CVE-2022-50714
Description
In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76: mt7921e: fix rmmod crash in driver reload test
In the insmod/rmmod stress test, the following crash dump shows up immediately. The problem is caused by a missing mt76_dev in mt7921_pci_remove(). We should make sure the drvdata is ready before probe() finishes.
[168.862789] ==================================================================
[168.862797] BUG: KASAN: user-memory-access in try_to_grab_pending+0x59/0x480
[168.862805] Write of size 8 at addr 0000000000006df0 by task rmmod/5361
[168.862812] CPU: 7 PID: 5361 Comm: rmmod Tainted: G OE 5.19.0-rc6 #1
[168.862816] Hardware name: Intel(R) Client Systems NUC8i7BEH/NUC8BEB, 05/04/2020
[168.862820] Call Trace:
[168.862822]
[168.862825] dump_stack_lvl+0x49/0x63
[168.862832] print_report.cold+0x493/0x6b7
[168.862845] kasan_report+0xa7/0x120
[168.862857] kasan_check_range+0x163/0x200
[168.862861] __kasan_check_write+0x14/0x20
[168.862866] try_to_grab_pending+0x59/0x480
[168.862870] __cancel_work_timer+0xbb/0x340
[168.862898] cancel_work_sync+0x10/0x20
[168.862902] mt7921_pci_remove+0x61/0x1c0 [mt7921e]
[168.862909] pci_device_remove+0xa3/0x1d0
[168.862914] device_remove+0xc4/0x170
[168.862920] device_release_driver_internal+0x163/0x300
[168.862925] driver_detach+0xc7/0x1a0
[168.862930] bus_remove_driver+0xeb/0x2d0
[168.862935] driver_unregister+0x71/0xb0
[168.862939] pci_unregister_driver+0x30/0x230
[168.862944] mt7921_pci_driver_exit+0x10/0x1b [mt7921e]
[168.862949] __x64_sys_delete_module+0x2f9/0x4b0
[168.862968] do_syscall_64+0x38/0x90
[168.862973] entry_SYSCALL_64_after_hwframe+0x63/0xcd
Test steps:
1. insmod
2. do not ifup
3. rmmod quickly (within 1 second)
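A triage sketch for the trace above, added here as an example (it is not part of the kernel commit or of this page's source): it parses the KASAN lines quoted in the description and extracts the fault class, the accessing task, the first driver frame, and whether the fault occurred on the module-unload path. The function names triage and address_class and the x86-64 constants are assumptions of this example.

```python
import re

# Lines copied from the KASAN trace in the CVE description above (abridged).
REPORT = """\
[168.862797] BUG: KASAN: user-memory-access in try_to_grab_pending+0x59/0x480
[168.862805] Write of size 8 at addr 0000000000006df0 by task rmmod/5361
[168.862866] try_to_grab_pending+0x59/0x480
[168.862870] __cancel_work_timer+0xbb/0x340
[168.862898] cancel_work_sync+0x10/0x20
[168.862902] mt7921_pci_remove+0x61/0x1c0 [mt7921e]
[168.862909] pci_device_remove+0xa3/0x1d0
[168.862944] mt7921_pci_driver_exit+0x10/0x1b [mt7921e]
[168.862949] __x64_sys_delete_module+0x2f9/0x4b0
"""

# Assumptions: x86-64 with 4 KiB pages and 4-level paging.
PAGE_SIZE = 0x1000
TASK_SIZE = 0x7FFFFFFFF000

HEADER = re.compile(r"BUG: KASAN: (\S+) in ([\w.]+)\+0x")
ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)")
FRAME = re.compile(r"\]\s+([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\w+)\])?\s*$")

def address_class(addr):
    """Class KASAN reports for a faulting address that has no shadow memory."""
    if addr < PAGE_SIZE:
        return "null-ptr-deref"
    return "user-memory-access" if addr < TASK_SIZE else "wild-memory-access"

def triage(text):
    """Summarise one KASAN report: fault, accessing task, and owning module."""
    out = {"frames": []}
    for line in text.splitlines():
        if m := HEADER.search(line):
            out["bug_type"], out["fault_func"] = m.groups()
        elif m := ACCESS.search(line):
            out["access"], out["size"] = m.group(1).lower(), int(m.group(2))
            out["addr"] = int(m.group(3), 16)
            out["task"], out["pid"] = m.group(4), int(m.group(5))
        elif m := FRAME.search(line):
            out["frames"].append(m.groups())  # (symbol, module or None)
    # First frame inside a loadable module: the driver code that made the call.
    out["module_frame"] = next((f for f in out["frames"] if f[1]), None)
    # True when the fault happened while a module was being unloaded.
    out["during_unload"] = any("delete_module" in s for s, _ in out["frames"])
    return out

if __name__ == "__main__":
    print(triage(REPORT))
```

On this trace the address-derived class matches the class KASAN printed, and the first module frame is mt7921_pci_remove in mt7921e, reached from the delete_module syscall.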
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing drvdata initialization in mt7921_pci_remove() causes use-after-free on driver unload when rmmod is issued before probe completion.
Vulnerability Details
A use-after-free vulnerability exists in the mt7921e wireless driver within the Linux kernel. During a driver reload stress test (insmod/rmmod), the system experiences a crash due to a missing mt76_dev pointer in mt7921_pci_remove(). The driver's drvdata is not fully ready until probe() finishes, but remove() can be called immediately after probe() is invoked, leading to an attempt to access freed memory.
Attack Vector and Conditions
The issue is triggered through a local attack vector. An attacker with the ability to load and unload kernel modules on the system can exploit this bug. The specific test steps are: 1) Insert the module (insmod), 2) do not bring the interface up (ifup), and 3) remove the module quickly (within 1 second after insertion). This race condition causes remove() to execute before probe() has completed initializing the device's data structures.
Impact
The crash manifests as a kernel panic, leading to a denial of service (DoS) condition for the affected system. The root cause is a user-memory-access (KASAN report) during a write operation to an invalid address, specifically during try_to_grab_pending() while attempting to cancel work items. This can result in system instability or complete unavailability of the device.
Mitigation
A patch has been upstreamed to the Linux kernel stable trees [1][2]. The fix ensures that drvdata is properly set up before remove() can be called, preventing the use-after-free. System administrators should apply the updated kernel version containing the commit identified by b5a62d612b7b or ccda3ebdae71.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 3
1034d8e08508
ccda3ebdae71
b5a62d612b7b
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 3