Linux Kernel USB XHCI Driver Isochronous TD Handling Vulnerability

A vulnerability in the Linux kernel's USB xHCI driver affects versions through 6.11. The issue arises in the handling of isochronous Transfer Descriptors (TDs) when the isochronous ring is stopped or when a 'Stopped - Length Invalid' event occurs. Prior to the patch in version 6.11, the driver incorrectly cleared the skip flag for missed TDs, causing the ring to become stuck. The missed TDs would remain in the queue until cancelled, leading to potential data loss. After the patch, TDs are correctly skipped when the ring is stopped, but this creates a new issue with 'Stopped - Length Invalid' events, which can cause pending TDs to be skipped prematurely, risking isochronous data loss and possibly leading to a use-after-free condition by the hardware.

Impact

The vulnerability could result in a use-after-free condition by the hardware, potentially allowing for memory management errors or exploitation.