diff options
| author | ANANDHAKRISHNAN S <[email protected]> | 2026-01-22 10:57:54 +0530 |
|---|---|---|
| committer | Marek Vasut <[email protected]> | 2026-01-25 10:40:42 +0100 |
| commit | ba94fb3003bd4155284c00c1b37613dd8e284816 (patch) | |
| tree | 1a464aab3215a15aef6af23be4a786cc3f8c6771 /drivers | |
| parent | 8de6e8f8a076d2c9b6d38d8563db135c167077ec (diff) | |
usb: xhci: fix DMA address corruption in abort_td
When aborting a Transfer Descriptor (TD), the xHCI driver updates the
device dequeue pointer by converting the virtual enqueue TRB pointer
into a DMA address.
Previously, the code OR-ed the ring's Dequeue Cycle State (DCS) bit into
the virtual TRB pointer before passing it to xhci_trb_virt_to_dma().
This produced an unaligned virtual address (e.g. ending in 0x...1).
Inside xhci_trb_virt_to_dma(), the offset calculation:
segment_offset = trb - seg->trbs;
operated on this unaligned pointer, resulting in an incorrect TRB index.
In wraparound cases, this caused the bounds check to fail and the
function to return 0.
As a result, a SET_DEQ_PTR command was issued with a DMA address of 0x0,
leading to controller hangs and transfer timeouts, most commonly when
aborting TDs near the end of a ring segment (e.g. index 63).
Fix this by translating the aligned virtual TRB pointer to a DMA address
first, and only then applying the DCS bit to the resulting physical
address.
Reviewed-by: Marek Vasut <[email protected]>
Signed-off-by: ANANDHAKRISHNAN S <[email protected]>
Diffstat (limited to 'drivers')
| -rw-r--r-- | drivers/usb/host/xhci-ring.c | 10 |
1 files changed, 4 insertions, 6 deletions
diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c index 34eb4536f0e..6f5c4ec97b6 100644 --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c @@ -523,9 +523,8 @@ static void reset_ep(struct usb_device *udev, int ep_index) field = le32_to_cpu(event->trans_event.flags); BUG_ON(TRB_TO_SLOT_ID(field) != udev->slot_id); xhci_acknowledge_event(ctrl); - - addr = xhci_trb_virt_to_dma(ring->enq_seg, - (void *)((uintptr_t)ring->enqueue | ring->cycle_state)); + addr = xhci_trb_virt_to_dma(ring->enq_seg, ring->enqueue) | + ring->cycle_state; xhci_queue_command(ctrl, addr, udev->slot_id, ep_index, TRB_SET_DEQ); event = xhci_wait_for_event(ctrl, TRB_COMPLETION); if (!event) @@ -582,9 +581,8 @@ static void abort_td(struct usb_device *udev, int ep_index) TRB_TO_SLOT_ID(le32_to_cpu(event->event_cmd.flags)) != udev->slot_id || (comp != COMP_SUCCESS && comp != COMP_CTX_STATE)); xhci_acknowledge_event(ctrl); - - addr = xhci_trb_virt_to_dma(ring->enq_seg, - (void *)((uintptr_t)ring->enqueue | ring->cycle_state)); + addr = xhci_trb_virt_to_dma(ring->enq_seg, ring->enqueue) | + ring->cycle_state; xhci_queue_command(ctrl, addr, udev->slot_id, ep_index, TRB_SET_DEQ); event = xhci_wait_for_event(ctrl, TRB_COMPLETION); if (!event) |