cve-2024-40927
Vulnerability from cvelistv5
Published
2024-07-12 12:25
Modified
2024-11-05 09:33
Severity ?
Summary
xhci: Handle TD clearing for multiple streams case
Impacted products
LinuxLinux
LinuxLinux
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T04:39:55.945Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/26460c1afa311524f588e288a4941432f0de6228"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/633f72cb6124ecda97b641fbc119340bd88d51a9"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/949be4ec5835e0ccb3e2a8ab0e46179cb5512518"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/61593dc413c3655e4328a351555235bc3089486a"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/5ceac4402f5d975e5a01c806438eb4e554771577"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-40927",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T17:05:11.586761Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:33:03.177Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/host/xhci-ring.c",
            "drivers/usb/host/xhci.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "26460c1afa31",
              "status": "affected",
              "version": "e9df17eb1408",
              "versionType": "git"
            },
            {
              "lessThan": "633f72cb6124",
              "status": "affected",
              "version": "e9df17eb1408",
              "versionType": "git"
            },
            {
              "lessThan": "949be4ec5835",
              "status": "affected",
              "version": "e9df17eb1408",
              "versionType": "git"
            },
            {
              "lessThan": "61593dc413c3",
              "status": "affected",
              "version": "e9df17eb1408",
              "versionType": "git"
            },
            {
              "lessThan": "5ceac4402f5d",
              "status": "affected",
              "version": "e9df17eb1408",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/host/xhci-ring.c",
            "drivers/usb/host/xhci.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.35"
            },
            {
              "lessThan": "2.6.35",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.162",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.95",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.35",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.9.*",
              "status": "unaffected",
              "version": "6.9.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.10",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxhci: Handle TD clearing for multiple streams case\n\nWhen multiple streams are in use, multiple TDs might be in flight when\nan endpoint is stopped. We need to issue a Set TR Dequeue Pointer for\neach, to ensure everything is reset properly and the caches cleared.\nChange the logic so that any N\u003e1 TDs found active for different streams\nare deferred until after the first one is processed, calling\nxhci_invalidate_cancelled_tds() again from xhci_handle_cmd_set_deq() to\nqueue another command until we are done with all of them. Also change\nthe error/\"should never happen\" paths to ensure we at least clear any\naffected TDs, even if we can\u0027t issue a command to clear the hardware\ncache, and complain loudly with an xhci_warn() if this ever happens.\n\nThis problem case dates back to commit e9df17eb1408 (\"USB: xhci: Correct\nassumptions about number of rings per endpoint.\") early on in the XHCI\ndriver\u0027s life, when stream support was first added.\nIt was then identified but not fixed nor made into a warning in commit\n674f8438c121 (\"xhci: split handling halted endpoints into two steps\"),\nwhich added a FIXME comment for the problem case (without materially\nchanging the behavior as far as I can tell, though the new logic made\nthe problem more obvious).\n\nThen later, in commit 94f339147fc3 (\"xhci: Fix failure to give back some\ncached cancelled URBs.\"), it was acknowledged again.\n\n[Mathias: commit 94f339147fc3 (\"xhci: Fix failure to give back some cached\ncancelled URBs.\") was a targeted regression fix to the previously mentioned\npatch. Users reported issues with usb stuck after unmounting/disconnecting\nUAS devices. This rolled back the TD clearing of multiple streams to its\noriginal state.]\n\nApparently the commit author was aware of the problem (yet still chose\nto submit it): It was still mentioned as a FIXME, an xhci_dbg() was\nadded to log the problem condition, and the remaining issue was mentioned\nin the commit description. The choice of making the log type xhci_dbg()\nfor what is, at this point, a completely unhandled and known broken\ncondition is puzzling and unfortunate, as it guarantees that no actual\nusers would see the log in production, thereby making it nigh\nundebuggable (indeed, even if you turn on DEBUG, the message doesn\u0027t\nreally hint at there being a problem at all).\n\nIt took me *months* of random xHC crashes to finally find a reliable\nrepro and be able to do a deep dive debug session, which could all have\nbeen avoided had this unhandled, broken condition been actually reported\nwith a warning, as it should have been as a bug intentionally left in\nunfixed (never mind that it shouldn\u0027t have been left in at all).\n\n\u003e Another fix to solve clearing the caches of all stream rings with\n\u003e cancelled TDs is needed, but not as urgent.\n\n3 years after that statement and 14 years after the original bug was\nintroduced, I think it\u0027s finally time to fix it. And maybe next time\nlet\u0027s not leave bugs unfixed (that are actually worse than the original\nbug), and let\u0027s actually get people to review kernel commits please.\n\nFixes xHC crashes and IOMMU faults with UAS devices when handling\nerrors/faults. Easiest repro is to use `hdparm` to mark an early sector\n(e.g. 1024) on a disk as bad, then `cat /dev/sdX \u003e /dev/null` in a loop.\nAt least in the case of JMicron controllers, the read errors end up\nhaving to cancel two TDs (for two queued requests to different streams)\nand the one that didn\u0027t get cleared properly ends up faulting the xHC\nentirely when it tries to access DMA pages that have since been unmapped,\nreferred to by the stale TDs. This normally happens quickly (after two\nor three loops). After this fix, I left the `cat` in a loop running\novernight and experienced no xHC failures, with all read errors\nrecovered properly. Repro\u0027d and tested on an Apple M1 Mac Mini\n(dwc3 host).\n\nOn systems without an IOMMU, this bug would instead silently corrupt\nfreed memory, making this a\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-05T09:33:18.847Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/26460c1afa311524f588e288a4941432f0de6228"
        },
        {
          "url": "https://git.kernel.org/stable/c/633f72cb6124ecda97b641fbc119340bd88d51a9"
        },
        {
          "url": "https://git.kernel.org/stable/c/949be4ec5835e0ccb3e2a8ab0e46179cb5512518"
        },
        {
          "url": "https://git.kernel.org/stable/c/61593dc413c3655e4328a351555235bc3089486a"
        },
        {
          "url": "https://git.kernel.org/stable/c/5ceac4402f5d975e5a01c806438eb4e554771577"
        }
      ],
      "title": "xhci: Handle TD clearing for multiple streams case",
      "x_generator": {
        "engine": "bippy-9e1c9544281a"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-40927",
    "datePublished": "2024-07-12T12:25:07.101Z",
    "dateReserved": "2024-07-12T12:17:45.583Z",
    "dateUpdated": "2024-11-05T09:33:18.847Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-40927\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-07-12T13:15:15.477\",\"lastModified\":\"2024-07-12T16:34:58.687\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nxhci: Handle TD clearing for multiple streams case\\n\\nWhen multiple streams are in use, multiple TDs might be in flight when\\nan endpoint is stopped. We need to issue a Set TR Dequeue Pointer for\\neach, to ensure everything is reset properly and the caches cleared.\\nChange the logic so that any N\u003e1 TDs found active for different streams\\nare deferred until after the first one is processed, calling\\nxhci_invalidate_cancelled_tds() again from xhci_handle_cmd_set_deq() to\\nqueue another command until we are done with all of them. Also change\\nthe error/\\\"should never happen\\\" paths to ensure we at least clear any\\naffected TDs, even if we can\u0027t issue a command to clear the hardware\\ncache, and complain loudly with an xhci_warn() if this ever happens.\\n\\nThis problem case dates back to commit e9df17eb1408 (\\\"USB: xhci: Correct\\nassumptions about number of rings per endpoint.\\\") early on in the XHCI\\ndriver\u0027s life, when stream support was first added.\\nIt was then identified but not fixed nor made into a warning in commit\\n674f8438c121 (\\\"xhci: split handling halted endpoints into two steps\\\"),\\nwhich added a FIXME comment for the problem case (without materially\\nchanging the behavior as far as I can tell, though the new logic made\\nthe problem more obvious).\\n\\nThen later, in commit 94f339147fc3 (\\\"xhci: Fix failure to give back some\\ncached cancelled URBs.\\\"), it was acknowledged again.\\n\\n[Mathias: commit 94f339147fc3 (\\\"xhci: Fix failure to give back some cached\\ncancelled URBs.\\\") was a targeted regression fix to the previously mentioned\\npatch. Users reported issues with usb stuck after unmounting/disconnecting\\nUAS devices. This rolled back the TD clearing of multiple streams to its\\noriginal state.]\\n\\nApparently the commit author was aware of the problem (yet still chose\\nto submit it): It was still mentioned as a FIXME, an xhci_dbg() was\\nadded to log the problem condition, and the remaining issue was mentioned\\nin the commit description. The choice of making the log type xhci_dbg()\\nfor what is, at this point, a completely unhandled and known broken\\ncondition is puzzling and unfortunate, as it guarantees that no actual\\nusers would see the log in production, thereby making it nigh\\nundebuggable (indeed, even if you turn on DEBUG, the message doesn\u0027t\\nreally hint at there being a problem at all).\\n\\nIt took me *months* of random xHC crashes to finally find a reliable\\nrepro and be able to do a deep dive debug session, which could all have\\nbeen avoided had this unhandled, broken condition been actually reported\\nwith a warning, as it should have been as a bug intentionally left in\\nunfixed (never mind that it shouldn\u0027t have been left in at all).\\n\\n\u003e Another fix to solve clearing the caches of all stream rings with\\n\u003e cancelled TDs is needed, but not as urgent.\\n\\n3 years after that statement and 14 years after the original bug was\\nintroduced, I think it\u0027s finally time to fix it. And maybe next time\\nlet\u0027s not leave bugs unfixed (that are actually worse than the original\\nbug), and let\u0027s actually get people to review kernel commits please.\\n\\nFixes xHC crashes and IOMMU faults with UAS devices when handling\\nerrors/faults. Easiest repro is to use `hdparm` to mark an early sector\\n(e.g. 1024) on a disk as bad, then `cat /dev/sdX \u003e /dev/null` in a loop.\\nAt least in the case of JMicron controllers, the read errors end up\\nhaving to cancel two TDs (for two queued requests to different streams)\\nand the one that didn\u0027t get cleared properly ends up faulting the xHC\\nentirely when it tries to access DMA pages that have since been unmapped,\\nreferred to by the stale TDs. This normally happens quickly (after two\\nor three loops). After this fix, I left the `cat` in a loop running\\novernight and experienced no xHC failures, with all read errors\\nrecovered properly. Repro\u0027d and tested on an Apple M1 Mac Mini\\n(dwc3 host).\\n\\nOn systems without an IOMMU, this bug would instead silently corrupt\\nfreed memory, making this a\\n---truncated---\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/26460c1afa311524f588e288a4941432f0de6228\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/5ceac4402f5d975e5a01c806438eb4e554771577\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/61593dc413c3655e4328a351555235bc3089486a\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/633f72cb6124ecda97b641fbc119340bd88d51a9\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/949be4ec5835e0ccb3e2a8ab0e46179cb5512518\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...
  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.