Linux Kernel xHCI Sideband Endpoint Removal Vulnerability

A vulnerability in the Linux kernel's xHCI sideband endpoint removal process can lead to a crash. The issue arises because the function xhci_sideband_remove_endpoint() incorrectly assumes that the endpoint is active and has a valid transfer ring. This can result in dereferencing a non-existent transfer ring during operation. The problem was reported by Lianqin, who identified the crash during suspend and wake-up stress testing. The vulnerability occurs when the endpoint and its transfer ring are left in an undefined state, such as after xHCI is reinitialized following a power loss, or during device re-enumeration, disconnection, or if the endpoint has already been dropped.

Impact

The vulnerability can cause a system crash, particularly during suspend and wake-up cycles, by attempting to access a freed or non-existent transfer ring associated with a sideband endpoint.

Remediation

Users can apply the latest patches from the Linux kernel stable tree to address this vulnerability.