[PATCH v2] usb: xhci: fix DMA address corruption in abort_td

Marek Vasut marek.vasut at mailbox.org
Wed Jan 21 12:09:58 CET 2026 

On 1/21/26 11:12 AM, ANANDHAKRISHNAN S wrote:
> When aborting a Transfer Descriptor (TD), the xHCI driver updates the
> device dequeue pointer by converting the virtual enqueue TRB pointer
> into a DMA address.
> 
> Previously, the code OR-ed the ring's Dequeue Cycle State (DCS) bit into
> the virtual TRB pointer before passing it to xhci_trb_virt_to_dma().
> This produced an unaligned virtual address (e.g. ending in 0x...1).
> 
> Inside xhci_trb_virt_to_dma(), the offset calculation:
> 
> segment_offset = trb - seg->trbs;
> 
> operated on this unaligned pointer, resulting in an incorrect TRB index.
> In wraparound cases, this caused the bounds check to fail and the
> function to return 0.
> 
> As a result, a SET_DEQ_PTR command was issued with a DMA address of 0x0,
> leading to controller hangs and transfer timeouts, most commonly when
> aborting TDs near the end of a ring segment (e.g. index 63).
> 
> Fix this by translating the aligned virtual TRB pointer to a DMA address
> first, and only then applying the DCS bit to the resulting physical
> address.
> 
> Changes in v2:
> - Apply the same fix to reset_ep()
> - Simplify cycle bit handling to a single mask operation
> 
> Signed-off-by: ANANDHAKRISHNAN S <anandhakrishnan.s at dicortech.com>
> ---
>   drivers/usb/host/xhci-ring.c | 10 ++++------
>   1 file changed, 4 insertions(+), 6 deletions(-)
> 
> diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
> index 34eb4536f0e..229882a9dbd 100644
> --- a/drivers/usb/host/xhci-ring.c
> +++ b/drivers/usb/host/xhci-ring.c
> @@ -523,9 +523,8 @@ static void reset_ep(struct usb_device *udev, int ep_index)
>   	field = le32_to_cpu(event->trans_event.flags);
>   	BUG_ON(TRB_TO_SLOT_ID(field) != udev->slot_id);
>   	xhci_acknowledge_event(ctrl);
> -
> -	addr = xhci_trb_virt_to_dma(ring->enq_seg,
> -		(void *)((uintptr_t)ring->enqueue | ring->cycle_state));
> +	addr = xhci_trb_virt_to_dma(ring->enq_seg, ring->enqueue);
> +	addr = (addr & ~0x1ULL) | ring->cycle_state;

Can addr actually ever have bit(0) set ? If not, addr & ~0x1ULL is not 
needed and you can literally addr = xhci_trb_virt_to_dma(ring->enq_seg, 
ring->enqueue) | ring->cycle_state;

More information about the U-Boot mailing list