CVE-2021-47019 - Fixing Invalid Register Access in Linux Kernel (mt76 mt7921 Driver)

CVE-2021-47019 highlights a vulnerability in the Linux kernel, specifically related to the mt76 wireless driver for MediaTek devices, more precisely for the MT7921 chip. This bug could cause a kernel panic due to invalid register access when the system is put into suspend mode. In this post, we'll break down what the problem was, how it was fixed, how it could be exploited, and share some references for deeper exploration.

What Happened: The Bug in Plain Words

When a Linux system with an MT7921 WiFi device goes into suspend (sleep), the kernel sometimes allows an *interrupt handler* or *tasklet* to keep working. If this handler tries to access the device registers after the PCIe controller has already powered down or suspended, it will access memory that isn't available anymore. The kernel then crashes, resulting in a kernel panic (a big, unrecoverable error).

Real-World Log Messages (From Kernel Panic)

[17932.910534] mt7921e 000:01:00.: pci_pm_suspend+x/x22c returned  after 21375 usecs
...
[17933.615352] x1 : 00000000000d420 x : ffffff8269ca230
[17933.620666] Call trace:
[17933.623127]  mt76_mmio_rr+x28/xf [mt76]
[17933.627234]  mt7921_rr+x38/x44 [mt7921e]
[17933.631339]  mt7921_irq_tasklet+x54/x1d8 [mt7921e]
...
[17933.767846] Kernel panic - not syncing: Fatal exception in interrupt

This shows that after the PCIe device was suspended, an interrupt handler still touched device memory, leading to a crash.

How Could This Be Exploited?

While this issue is mainly a stability bug (not a classic remote code execution or privilege escalation bug), attackers or even rogue applications could potentially escalate problems:

- Denial-of-Service (DoS): Malicious userspace code could keep the device busy, or intentionally trigger suspend cycles, leading to frequent crashes.

The Patch: How The Fix Works

The patch disables interrupts and makes sure that any pending interrupt handlers (tasklets) are fully synchronized and completed before the PCIe controller is suspended. This prevents any late-arriving tasks from touching the device registers once the device is unavailable.

Here’s a boiled-down, illustrative version of what was fixed

// Before: suspend may occur while IRQ handlers are still running
int mt7921e_suspend(struct device *dev)
{
    // Existing suspend logic
}

// After: interrupts disabled and tasklets synchronized first
int mt7921e_suspend(struct device *dev)
{
    struct mt7921_dev *dev = dev_get_drvdata(dev);
    
    // 1. Disable IRQ for device
    disable_irq(dev->irq);
    
    // 2. Synchronize to make sure all pending IRQ handlers finished
    synchronize_irq(dev->irq); 
    
    // 3. Now, it is safe to suspend
    // Existing suspend logic
}

Key Takeaway:
The handler (suspend) disables the interrupt line and waits for all running handlers to finish, blocking any register access after suspend starts.

Upstream Commit Fix:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=810837ef49ec

CVE Advisory:

https://nvd.nist.gov/vuln/detail/CVE-2021-47019

Linux Kernel Mailing List Discussion:

https://lore.kernel.org/lkml/202106232255.a471YrYy-lkp@intel.com/T/

mt76 Driver Source:

https://github.com/torvalds/linux/tree/master/drivers/net/wireless/mediatek/mt76

If unlucky, you’ll see a kernel panic with a trace similar to the above.

Warning: This will crash your system, so don’t do this on a production machine!

Conclusion

CVE-2021-47019 was more about system reliability than an outright security disaster, but it’s a great example of why hardware drivers and power management code must be bulletproof. Linux maintainers responded quickly, and the field is now largely patched. If you use MediaTek’s mt76 devices, check your driver/kernel version and stay updated!

If you want to dig deeper, check out the upstream commit and follow the Linux Wireless project.

Timeline

Published on: 02/28/2024 09:15:39 UTC
Last modified on: 01/08/2025 17:01:03 UTC