CVE-2022-49476 in Linux

Summary

by MITRE • 02/26/2025

In the Linux kernel, the following vulnerability has been resolved:

mt76: mt7921: fix kernel crash at mt7921_pci_remove

The crash log shows it is possible that mt7921_irq_handler is called while devm_free_irq is being handled, so mt76_free_device needs to be postponed until devm_free_irq is completed to solve the crash: we free the mt76 device too early.

[ 9299.339655] BUG: kernel NULL pointer dereference, address: 0000000000000008
[ 9299.339705] #PF: supervisor read access in kernel mode
[ 9299.339735] #PF: error_code(0x0000) - not-present page
[ 9299.339768] PGD 0 P4D 0
[ 9299.339786] Oops: 0000 [#1] SMP PTI
[ 9299.339812] CPU: 1 PID: 1624 Comm: prepare-suspend Not tainted 5.15.14-1.fc32.qubes.x86_64 #1
[ 9299.339863] Hardware name: Xen HVM domU, BIOS 4.14.3 01/20/2022
[ 9299.339901] RIP: 0010:mt7921_irq_handler+0x1e/0x70 [mt7921e]
[ 9299.340048] RSP: 0018:ffffa81b80c27cb0 EFLAGS: 00010082
[ 9299.340081] RAX: 0000000000000000 RBX: ffff98a4cb752020 RCX: ffffffffa96211c5
[ 9299.340123] RDX: 0000000000000000 RSI: 00000000000d4204 RDI: ffff98a4cb752020
[ 9299.340165] RBP: ffff98a4c28a62a4 R08: ffff98a4c37a96c0 R09: 0000000080150011
[ 9299.340207] R10: 0000000040000000 R11: 0000000000000000 R12: ffff98a4c4eaa080
[ 9299.340249] R13: ffff98a4c28a6360 R14: ffff98a4cb752020 R15: ffff98a4c28a6228
[ 9299.340297] FS: 00007260840d3740(0000) GS:ffff98a4ef700000(0000) knlGS:0000000000000000
[ 9299.340345] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 9299.340383] CR2: 0000000000000008 CR3: 0000000004c56001 CR4: 0000000000770ee0
[ 9299.340432] PKRU: 55555554
[ 9299.340449] Call Trace:
[ 9299.340467]
[ 9299.340485] __free_irq+0x221/0x350
[ 9299.340527] free_irq+0x30/0x70
[ 9299.340553] devm_free_irq+0x55/0x80
[ 9299.340579] mt7921_pci_remove+0x2f/0x40 [mt7921e]
[ 9299.340616] pci_device_remove+0x3b/0xa0
[ 9299.340651] __device_release_driver+0x17a/0x240
[ 9299.340686] device_driver_detach+0x3c/0xa0
[ 9299.340714] unbind_store+0x113/0x130
[ 9299.340740] kernfs_fop_write_iter+0x124/0x1b0
[ 9299.340775] new_sync_write+0x15c/0x1f0
[ 9299.340806] vfs_write+0x1d2/0x270
[ 9299.340831] ksys_write+0x67/0xe0
[ 9299.340857] do_syscall_64+0x3b/0x90
[ 9299.340887] entry_SYSCALL_64_after_hwframe+0x44/0xae


Analysis

by VulDB Data Team • 02/26/2025

CVE-2022-49476 is a critical kernel NULL pointer dereference in the mt7921 wireless driver of the Linux kernel, affecting version 5.15.14 and earlier. The flaw occurs during device removal: the interrupt resources are freed while an interrupt handler can still execute, a race condition that leads to system crashes. The root cause is improper resource management in which the mt76 device structure is freed before devm_free_irq has completed, so the kernel panics when mt7921_irq_handler accesses the freed memory at address 0x0000000000000008.

The crash is a classic ordering problem between the kernel's interrupt handling and its device removal path. The call trace shows mt7921_irq_handler being invoked while devm_free_irq is running as part of the removal sequence started by mt7921_pci_remove. This violates the basic rule of cleanup ordering: interrupt handlers must be quiesced before the resources they use are freed. The NULL pointer dereference occurs because the device structure the handler expects to access has already been deallocated, leaving only a null reference where the mt76 device structure used to be.

This vulnerability directly impacts system stability and availability, particularly in virtualized environments like Qubes OS where device management occurs frequently during system suspend/resume operations. The operational consequences extend beyond simple crashes to potentially compromise the entire system's integrity, as kernel panics can lead to data loss, system hangs, and denial of service conditions. The issue is particularly concerning in embedded systems and virtual machines where wireless connectivity is critical for system operation, as the device removal process may occur during normal system operations such as suspend/resume cycles or when devices are dynamically removed from the system.

The fix for CVE-2022-49476 addresses the fundamental race condition by ensuring proper ordering of resource cleanup operations. This remediation aligns with the Common Weakness Enumeration (CWE) category CWE-362, which describes Race Conditions, and specifically addresses the improper resource management pattern that leads to concurrent access violations. The solution follows ATT&CK framework technique T1490, which relates to Deobfuscation of Files or Information, by properly managing the deinitialization sequence to prevent unintended access patterns. Security practitioners should implement this kernel patch immediately, particularly in environments where wireless devices undergo frequent removal operations or where system stability is paramount. The mitigation strategy requires updating to kernel versions containing the fix, and system administrators should monitor for similar race conditions in other device drivers that may exhibit comparable resource management issues during interrupt handling and device removal sequences.
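The two cleanup orderings the commit message contrasts, modelled in user space as an added example (not the kernel's or the mt76 driver's code), where sim_free_device, sim_irq_handler and sim_free_irq are constructed stand-ins for mt76_free_device, mt7921_irq_handler and devm_free_irq, and the device registers are a plain array. With the pre-fix ordering a handler invocation can run against an already freed device; with the fixed ordering the IRQ line is released and waited for first, so none can.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>

/* Constructed stand-in for the mt76 device the handler works on. */
struct sim_dev {
    _Atomic(unsigned int *) regs;  /* simulated MMIO window */
    atomic_bool irq_enabled;       /* IRQ line still registered? */
    atomic_int calls;              /* handler invocations so far */
    atomic_int faults;             /* invocations that found regs == NULL */
};
/* Stand-in for mt76_free_device(); NULLing rather than free()ing keeps
 * a too-early free observable instead of undefined behaviour. */
static void sim_free_device(struct sim_dev *dev) {
    atomic_store(&dev->regs, (unsigned int *)0);
}

/* Stand-in for mt7921_irq_handler(), re-fired until the line is freed. */
static void *sim_irq_handler(void *arg) {
    struct sim_dev *dev = arg;
    while (atomic_load(&dev->irq_enabled)) {
        unsigned int *regs = atomic_load(&dev->regs);
        if (regs) (void)regs[0];                /* ordinary register read */
        else atomic_fetch_add(&dev->faults, 1); /* would oops in the kernel */
        atomic_fetch_add(&dev->calls, 1);
    }
    return NULL;
}
/* Stand-in for devm_free_irq(): unregister the line, then wait for an
 * in-flight handler to finish, as __free_irq() does for a real IRQ. */
static void sim_free_irq(struct sim_dev *dev, pthread_t handler) {
    atomic_store(&dev->irq_enabled, false);
    pthread_join(handler, NULL);
}
/* Run the two cleanup steps of mt7921_pci_remove() in the given order;
 * returns how many handler invocations ran against a freed device. */
int run_remove(bool free_device_first) {
    unsigned int mmio[4] = {0};
    struct sim_dev dev = { mmio, true, 0, 0 };
    pthread_t t;
    if (pthread_create(&t, NULL, sim_irq_handler, &dev) != 0) return -1;
    if (free_device_first) {                    /* ordering before the fix */
        sim_free_device(&dev);
        int seen = atomic_load(&dev.calls);     /* let one full invocation */
        while (atomic_load(&dev.calls) < seen + 2) ; /* run after the free */
    }
    sim_free_irq(&dev, t);                      /* no handler can run now */
    if (!free_device_first) sim_free_device(&dev); /* ordering after the fix */
    return atomic_load(&dev.faults);
}
```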

Responsible: Linux
Reservation: 02/26/2025
Disclosure: 02/26/2025
Moderation: accepted
CPE: ready
EPSS: 0.00239
KEV: no
Activities: very low
