[PATCH v3] usb: xhci: fix DMA address corruption in abort_td
Marek Vasut
marek.vasut at mailbox.org
Wed Jan 21 19:07:30 CET 2026
On 1/21/26 6:06 PM, ANANDHAKRISHNAN S wrote:
> When aborting a Transfer Descriptor (TD), the xHCI driver updates the
> device dequeue pointer by converting the virtual enqueue TRB pointer
> into a DMA address.
>
> Previously, the code OR-ed the ring's Dequeue Cycle State (DCS) bit into
> the virtual TRB pointer before passing it to xhci_trb_virt_to_dma().
> This produced an unaligned virtual address (e.g. ending in 0x...1).
>
> Inside xhci_trb_virt_to_dma(), the offset calculation:
>
> segment_offset = trb - seg->trbs;
>
> operated on this unaligned pointer, resulting in an incorrect TRB index.
> In wraparound cases, this caused the bounds check to fail and the
> function to return 0.
>
> As a result, a SET_DEQ_PTR command was issued with a DMA address of 0x0,
> leading to controller hangs and transfer timeouts, most commonly when
> aborting TDs near the end of a ring segment (e.g. index 63).
>
> Fix this by translating the aligned virtual TRB pointer to a DMA address
> first, and only then applying the DCS bit to the resulting physical
> address.
>
> Changes in v3:
The changelog should be below --- , else it gets included in the commit
when it is applied.
> - Simplified the DMA address calculation by removing the redundant
> bit(0) mask (& ~0x1ULL), as XHCI guarantees the address is already
> aligned.
>
> Changes in v2:
> - Apply the same fix to reset_ep()
> - Simplify cycle bit handling to a single mask operation
>
> Signed-off-by: ANANDHAKRISHNAN S <anandhakrishnan.s at dicortech.com>
> ---
i.e. patch changelog goes HERE
> drivers/usb/host/xhci-ring.c | 10 ++++------
> 1 file changed, 4 insertions(+), 6 deletions(-)
Reviewed-by: Marek Vasut <marek.vasut at mailbox.org>
More information about the U-Boot
mailing list