[PATCH v3] wifi: mt76: mt792x: fix use-after-free in mt76_rx_poll_complete
Felix Fietkau
nbd at nbd.name
Mon Jun 1 04:12:52 PDT 2026
On 06.05.26 10:43, JB Tsai wrote:
> From: Eason Lai <Eason.Lai at mediatek.com>
>
> A use-after-free issue occurs in mt76_rx_poll_complete due to a race
> condition. The STA has already been removed, but the rx_status still
> has a pointer to the wcid in the STA.
>
> Use wcid_idx instead of storing the wcid pointer, and look up the wcid
> via rcu_dereference() by wcid_idx.
Unless I'm misreading something, it seems to me that this patch papers
over a different bug instead of fixing the root cause.
Right now the rx processing code relies on RCU to protect the wcid and
sta data structures.
The rcu lock/unlock around polling also seems correct to me.
Are the freed wcid pointers maybe related to a vif sta instead of an
actual station? The use of devm_kfree in mt7925_change_vif_links looks
suspicious to me.
Please let me know if I'm missing something here.
- Felix