CVE-2024-56599

Summary

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath10k: avoid NULL pointer error during sdio remove

When running 'rmmod ath10k', ath10k_sdio_remove() will free sdio workqueue by destroy_workqueue(). But if CONFIG_INIT_ON_FREE_DEFAULT_ON is set to yes, kernel panic will happen: Call trace: destroy_workqueue+0x1c/0x258 ath10k_sdio_remove+0x84/0x94 sdio_bus_remove+0x50/0x16c device_release_driver_internal+0x188/0x25c device_driver_detach+0x20/0x2c

This is because during 'rmmod ath10k', ath10k_sdio_remove() will call ath10k_core_destroy() before destroy_workqueue(). wiphy_dev_release() will finally be called in ath10k_core_destroy(). This function will free struct cfg80211_registered_device *rdev and all its members, including wiphy, dev and the pointer of sdio workqueue. Then the pointer of sdio workqueue will be set to NULL due to CONFIG_INIT_ON_FREE_DEFAULT_ON.

After device release, destroy_workqueue() will use NULL pointer then the kernel panic happen.

Call trace: ath10k_sdio_remove ->ath10k_core_unregister …… ->ath10k_core_stop ->ath10k_hif_stop ->ath10k_sdio_irq_disable ->ath10k_hif_power_down ->del_timer_sync(&ar_sdio->sleep_timer) ->ath10k_core_destroy ->ath10k_mac_destroy ->ieee80211_free_hw ->wiphy_free …… ->wiphy_dev_release ->destroy_workqueue

Need to call destroy_workqueue() before ath10k_core_destroy(), free the work queue buffer first and then free pointer of work queue by ath10k_core_destroy(). This order matches the error path order in ath10k_sdio_probe().

No work will be queued on sdio workqueue between it is destroyed and ath10k_core_destroy() is called. Based on the call_stack above, the reason is: Only ath10k_sdio_sleep_timer_handler(), ath10k_sdio_hif_tx_sg() and ath10k_sdio_irq_disable() will queue work on sdio workqueue. Sleep timer will be deleted before ath10k_core_destroy() in ath10k_hif_power_down(). ath10k_sdio_irq_disable() only be called in ath10k_hif_stop(). ath10k_core_unregister() will call ath10k_hif_power_down() to stop hif bus, so ath10k_sdio_hif_tx_sg() won't be called anymore.

Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00189

Affected Software

VendorProductVersion RangeStatus
LinuxLinux5e3dd157d7e70f0e3cea3f2573ed69fb156a19d5 < 27d5d217ae7ffb99dd623375a17a7d3418d9c755affected
LinuxLinux5e3dd157d7e70f0e3cea3f2573ed69fb156a19d5 < 27fda36eedad9e4ec795dc481f307901d1885112affected
LinuxLinux5e3dd157d7e70f0e3cea3f2573ed69fb156a19d5 < 6e5dbd1c04abf2c19b2282915e6fa48b6ccc6921affected
LinuxLinux5e3dd157d7e70f0e3cea3f2573ed69fb156a19d5 < b35de9e01fc79c7baac666fb2dcb4ba7698a1d97affected
LinuxLinux5e3dd157d7e70f0e3cea3f2573ed69fb156a19d5 < 543c0924d446b21f35701ca084d7feca09511220affected
LinuxLinux5e3dd157d7e70f0e3cea3f2573ed69fb156a19d5 < 95c38953cb1ecf40399a676a1f85dfe2b5780a9aaffected
LinuxLinux3.11affected
LinuxLinux0 < 3.11unaffected
LinuxLinux5.10.237 <= 5.10.*unaffected
LinuxLinux5.15.181 <= 5.15.*unaffected
LinuxLinux6.1.127 <= 6.1.*unaffected
LinuxLinux6.6.70 <= 6.6.*unaffected
LinuxLinux6.12.5 <= 6.12.*unaffected
LinuxLinux6.13 <= *unaffected

Weaknesses

ADP Enrichment

CVE Program Container

Additional References

References