mirror of
https://github.com/torvalds/linux.git
synced 2026-03-08 01:04:41 +01:00
cea2a1257a
The ChipIdea UDC driver can encounter "not page aligned sg buffer" errors when a USB device is reconnected after being disconnected during an active transfer. This occurs because _ep_nuke() returns requests to the gadget layer without properly unmapping DMA buffers or cleaning up scatter-gather bounce buffers. Root cause: When a disconnect happens during a multi-segment DMA transfer, the request's num_mapped_sgs field and sgt.sgl pointer remain set with stale values. The request is returned to the gadget driver with status -ESHUTDOWN but still has active DMA state. If the gadget driver reuses this request on reconnect without reinitializing it, the stale DMA state causes _hardware_enqueue() to skip DMA mapping (seeing non-zero num_mapped_sgs) and attempt to use freed/invalid DMA addresses, leading to alignment errors and potential memory corruption. The normal completion path via _hardware_dequeue() properly calls usb_gadget_unmap_request_by_dev() and sglist_do_debounce() before returning the request. The _ep_nuke() path must do the same cleanup to ensure requests are returned in a clean, reusable state. Fix: Add DMA unmapping and bounce buffer cleanup to _ep_nuke() to mirror the cleanup sequence in _hardware_dequeue(): - Call usb_gadget_unmap_request_by_dev() if num_mapped_sgs is set - Call sglist_do_debounce() with copy=false if bounce buffer exists This ensures that when requests are returned due to endpoint shutdown, they don't retain stale DMA mappings. The 'false' parameter to sglist_do_debounce() prevents copying data back (appropriate for shutdown path where transfer was aborted). Signed-off-by: Mario Peter <mario.peter@leica-geosystems.com> Reviewed-by: Xu Yang <xu.yang_2@nxp.com> Acked-by: Peter Chen <peter.chen@kernel.org> Link: https://patch.msgid.link/20260108165902.795354-1-mario.peter@leica-geosystems.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|---|---|---|
| .. | ||
| bits.h | ||
| ci.h | ||
| ci_hdrc_imx.c | ||
| ci_hdrc_imx.h | ||
| ci_hdrc_msm.c | ||
| ci_hdrc_npcm.c | ||
| ci_hdrc_pci.c | ||
| ci_hdrc_tegra.c | ||
| ci_hdrc_usb2.c | ||
| core.c | ||
| debug.c | ||
| host.c | ||
| host.h | ||
| Kconfig | ||
| Makefile | ||
| otg.c | ||
| otg.h | ||
| otg_fsm.c | ||
| otg_fsm.h | ||
| trace.c | ||
| trace.h | ||
| udc.c | ||
| udc.h | ||
| ulpi.c | ||
| usbmisc_imx.c | ||