๐Ÿ” CVE Alert

CVE-2024-56599

UNKNOWN 0.0

wifi: ath10k: avoid NULL pointer error during sdio remove

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

In the Linux kernel, the following vulnerability has been resolved: wifi: ath10k: avoid NULL pointer error during sdio remove When running 'rmmod ath10k', ath10k_sdio_remove() will free sdio workqueue by destroy_workqueue(). But if CONFIG_INIT_ON_FREE_DEFAULT_ON is set to yes, kernel panic will happen: Call trace: destroy_workqueue+0x1c/0x258 ath10k_sdio_remove+0x84/0x94 sdio_bus_remove+0x50/0x16c device_release_driver_internal+0x188/0x25c device_driver_detach+0x20/0x2c This is because during 'rmmod ath10k', ath10k_sdio_remove() will call ath10k_core_destroy() before destroy_workqueue(). wiphy_dev_release() will finally be called in ath10k_core_destroy(). This function will free struct cfg80211_registered_device *rdev and all its members, including wiphy, dev and the pointer of sdio workqueue. Then the pointer of sdio workqueue will be set to NULL due to CONFIG_INIT_ON_FREE_DEFAULT_ON. After device release, destroy_workqueue() will use NULL pointer then the kernel panic happen. Call trace: ath10k_sdio_remove ->ath10k_core_unregister โ€ฆโ€ฆ ->ath10k_core_stop ->ath10k_hif_stop ->ath10k_sdio_irq_disable ->ath10k_hif_power_down ->del_timer_sync(&ar_sdio->sleep_timer) ->ath10k_core_destroy ->ath10k_mac_destroy ->ieee80211_free_hw ->wiphy_free โ€ฆโ€ฆ ->wiphy_dev_release ->destroy_workqueue Need to call destroy_workqueue() before ath10k_core_destroy(), free the work queue buffer first and then free pointer of work queue by ath10k_core_destroy(). This order matches the error path order in ath10k_sdio_probe(). No work will be queued on sdio workqueue between it is destroyed and ath10k_core_destroy() is called. Based on the call_stack above, the reason is: Only ath10k_sdio_sleep_timer_handler(), ath10k_sdio_hif_tx_sg() and ath10k_sdio_irq_disable() will queue work on sdio workqueue. Sleep timer will be deleted before ath10k_core_destroy() in ath10k_hif_power_down(). ath10k_sdio_irq_disable() only be called in ath10k_hif_stop(). ath10k_core_unregister() will call ath10k_hif_power_down() to stop hif bus, so ath10k_sdio_hif_tx_sg() won't be called anymore. Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00189

Vendor linux
Product linux
Ecosystems
Industries
Technology
Published Dec 27, 2024
Last Updated May 11, 2026
Stay Ahead of the Next One

Get instant alerts for linux linux

Be the first to know when new unknown vulnerabilities affecting linux linux are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

Linux / Linux
5e3dd157d7e70f0e3cea3f2573ed69fb156a19d5 < 27d5d217ae7ffb99dd623375a17a7d3418d9c755 5e3dd157d7e70f0e3cea3f2573ed69fb156a19d5 < 27fda36eedad9e4ec795dc481f307901d1885112 5e3dd157d7e70f0e3cea3f2573ed69fb156a19d5 < 6e5dbd1c04abf2c19b2282915e6fa48b6ccc6921 5e3dd157d7e70f0e3cea3f2573ed69fb156a19d5 < b35de9e01fc79c7baac666fb2dcb4ba7698a1d97 5e3dd157d7e70f0e3cea3f2573ed69fb156a19d5 < 543c0924d446b21f35701ca084d7feca09511220 5e3dd157d7e70f0e3cea3f2573ed69fb156a19d5 < 95c38953cb1ecf40399a676a1f85dfe2b5780a9a
Linux / Linux
3.11

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
git.kernel.org: https://git.kernel.org/stable/c/27d5d217ae7ffb99dd623375a17a7d3418d9c755 git.kernel.org: https://git.kernel.org/stable/c/27fda36eedad9e4ec795dc481f307901d1885112 git.kernel.org: https://git.kernel.org/stable/c/6e5dbd1c04abf2c19b2282915e6fa48b6ccc6921 git.kernel.org: https://git.kernel.org/stable/c/b35de9e01fc79c7baac666fb2dcb4ba7698a1d97 git.kernel.org: https://git.kernel.org/stable/c/543c0924d446b21f35701ca084d7feca09511220 git.kernel.org: https://git.kernel.org/stable/c/95c38953cb1ecf40399a676a1f85dfe2b5780a9a lists.debian.org: https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html lists.debian.org: https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html