CVE-2025-39790

Severity CVSS v4.0: Pending analysis
Type: CWE-415 Double Free
Publication date: 11/09/2025
Last modified: 16/01/2026

Description

In the Linux kernel, the following vulnerability has been resolved:

bus: mhi: host: Detect events pointing to unexpected TREs

When a remote device sends a completion event to the host, it contains a pointer to the consumed TRE. The host uses this pointer to process all of the TREs between it and the host's local copy of the ring's read pointer. This works when processing completion for chained transactions, but can lead to nasty results if the device sends an event for a single-element transaction with a read pointer that is multiple elements ahead of the host's read pointer.

For instance, if the host accesses an event ring while the device is updating it, the pointer inside of the event might still point to an old TRE. If the host uses the channel's xfer_cb() to directly free the buffer pointed to by the TRE, the buffer will be double-freed.

This behavior was observed on an ep that used upstream EP stack without 'commit 6f18d174b73d ("bus: mhi: ep: Update read pointer only after buffer is written")'. Where the device updated the events ring pointer before updating the event contents, so it left a window where the host was able to access the stale data the event pointed to, before the device had the chance to update them. The usual pattern was that the host received an event pointing to a TRE that is not immediately after the last processed one, so it got treated as if it was a chained transaction, processing all of the TREs in between the two read pointers.

This commit aims to harden the host by ensuring transactions where the event points to a TRE that isn't local_rp + 1 are chained.

[mani: added stable tag and reworded commit message]
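The following is an added, self-contained model of the failure mode and of the host-side check the fix describes; it is illustration written for this page, not code from the kernel's drivers/bus/mhi/host tree. The ring, the TRE_CHAIN flag bit, the buffer "live" table and every function name are hypothetical simplifications: the real host works on TRE virtual addresses and a parallel buffer ring, whereas here a TRE is a slot index and a buffer is an index into a table, so a second xfer_cb() on the same buffer is counted instead of corrupting an allocator. The scenario replays the pattern in the advisory: a device event whose pointer names a TRE several elements ahead of the host's read pointer, left over from the previous lap around the ring.

```c
/* Added example: simplified host-side model of an MHI transfer ring.
 * Not kernel code; slot indices, flag bits and helper names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define RING_SIZE 8
#define NBUFS     32
#define TRE_CHAIN 0x1u   /* hypothetical "this TRE is chained to the next one" bit */

struct tre {
    int buf;          /* index into host->live; -1 when the slot was never written */
    unsigned flags;
};

struct host {
    struct tre ring[RING_SIZE];
    unsigned rp;      /* local read pointer: next TRE the host expects to complete */
    unsigned wp;      /* write pointer: next free slot */
    bool live[NBUFS]; /* true while a buffer is allocated (handed to the device) */
    int double_frees; /* xfer_cb() invoked on a buffer that was already freed */
    int rejected;     /* events dropped by the hardened check */
};

static void host_init(struct host *h)
{
    memset(h, 0, sizeof(*h));
    for (unsigned i = 0; i < RING_SIZE; i++)
        h->ring[i].buf = -1;
}

/* Queue one buffer: write a TRE at wp and advance wp. */
static void host_queue(struct host *h, int buf, unsigned flags)
{
    h->ring[h->wp].buf = buf;
    h->ring[h->wp].flags = flags;
    h->live[buf] = true;
    h->wp = (h->wp + 1) % RING_SIZE;
}

/* The channel's xfer_cb(): the client frees the completed buffer directly. */
static void xfer_cb(struct host *h, int buf)
{
    if (!h->live[buf]) {
        h->double_frees++;   /* a real client would free() the same pointer twice */
        return;
    }
    h->live[buf] = false;
}

/* Process a completion event whose pointer names TRE slot ev_tre.
 * The host walks from rp up to and including ev_tre and calls xfer_cb for every
 * TRE, which is what makes chained transactions complete. With hardened=true it
 * first requires every TRE before ev_tre to carry TRE_CHAIN, so an event that
 * points past an unchained TRE is dropped instead of walked. TRE slots are not
 * cleared on completion, so a stale slot still holds its previous buffer. */
static bool process_xfer_event(struct host *h, unsigned ev_tre, bool hardened)
{
    if (hardened) {
        for (unsigned i = h->rp; i != ev_tre; i = (i + 1) % RING_SIZE) {
            if (!(h->ring[i].flags & TRE_CHAIN)) {
                h->rejected++;
                return false;
            }
        }
    }
    for (;;) {
        unsigned i = h->rp;
        int buf = h->ring[i].buf;
        h->rp = (i + 1) % RING_SIZE;
        if (buf >= 0)
            xfer_cb(h, buf);
        if (i == ev_tre)
            return true;
    }
}

/* Stale event: eight single-element transfers complete (rp wraps to 0), three
 * new buffers are queued in slots 0..2, then the device's event still points at
 * slot 5, whose buffer was freed on the previous lap. Returns double frees. */
static int stale_event_double_frees(bool hardened)
{
    struct host h;
    host_init(&h);
    for (int b = 0; b < RING_SIZE; b++) {
        host_queue(&h, b, 0);
        process_xfer_event(&h, (unsigned)b, hardened);
    }
    for (int b = 8; b < 11; b++)
        host_queue(&h, b, 0);
    process_xfer_event(&h, 5, hardened);   /* constructed stale event */
    return h.double_frees;
}

/* A legitimate three-element chain still completes under the hardened check. */
static int chained_transfer_freed(bool hardened)
{
    struct host h;
    host_init(&h);
    host_queue(&h, 0, TRE_CHAIN);
    host_queue(&h, 1, TRE_CHAIN);
    host_queue(&h, 2, 0);                 /* last element of the chain */
    process_xfer_event(&h, 2, hardened);  /* device points at the last TRE */
    int freed = 0;
    for (int b = 0; b < 3; b++)
        freed += !h.live[b];
    return freed;
}

int main(void)
{
    printf("stale event, unhardened: %d double frees\n", stale_event_double_frees(false));
    printf("stale event, hardened:   %d double frees\n", stale_event_double_frees(true));
    printf("chained, hardened:       %d buffers freed\n", chained_transfer_freed(true));
    return 0;
}
```

In the unhardened walk, slots 0..2 are freed early (their completions have not actually arrived) and slots 3..5 are freed a second time, which is the double free the advisory describes; the hardened variant refuses the event at slot 0 because it is not chained, leaving rp and every buffer untouched. The check is independent of whether the endpoint carries the EP-side ordering fix named in the description, which is the point of hardening the host.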

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.7 (including) 5.15.190 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.149 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.103 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.44 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.13 (including) 6.16.4 (excluding)
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*