CVE-2026-43250

Summary

In the Linux kernel, the following vulnerability has been resolved:

usb: chipidea: udc: fix DMA and SG cleanup in _ep_nuke()

The ChipIdea UDC driver can encounter "not page aligned sg buffer" errors when a USB device is reconnected after being disconnected during an active transfer. This occurs because _ep_nuke() returns requests to the gadget layer without properly unmapping DMA buffers or cleaning up scatter-gather bounce buffers.

Root cause: When a disconnect happens during a multi-segment DMA transfer, the request's num_mapped_sgs field and sgt.sgl pointer remain set with stale values. The request is returned to the gadget driver with status -ESHUTDOWN but still has active DMA state. If the gadget driver reuses this request on reconnect without reinitializing it, the stale DMA state causes _hardware_enqueue() to skip DMA mapping (seeing non-zero num_mapped_sgs) and attempt to use freed/invalid DMA addresses, leading to alignment errors and potential memory corruption.

The normal completion path via _hardware_dequeue() properly calls usb_gadget_unmap_request_by_dev() and sglist_do_debounce() before returning the request. The _ep_nuke() path must do the same cleanup to ensure requests are returned in a clean, reusable state.

Fix: Add DMA unmapping and bounce buffer cleanup to _ep_nuke() to mirror the cleanup sequence in _hardware_dequeue():

  • Call usb_gadget_unmap_request_by_dev() if num_mapped_sgs is set
  • Call sglist_do_debounce() with copy=false if bounce buffer exists

This ensures that when requests are returned due to endpoint shutdown, they don't retain stale DMA mappings. The 'false' parameter to sglist_do_debounce() prevents copying data back (appropriate for shutdown path where transfer was aborted).

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxaa69a8093ff985873cb44fe1157bd6db29a20fe4 < 1b72b834511d17f4d069d512f78671f3f210a2f1affected
LinuxLinuxaa69a8093ff985873cb44fe1157bd6db29a20fe4 < f4fbf2d4750d12ac8525d2efac1016fa0d84d4ecaffected
LinuxLinuxaa69a8093ff985873cb44fe1157bd6db29a20fe4 < e74c436f8568af1c60942469d0a2300b3ada3857affected
LinuxLinuxaa69a8093ff985873cb44fe1157bd6db29a20fe4 < cea2a1257a3b5ea3e769a445b34af13e6aa5a123affected
LinuxLinux2.6.29affected
LinuxLinux0 < 2.6.29unaffected
LinuxLinux6.12.75 <= 6.12.*unaffected
LinuxLinux6.18.16 <= 6.18.*unaffected
LinuxLinux6.19.6 <= 6.19.*unaffected
LinuxLinux7.0 <= *unaffected

Weaknesses

References