The Linux kernel’s mt76 Wi-Fi driver, specifically for mt7921 PCIe devices, suffered a serious bug: if the firmware failed to download (whether missing, corrupted, or unreadable), the entire system could crash with a dramatic kernel panic. This flaw, tracked as CVE-2021-47027, could lock users out and require a hard reboot—posing a big risk for reliability, especially on laptops and embedded devices relying on these Mediatek chips.


What’s Supposed to Happen

For PCIe Wi-Fi chips like the Mediatek mt7921, the driver loads firmware into the chip at initialization. If something goes wrong, it should abort the probe process, clean up, and leave the system running.

What Actually Happened

*If* the firmware was missing or failed to load, the probe cleanup path tried to free MSI IRQs (PCI interrupt resources) *that had never been allocated*. This led to a BUG in the PCI core’s drivers/pci/msi.c, followed by a kernel panic—taking down the whole machine.

Relevant kernel log dump

[    9.444758] kernel BUG at drivers/pci/msi.c:375!
[    9.449363] Internal error: Oops - BUG:  [#1] PREEMPT SMP
...
[    9.697385] Kernel panic - not syncing: Fatal exception
[    9.702599] SMP: stopping secondary CPUs

Let's see the root cause with a simplified code snippet from the mt7921_pci_probe() function:

int mt7921_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
{
    ...
    ret = mt76_run_firmware(&dev->mt76);
    if (ret)
        goto err_free_irq_vectors;
    ...
err_free_irq_vectors:
    pci_free_irq_vectors(pdev);   // <-- Not safe if no IRQs were set up!
    ...
}

Problem:
If mt76_run_firmware fails before IRQ vectors are ever allocated, but pci_free_irq_vectors is called anyway, PCI’s core code will hit an out-of-bounds check and call BUG().

The log excerpt from a real system

[    9.444758] kernel BUG at drivers/pci/msi.c:375!
[    9.505814] pc : free_msi_irqs+0x180/0x184
...
[    9.697385] Kernel panic - not syncing: Fatal exception


> Key Point:
> The probe function tried to “free” an IRQ that was never set up—akin to freeing memory you never allocated.

The Fix: Safe Cleanup

Patch summary:
The driver now only releases PCI IRQ vectors if they were actually set up.

Fixed snippet:

int mt7921_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
{
    int irq_setup = 0; // Track whether IRQ vectors were actually set up
    ...
    // Allocate IRQ vectors
    ret = pci_alloc_irq_vectors(pdev, ...);
    if (ret < 0)
        goto err;
    irq_setup = 1;

    ret = mt76_run_firmware(&dev->mt76);
    if (ret)
        goto err_cleanup;

    ...

err_cleanup:
    if (irq_setup)
        pci_free_irq_vectors(pdev);
    ...
}

What changed:

- The IRQ vectors are only released during cleanup if they were actually allocated (tracked by irq_setup).
- Prevents double-free and "freeing a resource that was never allocated" bugs in the probe error path.
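To make the "only undo what you set up" rule concrete, here is an added userspace model of the probe error path (example code, not the mt76 driver's or the kernel's own). The names fake_alloc_irq_vectors(), fake_free_irq_vectors() and fake_run_firmware() are stand-ins for pci_alloc_irq_vectors(), pci_free_irq_vectors() and mt76_run_firmware(); instead of crashing, the fake PCI core counts the out-of-bounds free that drivers/pci/msi.c would BUG() on. probe_buggy() reproduces the pre-fix ordering described above and probe_fixed() the tracked-cleanup pattern from the fixed snippet, so both can be run against a device whose firmware blob is present or missing:

```c
#include <stdbool.h>
#include <stdio.h>

/* Outcome of a probe attempt, as a caller (or a test) would see it. */
enum probe_result {
    PROBE_OK = 0,
    PROBE_EFIRMWARE = -1, /* firmware failed, resources released cleanly */
    PROBE_EBUG = -2,      /* cleanup freed something it never owned: real kernel would BUG() */
};

/* Minimal model of the PCI core's MSI bookkeeping for one device (constructed, not a kernel struct). */
struct fake_pci_dev {
    bool irq_vectors_allocated;
    bool firmware_present; /* constructed input: does the firmware blob exist? */
    int bug_hits;          /* counts frees of vectors that were never allocated */
};

/* Stand-in for pci_alloc_irq_vectors(): returns the number of vectors, like the real call. */
static int fake_alloc_irq_vectors(struct fake_pci_dev *pdev)
{
    pdev->irq_vectors_allocated = true;
    return 1;
}

/* Stand-in for pci_free_irq_vectors(). The real PCI core hits BUG() when the
 * vectors were never set up; this model records the event instead of crashing. */
static void fake_free_irq_vectors(struct fake_pci_dev *pdev)
{
    if (!pdev->irq_vectors_allocated) {
        pdev->bug_hits++;
        return;
    }
    pdev->irq_vectors_allocated = false;
}

/* Stand-in for mt76_run_firmware(): fails when the blob is missing. */
static int fake_run_firmware(const struct fake_pci_dev *pdev)
{
    return pdev->firmware_present ? 0 : -2;
}

/* Pre-fix ordering: the firmware download fails before any IRQ vectors exist,
 * but the error label frees them unconditionally. */
static enum probe_result probe_buggy(struct fake_pci_dev *pdev)
{
    int ret = fake_run_firmware(pdev);
    if (ret)
        goto err_free_irq_vectors;

    fake_alloc_irq_vectors(pdev);
    return PROBE_OK;

err_free_irq_vectors:
    fake_free_irq_vectors(pdev); /* nothing was allocated on this path */
    return pdev->bug_hits ? PROBE_EBUG : PROBE_EFIRMWARE;
}

/* Post-fix pattern: remember what was set up and undo only that, in reverse order. */
static enum probe_result probe_fixed(struct fake_pci_dev *pdev)
{
    bool irq_setup = false;
    int ret;

    ret = fake_alloc_irq_vectors(pdev);
    if (ret < 0)
        goto err;
    irq_setup = true;

    ret = fake_run_firmware(pdev);
    if (ret)
        goto err_cleanup;

    return PROBE_OK;

err_cleanup:
    if (irq_setup)
        fake_free_irq_vectors(pdev);
err:
    return pdev->bug_hits ? PROBE_EBUG : PROBE_EFIRMWARE;
}

/* Run one probe variant against a fresh device with or without its firmware blob. */
enum probe_result run_probe(bool fixed, bool firmware_present)
{
    struct fake_pci_dev pdev = { .firmware_present = firmware_present };
    return fixed ? probe_fixed(&pdev) : probe_buggy(&pdev);
}

int main(void)
{
    printf("buggy probe, firmware missing: %d\n", run_probe(false, false));
    printf("fixed probe, firmware missing: %d\n", run_probe(true, false));
    printf("fixed probe, firmware present: %d\n", run_probe(true, true));
    return 0;
}
```

The buggy variant returns PROBE_EBUG only on the missing-firmware path, which matches the article's observation that a working system and a system with a bad blob differ solely in which error label runs; the fixed variant returns PROBE_EFIRMWARE with no bug hits because the flag gates the free. The same flag-or-ordering discipline applies to every resource a probe routine acquires, not just IRQ vectors.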

Full patch reference:
- Upstream patch commit

Exploit Details

Is this a security bug?
- No direct remote exploit: there is *no* path for an attacker to exploit this over the network or via user tools alone, unless they can control kernel module loading or manipulate firmware files on disk.
- Denial of Service (DoS): A local attacker (or a careless user/sysadmin) could intentionally remove or corrupt the firmware, trigger a module reload, and crash the entire system (*especially dangerous on shared servers or appliances*).

# Remove or corrupt firmware blob
rm /lib/firmware/mediatek/WIFI_MT7921_patch_mcu_1_1_hdr.bin
# Unload/reload mt7921e module

If the device driver is set to auto-load on boot, the system could crash during startup, breaking devices for all users.

Kernel version:

- Most mainline kernels before May 2021
- Many Android/Linux laptops with Mediatek Wi-Fi before late 2021.

Dmesg output:

- Look for kernel BUG at drivers/pci/msi.c:375!

1. Update your kernel
- Use a release with the patch (Linux 5.14+), or check your distro’s kernel changelog for CVE-2021-47027.
2. Do not remove/corrupt required firmware blobs

References

- CVE-2021-47027 Mitre CVE entry
- Kernel Patch Commit (git.kernel.org)
- Linux Kernel PCI Subsystem
- mt76 driver source code (mt76 GitHub)

TL;DR

CVE-2021-47027 was a major bug in the Linux kernel's mt76 driver for the Mediatek mt7921 PCI Wi-Fi chip. Missing or bad firmware could bring down the whole system with a kernel panic. The issue is now patched—update your kernel to stay safe and stable!

Have similar Mediatek hardware?
> Double-check your firmware files and keep your kernel up to date!
This is a classic example of how a simple error-handling bug can have disastrous side effects in the kernel.
Questions? Drop them in the comments below, or see the official patch notes and CVE entry for more technical details.

Timeline

Published on: 02/28/2024 09:15:39 UTC
Last modified on: 01/10/2025 18:24:08 UTC