Linux Kernel mt76 Driver NULL Pointer Dereference Vulnerability in mt7921 PCI Removal

Vulnerability

A kernel crash vulnerability has been identified in the Linux kernel's mt76 driver, specifically in the mt7921 PCI removal path. The issue arises when the mt7921 interrupt handler is invoked while 'devm_free_irq' is still running: the mt76 device state has by then already been freed, so the handler dereferences a NULL pointer and the kernel crashes. The vulnerability has been observed in Linux kernel version 5.15.14-1.fc32.qubes.x86_64.
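
The teardown-ordering defect described above, reduced to a small user-space model. This is an added illustration, not mt76 or kernel code: the struct names, the `model_probe`/`remove_*` functions and the `irq_attached` flag are hypothetical, and the race is collapsed into the single deterministic interleaving in which an interrupt is delivered after the device state has been released. The buggy teardown frees the device before detaching its handler, so the handler finds a NULL driver-data pointer; the fixed teardown detaches the handler first, so the same late interrupt is dropped harmlessly.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical per-device state; stands in for the mt76 device the advisory
 * says was freed prematurely. Nothing here is mt76 code. */
struct model_dev {
    int irqs_handled;
};

/* Hypothetical PCI slot: the driver-data pointer (what a driver keeps via
 * pci_set_drvdata/pci_get_drvdata) and whether an IRQ handler is still attached. */
struct model_slot {
    struct model_dev *drvdata;   /* NULL once the device state has been freed */
    bool irq_attached;
};

enum irq_outcome { IRQ_NOT_DELIVERED, IRQ_HANDLED_OK, IRQ_NULL_DEREF };

/* The handler trusts drvdata to be live; that trust is what the ordering bug
 * violates. A real handler would oops here; the model reports it instead. */
static enum irq_outcome model_irq_handler(struct model_slot *slot)
{
    struct model_dev *dev = slot->drvdata;

    if (dev == NULL)
        return IRQ_NULL_DEREF;
    dev->irqs_handled++;
    return IRQ_HANDLED_OK;
}

/* The interrupt core only dispatches to a handler that is still attached. */
static enum irq_outcome deliver_interrupt(struct model_slot *slot)
{
    if (!slot->irq_attached)
        return IRQ_NOT_DELIVERED;
    return model_irq_handler(slot);
}

static void model_probe(struct model_slot *slot)
{
    slot->drvdata = calloc(1, sizeof *slot->drvdata);
    if (slot->drvdata == NULL)
        abort();
    slot->irq_attached = true;
}

/* Buggy order: device state is released while the handler can still run. The
 * interrupt is injected deterministically in that window to stand in for the race. */
static enum irq_outcome remove_free_then_irq(struct model_slot *slot)
{
    enum irq_outcome out;

    free(slot->drvdata);
    slot->drvdata = NULL;
    out = deliver_interrupt(slot);   /* handler runs against freed state */
    slot->irq_attached = false;      /* too late: this is the devm_free_irq step */
    return out;
}

/* Fixed order: detach the handler first so a late interrupt is dropped, then
 * free the state it would have dereferenced. */
static enum irq_outcome remove_irq_then_free(struct model_slot *slot)
{
    enum irq_outcome out;

    slot->irq_attached = false;
    out = deliver_interrupt(slot);   /* same late interrupt, now harmless */
    free(slot->drvdata);
    slot->drvdata = NULL;
    return out;
}

/* Convenience wrappers: probe a fresh slot and tear it down each way. */
enum irq_outcome run_buggy_teardown(void)
{
    struct model_slot slot = { NULL, false };
    model_probe(&slot);
    return remove_free_then_irq(&slot);
}

enum irq_outcome run_fixed_teardown(void)
{
    struct model_slot slot = { NULL, false };
    model_probe(&slot);
    return remove_irq_then_free(&slot);
}

int main(void)
{
    printf("free-then-irq: %s\n",
           run_buggy_teardown() == IRQ_NULL_DEREF ? "NULL dereference" : "ok");
    printf("irq-then-free: %s\n",
           run_fixed_teardown() == IRQ_NOT_DELIVERED ? "late interrupt dropped" : "ok");
    return 0;
}
```

The general rule the model encodes is that anything an interrupt handler dereferences must outlive the handler's registration: detach or quiesce the interrupt source first, then release the state, never the other way round.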

Impact

Exploitation of this vulnerability leads to a kernel crash caused by a NULL pointer dereference, disrupting system operations and potentially causing a denial of service.

Reproduction

The vulnerability can be reproduced by removing a PCI device managed by the mt76 driver, specifically the mt7921 variant, while the system is still handling interrupts for that device. Triggering a suspend operation initiates the device removal process; if an interrupt arrives before 'devm_free_irq' has completed, the resulting crash log shows a NULL pointer dereference, confirming the vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.