CVE-2025-22023

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
16/04/2025
Last modified:
16/04/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

usb: xhci: Don't skip on Stopped - Length Invalid

Up until commit d56b0b2ab142 ("usb: xhci: ensure skipped isoc TDs are returned when isoc ring is stopped") in v6.11, the driver didn't skip missed isochronous TDs when handling Stopped and Stopped - Length Invalid events. Instead, it erroneously cleared the skip flag, which would cause the ring to get stuck, as future events won't match the missed TD which is never removed from the queue until it's cancelled.

This buggy logic seems to have been in place substantially unchanged since the 3.x series over 10 years ago, which probably speaks first and foremost about the relative rarity of this case in normal usage, but by the spec I see no reason why it shouldn't be possible.

After d56b0b2ab142, TDs are immediately skipped when handling those Stopped events. This poses a potential problem in case of Stopped - Length Invalid, which occurs either on completed TDs (likely already given back) or Link and No-Op TRBs. Such an event won't be recognized as matching any TD (unless it's the rare Link TRB inside a TD) and will result in skipping all pending TDs, giving them back possibly before they are done, risking isoc data loss and maybe UAF by HW.

As a compromise, don't skip and don't clear the skip flag on this kind of event. Then the next event will skip missed TDs. A downside of not handling Stopped - Length Invalid on a Link inside a TD is that if the TD is cancelled, its actual length will not be updated to account for TRBs (silently) completed before the TD was stopped.

I had no luck producing this sequence of completion events so there is no compelling demonstration of any resulting disaster. It may be a very rare, obscure condition. The sole motivation for this patch is that if such an unlikely event does occur, I'd rather risk reporting a cancelled partially done isoc frame as empty than gamble with UAF.

This will be fixed more properly by looking at the Stopped event's TRB pointer when making skipping decisions, but such rework is unlikely to be backported to v6.12, which will stay around for a few years.

Impact