Qualcomm · Ath10K · CVE-2024-56599
**Name of the Vulnerable Software and Affected Versions**
Linux kernel (affected versions not specified)
**Description**
A NULL pointer error during sdio remove has been resolved in the Linux kernel. When running 'rmmod ath10k', `ath10k_sdio_remove()` will free the sdio workqueue by `destroy_workqueue()`. However, if `CONFIG_INIT_ON_FREE_DEFAULT_ON` is set to yes, a kernel panic will happen due to the NULL pointer error. The issue occurs because `ath10k_sdio_remove()` calls `ath10k_core_destroy()` before `destroy_workqueue()`, which frees the `struct cfg80211_registered_device *rdev` and its members, including the pointer of the sdio workqueue. To fix this, `destroy_workqueue()` should be called before `ath10k_core_destroy()`. The affected device is QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00189.
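The ordering problem described above, as an added userspace model (not the kernel driver's code and not part of the original advisory). The struct and function names `rdev_model`, `core_create`, `core_destroy`, `destroy_wq`, `remove_buggy` and `remove_fixed` are assumptions made for illustration; zeroing on free is modelled with `memset` on static storage so the stale read is well defined here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Userspace model only: simplified stand-ins, not kernel code. */
struct workqueue { int pending; };

/* Stands in for the allocation that owns the sdio workqueue pointer. */
struct rdev_model { struct workqueue *workqueue; };

static struct rdev_model arena; /* static, so reading after "free" is defined in this model */

static struct rdev_model *core_create(void) {
    arena.workqueue = calloc(1, sizeof(*arena.workqueue));
    return arena.workqueue ? &arena : NULL;
}

/* Models ath10k_core_destroy() with init_on_free: freed memory is zeroed. */
static void core_destroy(struct rdev_model *r) { memset(r, 0, sizeof(*r)); }

/* Models destroy_workqueue(): the kernel would dereference wq; report NULL instead. */
static int destroy_wq(struct workqueue *wq) {
    if (!wq) return -1;          /* in the kernel this is the NULL pointer panic */
    free(wq);
    return 0;
}

/* Order before the fix: owner destroyed first, then the workqueue pointer is read. */
int remove_buggy(void) {
    struct rdev_model *r = core_create();
    if (!r) return -2;
    struct workqueue *saved = r->workqueue; /* kept only so the model does not leak */
    core_destroy(r);
    int rc = destroy_wq(r->workqueue);      /* pointer was zeroed by core_destroy() */
    free(saved);
    return rc;
}

/* Order after the fix: workqueue destroyed while its owner is still valid. */
int remove_fixed(void) {
    struct rdev_model *r = core_create();
    if (!r) return -2;
    int rc = destroy_wq(r->workqueue);
    core_destroy(r);
    return rc;
}

int main(void) {
    printf("buggy order: %d\nfixed order: %d\n", remove_buggy(), remove_fixed());
    return 0;
}
```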
**Recommendations**
To resolve the issue, call `destroy_workqueue()` before `ath10k_core_destroy()`, free the work queue buffer first, and then free the pointer of the work queue by `ath10k_core_destroy()`. As a temporary workaround, consider disabling the `ath10k_sdio_remove()` function until a patch is available. Restrict access to the vulnerable `sdio workqueue` to minimize the risk of exploitation. Avoid using the `CONFIG_INIT_ON_FREE_DEFAULT_ON` configuration until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.