CVE-2024-56599: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath10k: avoid NULL pointer error during sdio remove
When running 'rmmod ath10k', ath10k_sdio_remove() will free sdio workqueue by destroy_workqueue(). But if CONFIG_INIT_ON_FREE_DEFAULT_ON is set to yes, kernel panic will happen:
Call trace:
 destroy_workqueue+0x1c/0x258
 ath10k_sdio_remove+0x84/0x94
 sdio_bus_remove+0x50/0x16c
 device_release_driver_internal+0x188/0x25c
 device_driver_detach+0x20/0x2c
This is because during 'rmmod ath10k', ath10k_sdio_remove() will call ath10k_core_destroy() before destroy_workqueue(). wiphy_dev_release() will finally be called in ath10k_core_destroy(). This function will free struct cfg80211_registered_device *rdev and all its members, including wiphy, dev and the pointer of sdio workqueue. Then the pointer of sdio workqueue will be set to NULL due to CONFIG_INIT_ON_FREE_DEFAULT_ON.
After device release, destroy_workqueue() will use NULL pointer then the kernel panic happen.
Call trace:
ath10k_sdio_remove
  ->ath10k_core_unregister
    ……
    ->ath10k_core_stop
      ->ath10k_hif_stop
        ->ath10k_sdio_irq_disable
    ->ath10k_hif_power_down
      ->del_timer_sync(&ar_sdio->sleep_timer)
  ->ath10k_core_destroy
    ->ath10k_mac_destroy
      ->ieee80211_free_hw
        ->wiphy_free
    ……
          ->wiphy_dev_release
  ->destroy_workqueue
Need to call destroy_workqueue() before ath10k_core_destroy(), free the work queue buffer first and then free pointer of work queue by ath10k_core_destroy(). This order matches the error path order in ath10k_sdio_probe().
No work will be queued on sdio workqueue between it is destroyed and ath10k_core_destroy() is called. Based on the call_stack above, the reason is:
Only ath10k_sdio_sleep_timer_handler(), ath10k_sdio_hif_tx_sg() and ath10k_sdio_irq_disable() will queue work on sdio workqueue.
Sleep timer will be deleted before ath10k_core_destroy() in ath10k_hif_power_down().
ath10k_sdio_irq_disable() only be called in ath10k_hif_stop().
ath10k_core_unregister() will call ath10k_hif_power_down() to stop hif bus, so ath10k_sdio_hif_tx_sg() won't be called anymore.
Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00189
AI Analysis
Technical Summary
CVE-2024-56599 is a vulnerability in the Linux kernel's ath10k wireless driver, specifically affecting the SDIO (Secure Digital Input Output) interface implementation. The issue arises during removal of the ath10k kernel module (via 'rmmod ath10k'), where ath10k_sdio_remove() frees the SDIO workqueue by calling destroy_workqueue(). If the kernel configuration option CONFIG_INIT_ON_FREE_DEFAULT_ON is enabled, a kernel panic occurs due to a NULL pointer dereference.
The panic happens because ath10k_sdio_remove() calls ath10k_core_destroy() before destroy_workqueue(). ath10k_core_destroy() ends in wiphy_dev_release(), which frees struct cfg80211_registered_device (rdev) and its members, including the pointer to the SDIO workqueue; with CONFIG_INIT_ON_FREE_DEFAULT_ON enabled, that pointer is then set to NULL. destroy_workqueue() subsequently operates on the NULL pointer and the kernel panics. The root cause is the incorrect order of resource cleanup: the workqueue should be destroyed before the core device structures are freed.
The fix reorders the cleanup calls so that destroy_workqueue() runs before ath10k_core_destroy(), matching the error-path order in ath10k_sdio_probe(). Per the commit message, no work is queued on the workqueue between its destruction and the call to ath10k_core_destroy(). The commit carries the tag "Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00189".
The vulnerability is triggered during module unload, which is a less common operation but critical for system stability and reliability. This flaw does not appear to allow remote code execution or privilege escalation directly but leads to a denial of service (DoS) via kernel panic, causing system crashes or reboots when the module is removed. No known exploits are reported in the wild as of the publication date. The vulnerability affects Linux kernel versions containing the specified commit hashes, which correspond to versions including the vulnerable ath10k SDIO driver code with the described behavior.
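The teardown ordering described above, as an added userspace model in C (not the kernel's code and not part of the original advisory). The model_* functions, the static arena standing in for the wiphy allocation, and the return codes are assumptions made for the demonstration; it also shows the case without zero-on-free, where the old order still reads released memory but goes unnoticed.

```c
/* Added userspace model, not kernel code; model_* names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct workqueue { int pending; };
struct ar_sdio { struct workqueue *workqueue; };    /* driver private data */
/* priv lives inside wiphy; static, so reads after "free" stay defined here */
static struct { struct ar_sdio priv; } wiphy_arena;

/* ath10k_core_destroy() stand-in: wiphy released; init_on_free zeroes it */
static void model_core_destroy(int init_on_free)
{
    if (init_on_free)
        memset(&wiphy_arena, 0, sizeof(wiphy_arena));
}

/* destroy_workqueue() stand-in: -1 marks where the kernel dereferences NULL */
static int model_destroy_workqueue(struct workqueue *wq)
{
    if (!wq)
        return -1;
    free(wq);
    return 0;
}

/* Returns 0 = clean, 1 = read of freed memory went unnoticed, -1 = NULL use */
int model_remove(int fixed_order, int init_on_free)
{
    struct ar_sdio *ar_sdio = &wiphy_arena.priv;
    struct workqueue *shadow;   /* demo only: lets the model free after -1 */
    int rc;
    shadow = ar_sdio->workqueue = calloc(1, sizeof(*shadow)); /* probe */
    if (fixed_order) {
        rc = model_destroy_workqueue(ar_sdio->workqueue);
        model_core_destroy(init_on_free);
    } else {
        model_core_destroy(init_on_free);
        rc = model_destroy_workqueue(ar_sdio->workqueue) ? -1 : 1; /* read after free */
    }
    if (rc < 0)
        free(shadow);
    return rc;
}

int main(void)
{
    /* old order + init_on_free, old order without it, fixed order */
    printf("%d %d %d\n", model_remove(0, 1), model_remove(0, 0), model_remove(1, 1));
    return 0;
}
```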
Potential Impact
For European organizations, the primary impact of CVE-2024-56599 is a potential denial of service condition on Linux systems using the ath10k wireless driver with SDIO interface hardware, particularly during module unload operations. This could affect servers, embedded devices, or workstations that dynamically manage kernel modules or perform driver reloads for maintenance or updates. The kernel panic caused by this vulnerability leads to system crashes, which can disrupt network connectivity and availability of critical services relying on wireless communication. While the vulnerability does not directly compromise confidentiality or integrity, the availability impact can be significant in environments where uptime is critical, such as industrial control systems, telecommunications infrastructure, or enterprise wireless networks. Systems that automatically reload drivers or perform hot-swapping of wireless modules are at higher risk. Additionally, the vulnerability could be triggered unintentionally by system administrators or automated scripts, leading to unexpected downtime. Given the widespread use of Linux in European IT infrastructure, including cloud providers, telecom operators, and government agencies, any instability in wireless drivers can have cascading effects on network reliability and operational continuity. However, the requirement for module removal to trigger the issue limits the attack surface compared to vulnerabilities exploitable remotely or without privileged access.
Mitigation Recommendations
To mitigate CVE-2024-56599, European organizations should:
1. Apply the official Linux kernel patches that reorder the cleanup sequence in the ath10k_sdio_remove() function to destroy the workqueue before freeing core device structures. Monitor kernel updates and backport fixes if using long-term support (LTS) kernels.
2. Avoid unloading the ath10k kernel module on production systems unless necessary. If module removal is required, perform it during maintenance windows with proper system monitoring to quickly recover from potential crashes.
3. Review kernel configuration settings, particularly CONFIG_INIT_ON_FREE_DEFAULT_ON, and assess if disabling this option is feasible without impacting other system functions, as it determines whether freed memory is zeroed.
4. Implement robust system monitoring and automated recovery mechanisms to detect kernel panics and reboot systems promptly to minimize downtime.
5. For embedded or specialized devices using QCA6174 or similar SDIO WLAN hardware, coordinate with hardware vendors for firmware and driver updates that incorporate the fix.
6. Conduct thorough testing of wireless driver behavior in staging environments before deploying updates to production, ensuring that module unload operations do not cause instability.
7. Educate system administrators about the risks of unloading wireless drivers and recommend alternative approaches such as system reboots for driver updates when possible.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-12-27T14:03:06.011Z
- Cisa Enriched: false
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682d9823c4522896dcbdf36e
Added to database: 5/21/2025, 9:08:51 AM
Last enriched: 6/28/2025, 12:24:54 PM
Last updated: 8/12/2025, 5:47:08 AM