CVE-2024-40979

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath12k: fix kernel crash during resume

Currently during resume, QMI target memory is not properly handled, resulting in kernel crash in case DMA remap is not supported:

BUG: Bad page state in process kworker/u16:54 pfn:36e80 page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x36e80 page dumped because: nonzero refcount Call Trace: badpage freepageisbadreport _freepagesok _freepages dmadirectfree dmafreeattrs ath12kqmifreetargetmemchunk ath12kqmimsgmemrequest_cb

The reason is: Once ath12k module is loaded, firmware sends memory request to host. In case DMA remap not supported, ath12k refuses the first request due to failure in allocating with large segment size:

ath12kpci 0000:04:00.0: qmi firmware request memory request ath12kpci 0000:04:00.0: qmi mem seg type 1 size 7077888 ath12kpci 0000:04:00.0: qmi mem seg type 4 size 8454144 ath12kpci 0000:04:00.0: qmi dma allocation failed (7077888 B type 1), will try later with small size ath12kpci 0000:04:00.0: qmi delays memrequest 2 ath12k_pci 0000:04:00.0: qmi firmware request memory request

Later firmware comes back with more but small segments and allocation succeeds:

ath12kpci 0000:04:00.0: qmi mem seg type 1 size 524288 ath12kpci 0000:04:00.0: qmi mem seg type 1 size 524288 ath12kpci 0000:04:00.0: qmi mem seg type 1 size 524288 ath12kpci 0000:04:00.0: qmi mem seg type 1 size 524288 ath12kpci 0000:04:00.0: qmi mem seg type 1 size 524288 ath12kpci 0000:04:00.0: qmi mem seg type 1 size 524288 ath12kpci 0000:04:00.0: qmi mem seg type 1 size 524288 ath12kpci 0000:04:00.0: qmi mem seg type 1 size 262144 ath12kpci 0000:04:00.0: qmi mem seg type 1 size 524288 ath12kpci 0000:04:00.0: qmi mem seg type 1 size 524288 ath12kpci 0000:04:00.0: qmi mem seg type 1 size 524288 ath12kpci 0000:04:00.0: qmi mem seg type 1 size 524288 ath12kpci 0000:04:00.0: qmi mem seg type 1 size 524288 ath12kpci 0000:04:00.0: qmi mem seg type 4 size 524288 ath12kpci 0000:04:00.0: qmi mem seg type 4 size 524288 ath12kpci 0000:04:00.0: qmi mem seg type 4 size 524288 ath12kpci 0000:04:00.0: qmi mem seg type 4 size 524288 ath12kpci 0000:04:00.0: qmi mem seg type 4 size 524288 ath12kpci 0000:04:00.0: qmi mem seg type 4 size 524288 ath12kpci 0000:04:00.0: qmi mem seg type 4 size 524288 ath12kpci 0000:04:00.0: qmi mem seg type 4 size 524288 ath12kpci 0000:04:00.0: qmi mem seg type 4 size 524288 ath12kpci 0000:04:00.0: qmi mem seg type 4 size 524288 ath12kpci 0000:04:00.0: qmi mem seg type 4 size 524288 ath12kpci 0000:04:00.0: qmi mem seg type 4 size 524288 ath12kpci 0000:04:00.0: qmi mem seg type 4 size 524288 ath12kpci 0000:04:00.0: qmi mem seg type 4 size 524288 ath12kpci 0000:04:00.0: qmi mem seg type 4 size 524288 ath12kpci 0000:04:00.0: qmi mem seg type 4 size 524288 ath12kpci 0000:04:00.0: qmi mem seg type 4 size 65536 ath12k_pci 0000:04:00.0: qmi mem seg type 1 size 524288

Now ath12k is working. If suspend is triggered, firmware will be reloaded during resume. As same as before, firmware requests two large segments at first. In ath12kqmimsgmemrequest_cb() segment count and size are assigned:

ab->qmi.mem_seg_count == 2
ab->qmi.target_mem[0].size == 7077888
ab->qmi.target_mem[1].size == 8454144

Then allocation failed like before and ath12kqmifreetargetmem_chunk() is called to free all allocated segments. Note the first segment is skipped because its v.addr is cleared due to allocation failure:

chunk->v.addr = dma_alloc_coherent()

Also note that this leaks that segment because it has not been freed.

While freeing the second segment, a size of 8454144 is passed to dmafreecoherent(). However remember that this segment is allocated at the first time firmware is loaded, before suspend. So its real size is 524288, much smaller than 8454144. As a result kernel found we are freeing some memory which is in use and thus cras ---truncated---