CVE-2024-57981

Severity CVSS v4.0: Pending analysis
Type: CWE-476 NULL Pointer Dereference
Publication date: 27/02/2025
Last modified: 13/03/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: xhci: Fix NULL pointer dereference on certain command aborts

If a command is queued to the final usable TRB of a ring segment, the enqueue pointer is advanced to the subsequent link TRB and no further. If the command is later aborted, when the abort completion is handled the dequeue pointer is advanced to the first TRB of the next segment.

If no further commands are queued, xhci_handle_stopped_cmd_ring() sees the ring pointers unequal and assumes that there is a pending command, so it calls xhci_mod_cmd_timer() which crashes if cur_cmd was NULL.

Don't attempt timer setup if cur_cmd is NULL. The subsequent doorbell ring likely is unnecessary too, but it's harmless. Leave it alone.

This is probably Bug 219532, but no confirmation has been received.

The issue has been independently reproduced and confirmed fixed using a USB MCU programmed to NAK the Status stage of SET_ADDRESS forever. Everything continued working normally after several prevented crashes.
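The pointer state described above, as an added example that is not part of the advisory or the kernel source: a simplified user-space C model of a segmented command ring, showing when the enqueue and dequeue positions diverge with no command pending and what the cur_cmd guard changes. The segment count, segment size, and all type and function names here are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified user-space model, not kernel code. Sizes and names are assumed. */
#define SEGS 2
#define TRBS 4            /* TRBs per segment; the last one is the link TRB */
#define LINK (TRBS - 1)

enum outcome { RING_IDLE, TIMER_ARMED, DOORBELL_ONLY, NULL_DEREF };
struct pos { int seg, idx; };
struct cmd_ring { struct pos enq, deq; const char *cur_cmd; };

/* Queue a command: enqueue may step onto the link TRB, but no further. */
static void queue_cmd(struct cmd_ring *r, const char *name) {
    if (r->enq.idx == LINK)   /* parked on a link TRB: follow it first */
        r->enq = (struct pos){ (r->enq.seg + 1) % SEGS, 0 };
    r->enq.idx++;
    r->cur_cmd = name;
}

/* Completion or abort completion: dequeue skips the link TRB. */
static void finish_cmd(struct cmd_ring *r) {
    if (++r->deq.idx == LINK)
        r->deq = (struct pos){ (r->deq.seg + 1) % SEGS, 0 };
    r->cur_cmd = NULL;        /* nothing else is queued in this model */
}

/* Decision taken when the stopped command ring is handled. */
static enum outcome handle_stopped(const struct cmd_ring *r, bool patched) {
    if (r->enq.seg == r->deq.seg && r->enq.idx == r->deq.idx)
        return RING_IDLE;
    if (r->cur_cmd)
        return TIMER_ARMED;   /* a command really is pending */
    return patched ? DOORBELL_ONLY : NULL_DEREF;
}

/* Run n commands one at a time; the last one is the aborted one. */
static enum outcome scenario(int n, bool patched) {
    struct cmd_ring r = {0};
    for (int i = 0; i < n; i++) { queue_cmd(&r, "cmd"); finish_cmd(&r); }
    return handle_stopped(&r, patched);
}

int main(void) {
    for (int n = 1; n <= 4; n++)
        printf("n=%d unpatched=%d patched=%d\n", n, scenario(n, false), scenario(n, true));
    return 0;
}
```

In this model only a command that lands on the last usable TRB of a segment (n = 3 or 6 here) leaves the pointers unequal with cur_cmd NULL; every other position leaves the ring idle.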

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 3.16 (including) 6.1.129 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.76 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.13 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.13.2 (excluding)