CVE-2024-26659

Severity CVSS v4.0:
Pending analysis
Type:
CWE-787 Out-of-bounds Write
Publication date:
02/04/2024
Last modified:
17/03/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

xhci: handle isoc Babble and Buffer Overrun events properly

xHCI 4.9 explicitly forbids assuming that the xHC has released its ownership of a multi-TRB TD when it reports an error on one of the early TRBs. Yet the driver makes such assumption and releases the TD, allowing the remaining TRBs to be freed or overwritten by new TDs.

The xHC should also report completion of the final TRB due to its IOC flag being set by us, regardless of prior errors. This event cannot be recognized if the TD has already been freed earlier, resulting in "Transfer event TRB DMA ptr not part of current TD" error message.

Fix this by reusing the logic for processing isoc Transaction Errors. This also handles hosts which fail to report the final completion.

Fix transfer length reporting on Babble errors. They may be caused by device malfunction, no guarantee that the buffer has been filled.

Vulnerable products and versions

CPE                                                From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       -                  5.10.213 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       5.11 (including)   5.15.152 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       5.16 (including)   6.1.82 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       6.2 (including)    6.6.17 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*       6.7 (including)    6.7.5 (excluding)
cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:*   -                  -
cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:*   -                  -
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*   -                  -
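
A check of a kernel release string against the Linux kernel version ranges listed above, as an added example that is not part of the original record. The function names are hypothetical, and the comparison assumes upstream version numbers: a distribution kernel that backports the fix keeps its older version string, so confirm against the vendor's advisory in that case.

```python
import math
import platform
import re

# Upstream ranges from the table above: (from, inclusive; up to, exclusive).
# None means the table lists no lower bound.
AFFECTED_RANGES = [
    (None, "5.10.213"),
    ("5.11", "5.15.152"),
    ("5.16", "6.1.82"),
    ("6.2", "6.6.17"),
    ("6.7", "6.7.5"),
]
# Release candidates the table lists individually.
AFFECTED_EXACT = ["6.8-rc1", "6.8-rc2"]

# Matches "6.6.16", "6.8-rc1", "6.8.0-rc1" and ignores any other suffix
# such as "-generic".
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def version_key(release):
    """Return a sortable key; an -rcN build sorts before its final release."""
    m = _RELEASE_RE.match(release.strip())
    if m is None:
        raise ValueError(f"not a kernel version: {release!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0),
            int(rc) if rc else math.inf)


def is_listed_affected(release):
    """True if the release falls in a range or exact entry from the table."""
    key = version_key(release)
    if any(key == version_key(v) for v in AFFECTED_EXACT):
        return True
    for low, high in AFFECTED_RANGES:
        above_low = low is None or version_key(low) <= key
        if above_low and key < version_key(high):
            return True
    return False


if __name__ == "__main__":
    running = platform.release()  # same string as `uname -r`
    print(running, "listed as affected:", is_listed_affected(running))
```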