CVE-2024-56599
Severity CVSS v4.0: Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 27/12/2024
Last modified: 03/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: ath10k: avoid NULL pointer error during sdio remove

When running 'rmmod ath10k', ath10k_sdio_remove() will free the sdio
workqueue by destroy_workqueue(). But if CONFIG_INIT_ON_FREE_DEFAULT_ON
is set to yes, a kernel panic will happen:
Call trace:
destroy_workqueue+0x1c/0x258
ath10k_sdio_remove+0x84/0x94
sdio_bus_remove+0x50/0x16c
device_release_driver_internal+0x188/0x25c
device_driver_detach+0x20/0x2c

This is because during 'rmmod ath10k', ath10k_sdio_remove() will call
ath10k_core_destroy() before destroy_workqueue(). wiphy_dev_release()
will finally be called in ath10k_core_destroy(). This function will free
struct cfg80211_registered_device *rdev and all its members, including
wiphy, dev and the pointer of the sdio workqueue. Then the pointer of the
sdio workqueue will be set to NULL due to CONFIG_INIT_ON_FREE_DEFAULT_ON.

After device release, destroy_workqueue() will use the NULL pointer and
the kernel panic happens.

Call trace:
ath10k_sdio_remove
->ath10k_core_unregister
……
->ath10k_core_stop
->ath10k_hif_stop
->ath10k_sdio_irq_disable
->ath10k_hif_power_down
->del_timer_sync(&ar_sdio->sleep_timer)
->ath10k_core_destroy
->ath10k_mac_destroy
->ieee80211_free_hw
->wiphy_free
……
->wiphy_dev_release
->destroy_workqueue

Need to call destroy_workqueue() before ath10k_core_destroy(): free
the work queue buffer first and then free the pointer of the work queue
by ath10k_core_destroy(). This order matches the error path order in
ath10k_sdio_probe().

No work will be queued on the sdio workqueue between the time it is
destroyed and ath10k_core_destroy() is called. Based on the call stack
above, the reason is:
Only ath10k_sdio_sleep_timer_handler(), ath10k_sdio_hif_tx_sg() and
ath10k_sdio_irq_disable() will queue work on the sdio workqueue.
The sleep timer will be deleted before ath10k_core_destroy() in
ath10k_hif_power_down().
ath10k_sdio_irq_disable() is only called in ath10k_hif_stop().
ath10k_core_unregister() will call ath10k_hif_power_down() to stop the
hif bus, so ath10k_sdio_hif_tx_sg() won't be called anymore.

Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00189
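A constructed user-space model of the teardown-order bug described above, added here as an illustration (it is not ath10k or kernel code). It shows why the stale workqueue pointer only reads back as NULL when init-on-free is enabled, turning a silent use-after-free into a reproducible NULL dereference, and why destroying the workqueue before the core removes both problems. The struct names, the static arena and the read counter are assumptions of the model.

```c
#include <stdbool.h>
#include <string.h>
/* Constructed model, not ath10k code: a static arena stands in for the
 * kernel allocation (released through wiphy_dev_release) that embeds the
 * driver-private struct holding the sdio workqueue pointer. */
struct workqueue { bool alive; };
struct ar_sdio   { struct workqueue *workqueue; };
struct core      { struct ar_sdio sdio; };  /* released by core_destroy() */
static struct workqueue wq_storage;
static struct core arena;
static bool arena_freed;
static int uaf_reads;                       /* reads of already-freed memory */
static struct core *core_create(void) {     /* probe: alloc_workqueue() */
    arena_freed = false;
    uaf_reads = 0;
    wq_storage.alive = true;
    arena.sdio.workqueue = &wq_storage;
    return &arena;
}
/* Models kfree(): with init_on_free the block is zeroed before release,
 * so a pointer still stored inside it reads back as NULL afterwards. */
static void core_destroy(struct core *c, bool init_on_free) {
    if (init_on_free) memset(c, 0, sizeof *c);
    arena_freed = true;
}
/* Returns 0 on success, -1 when handed NULL (where the kernel panics). */
static int destroy_workqueue(struct workqueue *wq) {
    if (wq == NULL) return -1;
    wq->alive = false;
    return 0;
}
/* Reads ar_sdio->workqueue, counting the read if its owner is already freed. */
static struct workqueue *sdio_wq(struct core *c) {
    if (arena_freed) uaf_reads++;
    return c->sdio.workqueue;
}
/* Original order: owner freed first, workqueue pointer read afterwards. */
int remove_buggy(bool init_on_free) {
    struct core *c = core_create();
    core_destroy(c, init_on_free);
    return destroy_workqueue(sdio_wq(c));
}
/* Fixed order: destroy the workqueue while its owner is still alive. */
int remove_fixed(bool init_on_free) {
    struct core *c = core_create();
    int ret = destroy_workqueue(sdio_wq(c));
    core_destroy(c, init_on_free);
    return ret;
}
int uaf_read_count(void) { return uaf_reads; }
```

With init_on_free off the buggy order returns success but still reads freed memory, which is why the bug only surfaced as a panic on kernels built with CONFIG_INIT_ON_FREE_DEFAULT_ON.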
Impact
Base Score 3.x: 5.50
Severity 3.x: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | | 6.12.5 (excluding) |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/27d5d217ae7ffb99dd623375a17a7d3418d9c755
- https://git.kernel.org/stable/c/27fda36eedad9e4ec795dc481f307901d1885112
- https://git.kernel.org/stable/c/543c0924d446b21f35701ca084d7feca09511220
- https://git.kernel.org/stable/c/6e5dbd1c04abf2c19b2282915e6fa48b6ccc6921
- https://git.kernel.org/stable/c/95c38953cb1ecf40399a676a1f85dfe2b5780a9a
- https://git.kernel.org/stable/c/b35de9e01fc79c7baac666fb2dcb4ba7698a1d97
- https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html
- https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html