CVE-2026-23009

EPSS 0.02%
Veröffentlicht 25.01.2026 14:36:22
Zuletzt bearbeitet 25.03.2026 19:53:47
Quelle 416baaa9-dc9f-4396-8d5f-8c081f
CVE-Watchlists
Login
Unerledigt
Login

xhci: sideband: don't dereference freed ring when removing sideband endpoint

In the Linux kernel, the following vulnerability has been resolved:

xhci: sideband: don't dereference freed ring when removing sideband endpoint

xhci_sideband_remove_endpoint() incorrecly assumes that the endpoint is
running and has a valid transfer ring.

Lianqin reported a crash during suspend/wake-up stress testing, and
found the cause to be dereferencing a non-existing transfer ring
'ep->ring' during xhci_sideband_remove_endpoint().

The endpoint and its ring may be in unknown state if this function
is called after xHCI was reinitialized in resume (lost power), or if
device is being re-enumerated, disconnected or endpoint already dropped.

Fix this by both removing unnecessary ring access, and by checking
ep->ring exists before dereferencing it. Also make sure endpoint is
running before attempting to stop it.

Remove the xhci_initialize_ring_info() call during sideband endpoint
removal as is it only initializes ring structure enqueue, dequeue and
cycle state values to their starting values without changing actual
hardware enqueue, dequeue and cycle state. Leaving them out of sync
is worse than leaving it as it is. The endpoint will get freed in after
this in most usecases.

If the (audio) class driver want's to reuse the endpoint after offload
then it is up to the class driver to ensure endpoint is properly set up.