[PATCH] usb: xhci: fix DMA address corruption in abort_td

Marek Vasut marek.vasut at mailbox.org
Tue Jan 20 23:43:46 CET 2026 

On 1/20/26 3:50 PM, ANANDHAKRISHNAN S wrote:
> When aborting a Transfer Descriptor (TD), the xHCI driver updates the
> device dequeue pointer by converting the virtual enqueue TRB pointer
> into a DMA address.

reset_ep() seems to have the same problem ?

> Previously, the code OR-ed the ring's Dequeue Cycle State (DCS) bit into
> the virtual TRB pointer before passing it to xhci_trb_virt_to_dma().
> This produced an unaligned virtual address (e.g. ending in 0x...1).
> 
> Inside xhci_trb_virt_to_dma(), the offset calculation:
> 
> segment_offset = trb - seg->trbs;
> 
> operated on this unaligned pointer, resulting in an incorrect TRB index.
> In wraparound cases, this caused the bounds check to fail and the
> function to return 0.
> 
> As a result, a SET_DEQ_PTR command was issued with a DMA address of 0x0,
> leading to controller hangs and transfer timeouts, most commonly when
> aborting TDs near the end of a ring segment (e.g. index 63).
> 
> Fix this by translating the aligned virtual TRB pointer to a DMA address
> first, and only then applying the DCS bit to the resulting physical
> address.
> 
> Signed-off-by: ANANDHAKRISHNAN S <anandhakrishnan.s at dicortech.com>
> ---
>   drivers/usb/host/xhci-ring.c | 8 +++++---
>   1 file changed, 5 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
> index 34eb4536f0e..9e0ff71710a 100644
> --- a/drivers/usb/host/xhci-ring.c
> +++ b/drivers/usb/host/xhci-ring.c
> @@ -582,9 +582,11 @@ static void abort_td(struct usb_device *udev, int ep_index)
>   		TRB_TO_SLOT_ID(le32_to_cpu(event->event_cmd.flags)) != udev->slot_id ||
>   		(comp != COMP_SUCCESS && comp != COMP_CTX_STATE));
>   	xhci_acknowledge_event(ctrl);
> -
> -	addr = xhci_trb_virt_to_dma(ring->enq_seg,
> -		(void *)((uintptr_t)ring->enqueue | ring->cycle_state));

-		(void *)((uintptr_t)ring->enqueue | ring->cycle_state));
+		(void *)(uintptr_t)ring->enqueue) | ring->cycle_state;

cycle_state is already either 0 or 1, isn't it ?

> +	addr = xhci_trb_virt_to_dma(ring->enq_seg, ring->enqueue);
> +	if (ring->cycle_state)
> +		addr |= 0x1ULL;
> +	else
> +		addr &= ~0x1ULL;
>   	xhci_queue_command(ctrl, addr, udev->slot_id, ep_index, TRB_SET_DEQ);
>   	event = xhci_wait_for_event(ctrl, TRB_COMPLETION);
>   	if (!event)

More information about the U-Boot mailing list