{
  "id": "CVE-2024-56599",
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "published": "2024-12-27T15:15:19.307",
  "lastModified": "2025-01-23T17:15:15.623",
  "vulnStatus": "Modified",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath10k: avoid NULL pointer error during sdio remove\n\nWhen running 'rmmod ath10k', ath10k_sdio_remove() will free sdio\nworkqueue by destroy_workqueue(). But if CONFIG_INIT_ON_FREE_DEFAULT_ON\nis set to yes, kernel panic will happen:\nCall trace:\n destroy_workqueue+0x1c/0x258\n ath10k_sdio_remove+0x84/0x94\n sdio_bus_remove+0x50/0x16c\n device_release_driver_internal+0x188/0x25c\n device_driver_detach+0x20/0x2c\n\nThis is because during 'rmmod ath10k', ath10k_sdio_remove() will call\nath10k_core_destroy() before destroy_workqueue(). wiphy_dev_release()\nwill finally be called in ath10k_core_destroy(). This function will free\nstruct cfg80211_registered_device *rdev and all its members, including\nwiphy, dev and the pointer of sdio workqueue. Then the pointer of sdio\nworkqueue will be set to NULL due to CONFIG_INIT_ON_FREE_DEFAULT_ON.\n\nAfter device release, destroy_workqueue() will use NULL pointer then the\nkernel panic happen.\n\nCall trace:\nath10k_sdio_remove\n  ->ath10k_core_unregister\n    \u2026\u2026\n    ->ath10k_core_stop\n      ->ath10k_hif_stop\n        ->ath10k_sdio_irq_disable\n    ->ath10k_hif_power_down\n      ->del_timer_sync(&ar_sdio->sleep_timer)\n  ->ath10k_core_destroy\n    ->ath10k_mac_destroy\n      ->ieee80211_free_hw\n        ->wiphy_free\n    \u2026\u2026\n          ->wiphy_dev_release\n  ->destroy_workqueue\n\nNeed to call destroy_workqueue() before ath10k_core_destroy(), free\nthe work queue buffer first and then free pointer of work queue by\nath10k_core_destroy(). This order matches the error path order in\nath10k_sdio_probe().\n\nNo work will be queued on sdio workqueue between it is destroyed and\nath10k_core_destroy() is called. Based on the call_stack above, the\nreason is:\nOnly ath10k_sdio_sleep_timer_handler(), ath10k_sdio_hif_tx_sg() and\nath10k_sdio_irq_disable() will queue work on sdio workqueue.\nSleep timer will be deleted before ath10k_core_destroy() in\nath10k_hif_power_down().\nath10k_sdio_irq_disable() only be called in ath10k_hif_stop().\nath10k_core_unregister() will call ath10k_hif_power_down() to stop hif\nbus, so ath10k_sdio_hif_tx_sg() won't be called anymore.\n\nTested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00189"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: wifi: ath10k: evitar error de puntero NULL durante la eliminaci\u00f3n de sdio Al ejecutar 'rmmod ath10k', ath10k_sdio_remove() liberar\u00e1 la cola de trabajo de sdio mediante destroy_workqueue(). Pero si CONFIG_INIT_ON_FREE_DEFAULT_ON est\u00e1 configurado en s\u00ed, se producir\u00e1 un p\u00e1nico del kernel: Rastreo de llamada: destroy_workqueue+0x1c/0x258 ath10k_sdio_remove+0x84/0x94 sdio_bus_remove+0x50/0x16c device_release_driver_internal+0x188/0x25c device_driver_detach+0x20/0x2c Esto se debe a que durante 'rmmod ath10k', ath10k_sdio_remove() llamar\u00e1 a ath10k_core_destroy() antes de destroy_workqueue(). wiphy_dev_release() finalmente se llamar\u00e1 en ath10k_core_destroy(). Esta funci\u00f3n liberar\u00e1 la estructura cfg80211_registered_device *rdev y todos sus miembros, incluidos wiphy, dev y el puntero de sdio workqueue. Luego, el puntero de sdio workqueue se establecer\u00e1 en NULL debido a CONFIG_INIT_ON_FREE_DEFAULT_ON. Despu\u00e9s de liberar el dispositivo, destroy_workqueue() usar\u00e1 el puntero NULL y luego se producir\u00e1 el p\u00e1nico del kernel. Rastreo de llamadas: ath10k_sdio_remove -&gt;ath10k_core_unregister \u2026\u2026 -&gt;ath10k_core_stop -&gt;ath10k_hif_stop -&gt;ath10k_sdio_irq_disable -&gt;ath10k_hif_power_down -&gt;del_timer_sync(&amp;ar_sdio-&gt;sleep_timer) -&gt;ath10k_core_destroy -&gt;ath10k_mac_destroy -&gt;ieee80211_free_hw -&gt;wiphy_free \u2026\u2026 -&gt;wiphy_dev_release -&gt;destroy_workqueue Es necesario llamar a destroy_workqueue() antes de ath10k_core_destroy(), primero liberar el b\u00fafer de la cola de trabajo y luego liberar el puntero de la cola de trabajo mediante ath10k_core_destroy(). Este orden coincide con el orden de la ruta de error en ath10k_sdio_probe(). No se pondr\u00e1 en cola ning\u00fan trabajo en la cola de trabajo de sdio entre su destrucci\u00f3n y la llamada a ath10k_core_destroy(). Seg\u00fan la pila de llamadas anterior, el motivo es el siguiente: solo ath10k_sdio_sleep_timer_handler(), ath10k_sdio_hif_tx_sg() y ath10k_sdio_irq_disable() pondr\u00e1n en cola el trabajo en la cola de trabajo de sdio. El temporizador de suspensi\u00f3n se eliminar\u00e1 antes de ath10k_core_destroy() en ath10k_hif_power_down(). ath10k_sdio_irq_disable() solo se llamar\u00e1 en ath10k_hif_stop(). ath10k_core_unregister() llamar\u00e1 a ath10k_hif_power_down() para detener el bus hif, por lo que ya no se llamar\u00e1 ath10k_sdio_hif_tx_sg(). Probado en: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00189"
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "attackVector": "LOCAL",
          "attackComplexity": "LOW",
          "privilegesRequired": "LOW",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "availabilityImpact": "HIGH"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6
      }
    ]
  },
  "weaknesses": [
    {
      "source": "nvd@nist.gov",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-476"
        }
      ]
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "operator": "OR",
          "negate": false,
          "cpeMatch": [
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "versionEndExcluding": "6.12.5",
              "matchCriteriaId": "75E05E0A-C898-433A-8E50-6D9EC8646A64"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://git.kernel.org/stable/c/543c0924d446b21f35701ca084d7feca09511220",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ]
    },
    {
      "url": "https://git.kernel.org/stable/c/6e5dbd1c04abf2c19b2282915e6fa48b6ccc6921",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    },
    {
      "url": "https://git.kernel.org/stable/c/95c38953cb1ecf40399a676a1f85dfe2b5780a9a",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ]
    },
    {
      "url": "https://git.kernel.org/stable/c/b35de9e01fc79c7baac666fb2dcb4ba7698a1d97",
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"
    }
  ]
}