6
v6.16.7
v6.16.8
v6.16.9
v6.17
v6.17-rc1
v6.17-rc2
v6.17-rc3
v6.17-rc4
v6.17-rc5
v6.17-rc6
v6.17-rc7
v6.17.1
v6.17.2
v6.2.1
v6.2.10
v6.2.11
v6.2.12
v6.2.13
v6.2.14
v6.2.15
v6.2.16
v6.2.2
v6.2.3
v6.2.4
v6.2.5
v6.2.6
v6.2.7
v6.2.8
v6.2.9
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.3.1
v6.3.10
v6.3.11
v6.3.12
v6.3.13
v6.3.2
v6.3.3
v6.3.4
v6.3.5
v6.3.6
v6.3.7
v6.3.8
v6.3.9
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.4.1
v6.4.10
v6.4.11
v6.4.12
v6.4.13
v6.4.14
v6.4.15
v6.4.16
v6.4.2
v6.4.3
v6.4.4
v6.4.5
v6.4.6
v6.4.7
v6.4.8
v6.4.9
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.5.1
v6.5.10
v6.5.11
v6.5.12
v6.5.13
v6.5.2
v6.5.3
v6.5.4
v6.5.5
v6.5.6
v6.5.7
v6.5.8
v6.5.9
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.3
v6.6.4
v6.6.5
v6.6.6
v6.6.7
v6.6.8
v6.6.9
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.7.1
v6.7.10
v6.7.11
v6.7.2
v6.7.3
v6.7.4
v6.7.5
v6.7.6
v6.7.7
v6.7.8
v6.7.9
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.8.1
v6.8.10
v6.8.11
v6.8.2
v6.8.3
v6.8.4
v6.8.5
v6.8.6
v6.8.7
v6.8.8
v6.8.9
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7
v6.9.1
v6.9.10
v6.9.11
v6.9.12
v6.9.2
v6.9.3
v6.9.4
v6.9.5
v6.9.6
v6.9.7
v6.9.8
v6.9.9

Database specific

{
    "vanir_signatures": [
        {
            "signature_version": "v1",
            "target": {
                "file": "drivers/net/wireless/mediatek/mt76/mt792x_dma.c"
            },
            "signature_type": "Line",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c7dd42fbebcfb02bef070fd48f774d6412d0b49d",
            "deprecated": false,
            "digest": {
                "line_hashes": [
                    "93119016344350514052052733866104559705",
                    "47284752152123597158297910768413314480",
                    "243081213298886592022393481803733533160"
                ],
                "threshold": 0.9
            },
            "id": "CVE-2024-26892-094d3f9a"
        },
        {
            "signature_version": "v1",
            "target": {
                "function": "mt7921_pci_remove",
                "file": "drivers/net/wireless/mediatek/mt76/mt7921/pci.c"
            },
            "signature_type": "Function",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c7dd42fbebcfb02bef070fd48f774d6412d0b49d",
            "deprecated": false,
            "digest": {
                "length": 274.0,
                "function_hash": "110939045375814040277840709596430819004"
            },
            "id": "CVE-2024-26892-15a6f37f"
        },
        {
            "signature_version": "v1",
            "target": {
                "function": "mt7921_pci_remove",
                "file": "drivers/net/wireless/mediatek/mt76/mt7921/pci.c"
            },
            "signature_type": "Function",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bfe1adf1606f76c180324e53b130f0e76d5cc6c3",
            "deprecated": false,
            "digest": {
                "length": 274.0,
                "function_hash": "110939045375814040277840709596430819004"
            },
            "id": "CVE-2024-26892-44067f43"
        },
        {
            "signature_version": "v1",
            "target": {
                "file": "drivers/net/wireless/mediatek/mt76/mt7921/pci.c"
            },
            "signature_type": "Line",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c7dd42fbebcfb02bef070fd48f774d6412d0b49d",
            "deprecated": false,
            "digest": {
                "line_hashes": [
                    "142739325769602084744920920259403998869",
                    "339274191393047382779877967041553034728",
                    "107368446590577617933642538866635433543",
                    "148581937847550515789760482844132968716"
                ],
                "threshold": 0.9
            },
            "id": "CVE-2024-26892-44174179"
        },
        {
            "signature_version": "v1",
            "target": {
                "file": "drivers/net/wireless/mediatek/mt76/mt792x_dma.c"
            },
            "signature_type": "Line",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bfe1adf1606f76c180324e53b130f0e76d5cc6c3",
            "deprecated": false,
            "digest": {
                "line_hashes": [
                    "93119016344350514052052733866104559705",
                    "47284752152123597158297910768413314480",
                    "243081213298886592022393481803733533160"
                ],
                "threshold": 0.9
            },
            "id": "CVE-2024-26892-7114648e"
        },
        {
            "signature_version": "v1",
            "target": {
                "file": "drivers/net/wireless/mediatek/mt76/mt7921/pci.c"
            },
            "signature_type": "Line",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c957280ef6ab6bdf559a91ae693a6b34310697e3",
            "deprecated": false,
            "digest": {
                "line_hashes": [
                    "142739325769602084744920920259403998869",
                    "339274191393047382779877967041553034728",
                    "107368446590577617933642538866635433543",
                    "148581937847550515789760482844132968716"
                ],
                "threshold": 0.9
            },
            "id": "CVE-2024-26892-afa17c85"
        },
        {
            "signature_version": "v1",
            "target": {
                "function": "mt792x_irq_handler",
                "file": "drivers/net/wireless/mediatek/mt76/mt792x_dma.c"
            },
            "signature_type": "Function",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c957280ef6ab6bdf559a91ae693a6b34310697e3",
            "deprecated": false,
            "digest": {
                "length": 282.0,
                "function_hash": "6636836414823761035227429771163215020"
            },
            "id": "CVE-2024-26892-bbc0f8c0"
        },
        {
            "signature_version": "v1",
            "target": {
                "function": "mt792x_irq_handler",
                "file": "drivers/net/wireless/mediatek/mt76/mt792x_dma.c"
            },
            "signature_type": "Function",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bfe1adf1606f76c180324e53b130f0e76d5cc6c3",
            "deprecated": false,
            "digest": {
                "length": 282.0,
                "function_hash": "6636836414823761035227429771163215020"
            },
            "id": "CVE-2024-26892-c9d6bf60"
        },
        {
            "signature_version": "v1",
            "target": {
                "file": "drivers/net/wireless/mediatek/mt76/mt7921/pci.c"
            },
            "signature_type": "Line",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bfe1adf1606f76c180324e53b130f0e76d5cc6c3",
            "deprecated": false,
            "digest": {
                "line_hashes": [
                    "142739325769602084744920920259403998869",
                    "339274191393047382779877967041553034728",
                    "107368446590577617933642538866635433543",
                    "148581937847550515789760482844132968716"
                ],
                "threshold": 0.9
            },
            "id": "CVE-2024-26892-ca494be9"
        },
        {
            "signature_version": "v1",
            "target": {
                "function": "mt7921_pci_remove",
                "file": "drivers/net/wireless/mediatek/mt76/mt7921/pci.c"
            },
            "signature_type": "Function",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c957280ef6ab6bdf559a91ae693a6b34310697e3",
            "deprecated": false,
            "digest": {
                "length": 274.0,
                "function_hash": "110939045375814040277840709596430819004"
            },
            "id": "CVE-2024-26892-e0c99e30"
        },
        {
            "signature_version": "v1",
            "target": {
                "file": "drivers/net/wireless/mediatek/mt76/mt792x_dma.c"
            },
            "signature_type": "Line",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c957280ef6ab6bdf559a91ae693a6b34310697e3",
            "deprecated": false,
            "digest": {
                "line_hashes": [
                    "93119016344350514052052733866104559705",
                    "47284752152123597158297910768413314480",
                    "243081213298886592022393481803733533160"
                ],
                "threshold": 0.9
            },
            "id": "CVE-2024-26892-e1a4072e"
        },
        {
            "signature_version": "v1",
            "target": {
                "function": "mt792x_irq_handler",
                "file": "drivers/net/wireless/mediatek/mt76/mt792x_dma.c"
            },
            "signature_type": "Function",
            "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c7dd42fbebcfb02bef070fd48f774d6412d0b49d",
            "deprecated": false,
            "digest": {
                "length": 282.0,
                "function_hash": "6636836414823761035227429771163215020"
            },
            "id": "CVE-2024-26892-e727819a"
        }
    ]
}

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.4.0
Fixed
6.6.23
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.7.11
Type
ECOSYSTEM
Events
Introduced
6.8.0
Fixed
6.8.2