Re: [BUG] Unloading mt7921e module cause use-after-free

Deren Wu (武德仁) <Deren.Wu@xxxxxxxxxxxx> · Fri, 12 Jan 2024 05:33:48 +0000

On Wed, 2024-01-10 at 20:15 +0500, Mikhail Gavrilov wrote:
>  	 
>  Greetings,
> For bug reproduction just type:
> # rmmod mt7921e
> 
> Backtrace:
> BUG: KASAN: use-after-free in
> tasklet_action_common.isra.0+0x6a4/0x7a0
> Read of size 8 at addr ffff888146806748 by task ksoftirqd/5/48
> CPU: 5 PID: 48 Comm: ksoftirqd/5 Tainted: G        W    L    -------
> ---  6.8.0-0.rc0.20240109git9f8413c4a66f.1.fc40.x86_64+debug #1
> Hardware name: Micro-Star International Co., Ltd. MS-7D73/MPG B650I
> EDGE WIFI (MS-7D73), BIOS 1.81 01/05/2024
> Call Trace:
>  <TASK>
>  dump_stack_lvl+0x76/0xd0
>  print_report+0xcf/0x670
>  ? tasklet_action_common.isra.0+0x6a4/0x7a0
>  kasan_report+0xa6/0xe0
>  ? tasklet_action_common.isra.0+0x6a4/0x7a0
>  tasklet_action_common.isra.0+0x6a4/0x7a0
>  __do_softirq+0x215/0x8b9
>  ? __pfx___do_softirq+0x10/0x10
>  ? run_ksoftirqd+0x73/0x80
>  ? __pfx_run_ksoftirqd+0x10/0x10
>  run_ksoftirqd+0x4b/0x80
>  smpboot_thread_fn+0x56d/0x900
>  ? __kthread_parkme+0xbd/0x1f0
>  ? __pfx_smpboot_thread_fn+0x10/0x10
>  kthread+0x2f2/0x3d0
>  ? _raw_spin_unlock_irq+0x28/0x60
>  ? __pfx_kthread+0x10/0x10
>  ret_from_fork+0x31/0x70
>  ? __pfx_kthread+0x10/0x10
>  ret_from_fork_asm+0x1b/0x30
>  </TASK>
> 

Hi Mikhail,

I can reproduce a similar problem when CONFI_DEBUG_SHIRQ is enabled.

Pleaese try this patch in mainline kernel (6.7+)
---
--- a/drivers/net/wireless/mediatek/mt76/mt7921/pci.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7921/pci.c
@@ -387,6 +387,7 @@ static void mt7921_pci_remove(struct pci_dev *pdev)
        struct mt792x_dev *dev = container_of(mdev, struct mt792x_dev,
mt76);

        mt7921e_unregister_device(dev);
+       set_bit(MT76_REMOVED, &mdev->phy.state);
        devm_free_irq(&pdev->dev, pdev->irq, dev);
        mt76_free_device(&dev->mt76);
        pci_free_irq_vectors(pdev);

diff --git a/drivers/net/wireless/mediatek/mt76/mt792x_dma.c
b/drivers/net/wireless/mediatek/mt76/mt792x_dma.c
index 488326ce5ed4..3893dbe866fe 100644
--- a/drivers/net/wireless/mediatek/mt76/mt792x_dma.c
+++ b/drivers/net/wireless/mediatek/mt76/mt792x_dma.c
@@ -12,6 +12,8 @@ irqreturn_t mt792x_irq_handler(int irq, void
*dev_instance)
 {
        struct mt792x_dev *dev = dev_instance;

+       if (test_bit(MT76_REMOVED, &dev->mt76.phy.state))
+               return IRQ_NONE;
        mt76_wr(dev, dev->irq_map->host_irq_enable, 0);

        if (!test_bit(MT76_STATE_INITIALIZED, &dev->mphy.state))









