CVE-2024-40979

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-40979
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-40979.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-40979
Downstream
Related
Published
2024-07-12T12:32:14Z
Modified
2025-10-15T12:27:12.290482Z
Summary
wifi: ath12k: fix kernel crash during resume
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath12k: fix kernel crash during resume

Currently during resume, QMI target memory is not properly handled, resulting in kernel crash in case DMA remap is not supported:

BUG: Bad page state in process kworker/u16:54 pfn:36e80
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x36e80
page dumped because: nonzero _refcount
Call Trace:
 bad_page
 free_page_is_bad_report
 __free_pages_ok
 __free_pages
 dma_direct_free
 dma_free_attrs
 ath12k_qmi_free_target_mem_chunk
 ath12k_qmi_msg_mem_request_cb

The reason is: Once ath12k module is loaded, firmware sends memory request to host. In case DMA remap not supported, ath12k refuses the first request due to failure in allocating with large segment size:

ath12k_pci 0000:04:00.0: qmi firmware request memory request
ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 7077888
ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 8454144
ath12k_pci 0000:04:00.0: qmi dma allocation failed (7077888 B type 1), will try later with small size
ath12k_pci 0000:04:00.0: qmi delays mem_request 2
ath12k_pci 0000:04:00.0: qmi firmware request memory request

Later firmware comes back with more but small segments and allocation succeeds:

ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 262144
ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 524288
ath12k_pci 0000:04:00.0: qmi mem seg type 4 size 65536
ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288

Now ath12k is working. If suspend is triggered, firmware will be reloaded during resume. Same as before, firmware requests two large segments at first. In ath12k_qmi_msg_mem_request_cb() segment count and size are assigned:

ab->qmi.mem_seg_count == 2
ab->qmi.target_mem[0].size == 7077888
ab->qmi.target_mem[1].size == 8454144

Then allocation failed like before and ath12k_qmi_free_target_mem_chunk() is called to free all allocated segments. Note the first segment is skipped because its v.addr is cleared due to allocation failure:

chunk->v.addr = dma_alloc_coherent()

Also note that this leaks that segment because it has not been freed.

While freeing the second segment, a size of 8454144 is passed to dma_free_coherent(). However remember that this segment is allocated at the first time firmware is loaded, before suspend. So its real size is 524288, much smaller than 8454144. As a result kernel found we are freeing some memory which is in use and thus cras ---truncated---
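
The size bookkeeping described in the commit message, replayed as a userspace model (an added example, not code from the kernel or from the patch). The alloc_size field, toy_alloc() and its 1 MiB limit are assumptions made for illustration; the segment sizes are the ones in the log above.

```c
#include <stddef.h>
#include <stdio.h>

#define NSEG 2
#define MAX_CONTIG (1024u * 1024u) /* assumption: toy allocator limit */

struct seg {
    size_t size;       /* size from the latest firmware request */
    size_t alloc_size; /* hypothetical: size the live buffer was allocated with */
    int live;          /* stands in for v.addr != NULL */
};
struct report { size_t leaked, oversized_free; };

/* Toy stand-in for dma_alloc_coherent(): large contiguous requests fail. */
static int toy_alloc(size_t n) { return n <= MAX_CONTIG; }

/* Replays the resume-time request; track != 0 frees with alloc_size. */
static struct report replay_resume(const size_t req[NSEG], int track)
{
    /* Constructed state: buffers left over from the first firmware load. */
    struct seg s[NSEG] = { { 524288, 524288, 1 }, { 524288, 524288, 1 } };
    struct report r = { 0, 0 };
    int i, failed = 0;

    for (i = 0; i < NSEG; i++)
        s[i].size = req[i];              /* sizes overwritten by the new request */
    for (i = 0; i < NSEG; i++) {
        if (track && s[i].live) {
            if (s[i].alloc_size == s[i].size)
                continue;                /* old buffer still fits: reuse it */
            s[i].live = 0;               /* released with its recorded size */
        }
        if (s[i].live)
            r.leaked += s[i].alloc_size; /* pointer is about to be overwritten */
        s[i].live = 0;
        if (!toy_alloc(s[i].size)) { failed = 1; break; }
        s[i].alloc_size = s[i].size;
        s[i].live = 1;
    }
    for (i = 0; failed && i < NSEG; i++) { /* free-all path after a failure */
        size_t len = track ? s[i].alloc_size : s[i].size;
        if (s[i].live && len > s[i].alloc_size)
            r.oversized_free += len - s[i].alloc_size;
        s[i].live = 0;
    }
    return r;
}

int main(void)
{
    const size_t req[NSEG] = { 7077888, 8454144 }; /* sizes from the log */
    struct report a = replay_resume(req, 0), b = replay_resume(req, 1);
    printf("untracked: leaked=%zu oversized_free=%zu\n", a.leaked, a.oversized_free);
    printf("tracked:   leaked=%zu oversized_free=%zu\n", b.leaked, b.oversized_free);
    return 0;
}
```

In the untracked replay the first segment's 524288-byte buffer is lost and the second is released with a length 7929856 bytes larger than its allocation; with the allocation size recorded per segment both counters stay at zero.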

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d889913205cf7ebda905b1e62c5867ed4e39f6c2
Fixed
bb50a4e711ff95348ad53641acb1306d89eb4c3a
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
d889913205cf7ebda905b1e62c5867ed4e39f6c2
Fixed
303c017821d88ebad887814114d4e5966d320b28

Affected versions

v6.*

v6.1
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7
v6.9.1
v6.9.2
v6.9.3
v6.9.4
v6.9.5
v6.9.6

Database specific


Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.3.0
Fixed
6.9.7