Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A double free vulnerability has been identified in the Linux kernel's ath10k wireless driver. The issue arises when a firmware recovery, triggered by a timeout or crash, is immediately followed by a suspend event. The recovery process calls for the driver to clean up, but if the suspend event occurs during this recovery, the halt function is invoked a second time. That second call frees memory that has already been freed, which crashes the kernel. The vulnerability affects several versions of the Linux kernel where the ath10k driver is used.
Exploitation of this vulnerability leads to a kernel crash due to a double free error, where memory is freed twice without proper allocation in between, causing instability in the system.
The vulnerability can be reproduced by initiating a firmware recovery in the ath10k driver, which triggers a restart process. If a suspend event is then immediately applied, the restart worker thread becomes frozen, leading to a double invocation of the halt function when the driver is stopped. This sequence causes the crash by creating a double free condition in the memory management system.
The vulnerability has been addressed by modifying the suspend process to skip the halt function when the driver is in the RESTARTING state. Users should ensure they are using a patched version of the Linux kernel that includes this fix.
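The sequence and the fix described above can be modelled in user space. This is an added example, not the ath10k driver's code: the type and function names are hypothetical, and an integer flag stands in for the memory that the halt function frees, so the second release is counted instead of crashing.

```c
#include <stdio.h>

enum dev_state { DEV_OFF, DEV_ON, DEV_RESTARTING }; /* hypothetical names */

struct dev {
    enum dev_state state;
    int res_live;        /* 1 while the halt-owned resources are allocated */
    int double_release;  /* counts releases of already-released resources */
};

/* Teardown shared by the recovery path and the stop path. */
static void dev_halt(struct dev *d)
{
    if (!d->res_live)
        d->double_release++;   /* in the kernel this is the double free */
    d->res_live = 0;
}

/* Firmware recovery: halts the device and hands off to a restart worker.
 * Suspend freezes that worker, so the state stays RESTARTING. */
static void dev_recover(struct dev *d)
{
    d->state = DEV_RESTARTING;
    dev_halt(d);
}

/* Stop called from the suspend path; skip_when_restarting models the fix. */
static void dev_stop(struct dev *d, int skip_when_restarting)
{
    if (d->state != DEV_OFF) {
        if (!(skip_when_restarting && d->state == DEV_RESTARTING))
            dev_halt(d);
        d->state = DEV_OFF;
    }
}

/* Run recovery immediately followed by suspend; return double releases. */
static int run_sequence(int patched)
{
    struct dev d = { DEV_ON, 1, 0 };
    dev_recover(&d);
    dev_stop(&d, patched);
    return d.double_release;
}

int main(void)
{
    printf("unpatched: %d, patched: %d\n", run_sequence(0), run_sequence(1));
}
```

A stop from the normal ON state still runs the halt once in both variants; only the RESTARTING case is skipped.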