"value":"In the Linux kernel, the following vulnerability has been resolved:\n\nxhci: Handle TD clearing for multiple streams case\n\nWhen multiple streams are in use, multiple TDs might be in flight when\nan endpoint is stopped. We need to issue a Set TR Dequeue Pointer for\neach, to ensure everything is reset properly and the caches cleared.\nChange the logic so that any N>1 TDs found active for different streams\nare deferred until after the first one is processed, calling\nxhci_invalidate_cancelled_tds() again from xhci_handle_cmd_set_deq() to\nqueue another command until we are done with all of them. Also change\nthe error/\"should never happen\" paths to ensure we at least clear any\naffected TDs, even if we can't issue a command to clear the hardware\ncache, and complain loudly with an xhci_warn() if this ever happens.\n\nThis problem case dates back to commit e9df17eb1408 (\"USB: xhci: Correct\nassumptions about number of rings per endpoint.\") early on in the XHCI\ndriver's life, when stream support was first added.\nIt was then identified but not fixed nor made into a warning in commit\n674f8438c121 (\"xhci: split handling halted endpoints into two steps\"),\nwhich added a FIXME comment for the problem case (without materially\nchanging the behavior as far as I can tell, though the new logic made\nthe problem more obvious).\n\nThen later, in commit 94f339147fc3 (\"xhci: Fix failure to give back some\ncached cancelled URBs.\"), it was acknowledged again.\n\n[Mathias: commit 94f339147fc3 (\"xhci: Fix failure to give back some cached\ncancelled 
URBs.\") was a targeted regression fix to the previously mentioned\npatch. Users reported issues with usb stuck after unmounting/disconnecting\nUAS devices. This rolled back the TD clearing of multiple streams to its\noriginal state.]\n\nApparently the commit author was aware of the problem (yet still chose\nto submit it): It was still mentioned as a FIXME, an xhci_dbg() was\nadded to log the problem condition, and the remaining issue was mentioned\nin the commit description. The choice of making the log type xhci_dbg()\nfor what is, at this point, a completely unhandled and known broken\ncondition is puzzling and unfortunate, as it guarantees that no actual\nusers would see the log in production, thereby making it nigh\nundebuggable (indeed, even if you turn on DEBUG, the message doesn't\nreally hint at there being a problem at all).\n\nIt took me *months* of random xHC crashes to finally find a reliable\nrepro and be able to do a deep dive debug session, which could all have\nbeen avoided had this unhandled, broken condition been actually reported\nwith a warning, as it should have been as a bug intentionally left in\nunfixed (never mind that it shouldn't have been left in at all).\n\n> Another fix to solve clearing the caches of all stream rings with\n> cancelled TDs is needed, but not as urgent.\n\n3 years after that statement and 14 years after the original bug was\nintroduced, I think it's finally time to fix it. And maybe next time\nlet's not leave bugs unfixed (that are actually worse than the original\nbug), and let's actually get people to review kernel commits please.\n\nFixes xHC crashes and IOMMU faults with UAS devices when handling\nerrors/faults. Easiest repro is to use `hdparm` to mark an early sector\n(e.g. 1024) on a disk as bad, then `cat /dev/sdX > /dev/null` in a loop.\nAt least in the case of JMicron controllers, the read errors end up\nhaving to cancel two TDs (for two queued requests to different streams)\nand the one that didn't get cleared properly ends up faulting the xHC\nentirely when it tries to access DMA pages that have since been unmapped,\nreferred to by the stale TDs. This normally happens quickly (after two\nor three loops). After this fix, I left the `cat` in a loop running\novernight and experienced no xHC failures, with all read errors\nrecovered properly. Repro'd and tested on an Apple M1 Mac Mini\n(dwc3 host).\n\nOn systems without an IOMMU, this bug would instead silently corrupt\nfreed memory, making this a\n---truncated--