On 1/22/26 6:27 AM, ANANDHAKRISHNAN S wrote:
When aborting a Transfer Descriptor (TD), the xHCI driver updates the
device dequeue pointer by converting the virtual enqueue TRB pointer
into a DMA address.
Previously, the code OR-ed the ring's Dequeue Cycle State (DCS) bit into
the virtual TRB pointer before passing it to xhci_trb_virt_to_dma().
This produced an unaligned virtual address (e.g. ending in 0x...1).
Inside xhci_trb_virt_to_dma(), the offset calculation:
segment_offset = trb - seg->trbs;
operated on this unaligned pointer, resulting in an incorrect TRB index.
In wraparound cases, this caused the bounds check to fail and the
function to return 0.
As a result, a SET_DEQ_PTR command was issued with a DMA address of 0x0,
leading to controller hangs and transfer timeouts, most commonly when
aborting TDs near the end of a ring segment (e.g. index 63).
Fix this by translating the aligned virtual TRB pointer to a DMA address
first, and only then applying the DCS bit to the resulting physical
address.
Signed-off-by: ANANDHAKRISHNAN S <[email protected]>
---
Changes in v4:
- Moved the changelog below the '---' marker to prevent it from
being included in the permanent git history.
Please keep the RB tag next time.
Reviewed-by: Marek Vasut <[email protected]>
Applied, thanks.
