{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2024-56599","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-12-27T14:03:06.011Z","datePublished":"2024-12-27T14:51:05.866Z","dateUpdated":"2025-11-03T20:50:35.314Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-09-15T12:14:27.498Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath10k: avoid NULL pointer error during sdio remove\n\nWhen running 'rmmod ath10k', ath10k_sdio_remove() will free sdio\nworkqueue by destroy_workqueue(). But if CONFIG_INIT_ON_FREE_DEFAULT_ON\nis set to yes, kernel panic will happen:\nCall trace:\n destroy_workqueue+0x1c/0x258\n ath10k_sdio_remove+0x84/0x94\n sdio_bus_remove+0x50/0x16c\n device_release_driver_internal+0x188/0x25c\n device_driver_detach+0x20/0x2c\n\nThis is because during 'rmmod ath10k', ath10k_sdio_remove() will call\nath10k_core_destroy() before destroy_workqueue(). wiphy_dev_release()\nwill finally be called in ath10k_core_destroy(). This function will free\nstruct cfg80211_registered_device *rdev and all its members, including\nwiphy, dev and the pointer of sdio workqueue. Then the pointer of sdio\nworkqueue will be set to NULL due to CONFIG_INIT_ON_FREE_DEFAULT_ON.\n\nAfter device release, destroy_workqueue() will use NULL pointer then the\nkernel panic happen.\n\nCall trace:\nath10k_sdio_remove\n  ->ath10k_core_unregister\n    ……\n    ->ath10k_core_stop\n      ->ath10k_hif_stop\n        ->ath10k_sdio_irq_disable\n    ->ath10k_hif_power_down\n      ->del_timer_sync(&ar_sdio->sleep_timer)\n  ->ath10k_core_destroy\n    ->ath10k_mac_destroy\n      ->ieee80211_free_hw\n        ->wiphy_free\n    ……\n          ->wiphy_dev_release\n  ->destroy_workqueue\n\nNeed to call destroy_workqueue() before ath10k_core_destroy(), free\nthe work queue buffer first and then free pointer of work queue by\nath10k_core_destroy(). This order matches the error path order in\nath10k_sdio_probe().\n\nNo work will be queued on sdio workqueue between it is destroyed and\nath10k_core_destroy() is called. Based on the call_stack above, the\nreason is:\nOnly ath10k_sdio_sleep_timer_handler(), ath10k_sdio_hif_tx_sg() and\nath10k_sdio_irq_disable() will queue work on sdio workqueue.\nSleep timer will be deleted before ath10k_core_destroy() in\nath10k_hif_power_down().\nath10k_sdio_irq_disable() only be called in ath10k_hif_stop().\nath10k_core_unregister() will call ath10k_hif_power_down() to stop hif\nbus, so ath10k_sdio_hif_tx_sg() won't be called anymore.\n\nTested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00189"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/wireless/ath/ath10k/sdio.c"],"versions":[{"version":"5e3dd157d7e70f0e3cea3f2573ed69fb156a19d5","lessThan":"27d5d217ae7ffb99dd623375a17a7d3418d9c755","status":"affected","versionType":"git"},{"version":"5e3dd157d7e70f0e3cea3f2573ed69fb156a19d5","lessThan":"27fda36eedad9e4ec795dc481f307901d1885112","status":"affected","versionType":"git"},{"version":"5e3dd157d7e70f0e3cea3f2573ed69fb156a19d5","lessThan":"6e5dbd1c04abf2c19b2282915e6fa48b6ccc6921","status":"affected","versionType":"git"},{"version":"5e3dd157d7e70f0e3cea3f2573ed69fb156a19d5","lessThan":"b35de9e01fc79c7baac666fb2dcb4ba7698a1d97","status":"affected","versionType":"git"},{"version":"5e3dd157d7e70f0e3cea3f2573ed69fb156a19d5","lessThan":"543c0924d446b21f35701ca084d7feca09511220","status":"affected","versionType":"git"},{"version":"5e3dd157d7e70f0e3cea3f2573ed69fb156a19d5","lessThan":"95c38953cb1ecf40399a676a1f85dfe2b5780a9a","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/net/wireless/ath/ath10k/sdio.c"],"versions":[{"version":"3.11","status":"affected"},{"version":"0","lessThan":"3.11","status":"unaffected","versionType":"semver"},{"version":"5.10.237","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.181","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.127","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.70","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.12.5","lessThanOrEqual":"6.12.*","status":"unaffected","versionType":"semver"},{"version":"6.13","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.11","versionEndExcluding":"5.10.237"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.11","versionEndExcluding":"5.15.181"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.11","versionEndExcluding":"6.1.127"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.11","versionEndExcluding":"6.6.70"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.11","versionEndExcluding":"6.12.5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"3.11","versionEndExcluding":"6.13"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/27d5d217ae7ffb99dd623375a17a7d3418d9c755"},{"url":"https://git.kernel.org/stable/c/27fda36eedad9e4ec795dc481f307901d1885112"},{"url":"https://git.kernel.org/stable/c/6e5dbd1c04abf2c19b2282915e6fa48b6ccc6921"},{"url":"https://git.kernel.org/stable/c/b35de9e01fc79c7baac666fb2dcb4ba7698a1d97"},{"url":"https://git.kernel.org/stable/c/543c0924d446b21f35701ca084d7feca09511220"},{"url":"https://git.kernel.org/stable/c/95c38953cb1ecf40399a676a1f85dfe2b5780a9a"}],"title":"wifi: ath10k: avoid NULL pointer error during sdio remove","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T20:50:35.314Z"}}]}}