In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76: mt7921e: fix use-after-free in free_irq()
From commit a304e1b82808 ("[PATCH] Debug shared irqs"), there is a test to make sure the shared irq handler should be able to handle the unexpected event after deregistration. For this case, let's apply MT76_REMOVED flag to indicate the device was removed and do not run into the resource access anymore.
BUG: KASAN: use-after-free in mt7921irqhandler+0xd8/0x100 [mt7921e] Read of size 8 at addr ffff88824a7d3b78 by task rmmod/11115 CPU: 28 PID: 11115 Comm: rmmod Tainted: G W L 5.17.0 #10 Hardware name: Micro-Star International Co., Ltd. MS-7D73/MPG B650I EDGE WIFI (MS-7D73), BIOS 1.81 01/05/2024 Call Trace: <TASK> dumpstacklvl+0x6f/0xa0 printaddressdescription.constprop.0+0x1f/0x190 ? mt7921irqhandler+0xd8/0x100 [mt7921e] ? mt7921irqhandler+0xd8/0x100 [mt7921e] kasanreport.cold+0x7f/0x11b ? mt7921irqhandler+0xd8/0x100 [mt7921e] mt7921irqhandler+0xd8/0x100 [mt7921e] freeirq+0x627/0xaa0 devmfreeirq+0x94/0xd0 ? devmrequestanycontextirq+0x160/0x160 ? kobjectput+0x18d/0x4a0 mt7921pciremove+0x153/0x190 [mt7921e] pcideviceremove+0xa2/0x1d0 _devicereleasedriver+0x346/0x6e0 driverdetach+0x1ef/0x2c0 busremovedriver+0xe7/0x2d0 ? _checkobjectsize+0x57/0x310 pciunregisterdriver+0x26/0x250 _dosysdeletemodule+0x307/0x510 ? freemodule+0x6a0/0x6a0 ? fpregsassertstateconsistent+0x4b/0xb0 ? rcureadlockschedheld+0x10/0x70 ? syscallenterfromusermode+0x20/0x70 ? tracehardirqson+0x1c/0x130 dosyscall64+0x5c/0x80 ? tracehardirqsonprepare+0x72/0x160 ? dosyscall64+0x68/0x80 ? tracehardirqsonprepare+0x72/0x160 entrySYSCALL64afterhwframe+0x44/0xae
{ "vanir_signatures": [ { "signature_version": "v1", "target": { "file": "drivers/net/wireless/mediatek/mt76/mt792x_dma.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c7dd42fbebcfb02bef070fd48f774d6412d0b49d", "deprecated": false, "digest": { "line_hashes": [ "93119016344350514052052733866104559705", "47284752152123597158297910768413314480", "243081213298886592022393481803733533160" ], "threshold": 0.9 }, "id": "CVE-2024-26892-094d3f9a" }, { "signature_version": "v1", "target": { "function": "mt7921_pci_remove", "file": "drivers/net/wireless/mediatek/mt76/mt7921/pci.c" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c7dd42fbebcfb02bef070fd48f774d6412d0b49d", "deprecated": false, "digest": { "length": 274.0, "function_hash": "110939045375814040277840709596430819004" }, "id": "CVE-2024-26892-15a6f37f" }, { "signature_version": "v1", "target": { "function": "mt7921_pci_remove", "file": "drivers/net/wireless/mediatek/mt76/mt7921/pci.c" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bfe1adf1606f76c180324e53b130f0e76d5cc6c3", "deprecated": false, "digest": { "length": 274.0, "function_hash": "110939045375814040277840709596430819004" }, "id": "CVE-2024-26892-44067f43" }, { "signature_version": "v1", "target": { "file": "drivers/net/wireless/mediatek/mt76/mt7921/pci.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c7dd42fbebcfb02bef070fd48f774d6412d0b49d", "deprecated": false, "digest": { "line_hashes": [ "142739325769602084744920920259403998869", "339274191393047382779877967041553034728", "107368446590577617933642538866635433543", "148581937847550515789760482844132968716" ], "threshold": 0.9 }, "id": "CVE-2024-26892-44174179" }, { "signature_version": "v1", "target": { "file": "drivers/net/wireless/mediatek/mt76/mt792x_dma.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bfe1adf1606f76c180324e53b130f0e76d5cc6c3", "deprecated": false, "digest": { "line_hashes": [ "93119016344350514052052733866104559705", "47284752152123597158297910768413314480", "243081213298886592022393481803733533160" ], "threshold": 0.9 }, "id": "CVE-2024-26892-7114648e" }, { "signature_version": "v1", "target": { "file": "drivers/net/wireless/mediatek/mt76/mt7921/pci.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c957280ef6ab6bdf559a91ae693a6b34310697e3", "deprecated": false, "digest": { "line_hashes": [ "142739325769602084744920920259403998869", "339274191393047382779877967041553034728", "107368446590577617933642538866635433543", "148581937847550515789760482844132968716" ], "threshold": 0.9 }, "id": "CVE-2024-26892-afa17c85" }, { "signature_version": "v1", "target": { "function": "mt792x_irq_handler", "file": "drivers/net/wireless/mediatek/mt76/mt792x_dma.c" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c957280ef6ab6bdf559a91ae693a6b34310697e3", "deprecated": false, "digest": { "length": 282.0, "function_hash": "6636836414823761035227429771163215020" }, "id": "CVE-2024-26892-bbc0f8c0" }, { "signature_version": "v1", "target": { "function": "mt792x_irq_handler", "file": "drivers/net/wireless/mediatek/mt76/mt792x_dma.c" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bfe1adf1606f76c180324e53b130f0e76d5cc6c3", "deprecated": false, "digest": { "length": 282.0, "function_hash": "6636836414823761035227429771163215020" }, "id": "CVE-2024-26892-c9d6bf60" }, { "signature_version": "v1", "target": { "file": "drivers/net/wireless/mediatek/mt76/mt7921/pci.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bfe1adf1606f76c180324e53b130f0e76d5cc6c3", "deprecated": false, "digest": { "line_hashes": [ "142739325769602084744920920259403998869", "339274191393047382779877967041553034728", "107368446590577617933642538866635433543", "148581937847550515789760482844132968716" ], "threshold": 0.9 }, "id": "CVE-2024-26892-ca494be9" }, { "signature_version": "v1", "target": { "function": "mt7921_pci_remove", "file": "drivers/net/wireless/mediatek/mt76/mt7921/pci.c" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c957280ef6ab6bdf559a91ae693a6b34310697e3", "deprecated": false, "digest": { "length": 274.0, "function_hash": "110939045375814040277840709596430819004" }, "id": "CVE-2024-26892-e0c99e30" }, { "signature_version": "v1", "target": { "file": "drivers/net/wireless/mediatek/mt76/mt792x_dma.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c957280ef6ab6bdf559a91ae693a6b34310697e3", "deprecated": false, "digest": { "line_hashes": [ "93119016344350514052052733866104559705", "47284752152123597158297910768413314480", "243081213298886592022393481803733533160" ], "threshold": 0.9 }, "id": "CVE-2024-26892-e1a4072e" }, { "signature_version": "v1", "target": { "function": "mt792x_irq_handler", "file": "drivers/net/wireless/mediatek/mt76/mt792x_dma.c" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c7dd42fbebcfb02bef070fd48f774d6412d0b49d", "deprecated": false, "digest": { "length": 282.0, "function_hash": "6636836414823761035227429771163215020" }, "id": "CVE-2024-26892-e727819a" } ] }