[PATCH v3] wifi: mt76: mt792x: fix use-after-free in mt76_rx_poll_complete

Eason Lai (賴易聖) Eason.Lai at mediatek.com
Sun Jun 14 19:17:59 PDT 2026


After looking into the mac80211 STA removal flow, I hadn't noticed that synchronize_net() is invoked after mt76_sta_pre_rcu_remove().
You are right. I will check mt7925_change_vif_links(). Thanks for the suggestion.

Best regards,
Eason

-----Original Message-----
From: Felix Fietkau <nbd at nbd.name> 
Sent: Monday, June 1, 2026 7:13 PM
To: JB Tsai (蔡志彬) <Jb.Tsai at mediatek.com>; lorenzo at kernel.org
Cc: linux-wireless at vger.kernel.org; linux-mediatek at lists.infradead.org; Deren Wu (武德仁) <Deren.Wu at mediatek.com>; Sean Wang <Sean.Wang at mediatek.com>; Quan Zhou (周全) <Quan.Zhou at mediatek.com>; Ryder Lee <Ryder.Lee at mediatek.com>; Leon Yen (顏良儒) <Leon.Yen at mediatek.com>; Litien Chang (張立典) <Litien.Chang at mediatek.com>; Eason Lai (賴易聖) <Eason.Lai at mediatek.com>
Subject: Re: [PATCH v3] wifi: mt76: mt792x: fix use-after-free in mt76_rx_poll_complete

On 06.05.26 10:43, JB Tsai wrote:
> From: Eason Lai <Eason.Lai at mediatek.com>
> 
> A use-after-free issue occurs in mt76_rx_poll_complete due to a race 
> condition. The STA has already been removed, but the rx_status still 
> had a pointer to the wcid in the STA.
> 
> Use wcid_idx instead of storing the wcid pointer, and look up the wcid 
> via rcu_dereference() by wcid_idx.

Unless I'm misreading something, it seems to me that this patch papers over a different bug instead of fixing the root cause.
Right now the rx processing code relies on RCU to protect the wcid and sta data structures.
The rcu lock/unlock around polling also seems correct to me.

Are the freed wcid pointers maybe related to a vif sta instead of an actual station? The use of devm_kfree in mt7925_change_vif_links looks suspicious to me.

Please let me know if I'm missing something here.

- Felix
