CVE-2022-49479: 
Linux Kernel vulnerability analysis and mitigation

A use-after-free race condition vulnerability was discovered in the Linux kernel's mt76 wireless driver (CVE-2022-49479). The vulnerability exists in the tx status handling during station removal. The issue was discovered in April 2022 and patched in May 2022 (Kernel Commit).

The vulnerability occurs due to a race window where ongoing tx activity can lead to a socket buffer (skb) being added to the status tracking idr after that idr has already been cleaned up. This keeps the wireless client ID (wcid) linked in the status poll list incorrectly. The issue stems from the mt76txstatusskbadd function not properly checking if the wcid pointer is still valid in dev->wcid before adding status skbs (Kernel Commit).

This vulnerability could lead to memory corruption and potential system crashes due to use-after-free conditions when removing wireless stations in systems using the mt76 wireless driver (Kernel Commit).

The issue was fixed by adding additional checks in mt76txstatusskbadd to verify that the wcid pointer is still valid in dev->wcid before adding status skbs. The fix also includes proper locking around the wcid pointer access using spinlockbh. Users should update to patched kernel versions that include the fix (Kernel Commit).