When aborting a Transfer Descriptor (TD), the xHCI driver updates the device dequeue pointer by converting the virtual enqueue TRB pointer into a DMA address.
Previously, the code OR-ed the ring's Dequeue Cycle State (DCS) bit into the virtual TRB pointer before passing it to xhci_trb_virt_to_dma(). This produced an unaligned virtual address (e.g. ending in 0x...1). Inside xhci_trb_virt_to_dma(), the offset calculation: segment_offset = trb - seg->trbs; operated on this unaligned pointer, resulting in an incorrect TRB index. In wraparound cases, this caused the bounds check to fail and the function to return 0. As a result, a SET_DEQ_PTR command was issued with a DMA address of 0x0, leading to controller hangs and transfer timeouts, most commonly when aborting TDs near the end of a ring segment (e.g. index 63). Fix this by translating the aligned virtual TRB pointer to a DMA address first, and only then applying the DCS bit to the resulting physical address. Signed-off-by: ANANDHAKRISHNAN S <[email protected]> --- drivers/usb/host/xhci-ring.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c index 34eb4536f0e..9e0ff71710a 100644 --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c @@ -582,9 +582,11 @@ static void abort_td(struct usb_device *udev, int ep_index) TRB_TO_SLOT_ID(le32_to_cpu(event->event_cmd.flags)) != udev->slot_id || (comp != COMP_SUCCESS && comp != COMP_CTX_STATE)); xhci_acknowledge_event(ctrl); - - addr = xhci_trb_virt_to_dma(ring->enq_seg, - (void *)((uintptr_t)ring->enqueue | ring->cycle_state)); + addr = xhci_trb_virt_to_dma(ring->enq_seg, ring->enqueue); + if (ring->cycle_state) + addr |= 0x1ULL; + else + addr &= ~0x1ULL; xhci_queue_command(ctrl, addr, udev->slot_id, ep_index, TRB_SET_DEQ); event = xhci_wait_for_event(ctrl, TRB_COMPLETION); if (!event) -- 2.25.1
