Linux ChipIdea UDC Driver DMA/SG cleanup bug
CVE-2026-43250 Published on May 6, 2026
usb: chipidea: udc: fix DMA and SG cleanup in _ep_nuke()
In the Linux kernel, the following vulnerability has been resolved:
usb: chipidea: udc: fix DMA and SG cleanup in _ep_nuke()
The ChipIdea UDC driver can encounter "not page aligned sg buffer"
errors when a USB device is reconnected after being disconnected
during an active transfer. This occurs because _ep_nuke() returns
requests to the gadget layer without properly unmapping DMA buffers
or cleaning up scatter-gather bounce buffers.
Root cause:
When a disconnect happens during a multi-segment DMA transfer, the
request's num_mapped_sgs field and sgt.sgl pointer remain set with
stale values. The request is returned to the gadget driver with status
-ESHUTDOWN but still has active DMA state. If the gadget driver reuses
this request on reconnect without reinitializing it, the stale DMA
state causes _hardware_enqueue() to skip DMA mapping (seeing non-zero
num_mapped_sgs) and attempt to use freed/invalid DMA addresses,
leading to alignment errors and potential memory corruption.
The normal completion path via _hardware_dequeue() properly calls
usb_gadget_unmap_request_by_dev() and sglist_do_debounce() before
returning the request. The _ep_nuke() path must do the same cleanup
to ensure requests are returned in a clean, reusable state.
Fix:
Add DMA unmapping and bounce buffer cleanup to _ep_nuke() to mirror
the cleanup sequence in _hardware_dequeue():
- Call usb_gadget_unmap_request_by_dev() if num_mapped_sgs is set
- Call sglist_do_debounce() with copy=false if bounce buffer exists
This ensures that when requests are returned due to endpoint shutdown,
they don't retain stale DMA mappings. The 'false' parameter to
sglist_do_debounce() prevents copying data back (appropriate for
shutdown path where transfer was aborted).
Products Associated with CVE-2026-43250
Want to know whenever a new CVE is published for Linux Kernel? stack.watch will email you.
Affected Versions
Linux:- Version aa69a8093ff985873cb44fe1157bd6db29a20fe4 and below 1b72b834511d17f4d069d512f78671f3f210a2f1 is affected.
- Version aa69a8093ff985873cb44fe1157bd6db29a20fe4 and below f4fbf2d4750d12ac8525d2efac1016fa0d84d4ec is affected.
- Version aa69a8093ff985873cb44fe1157bd6db29a20fe4 and below e74c436f8568af1c60942469d0a2300b3ada3857 is affected.
- Version aa69a8093ff985873cb44fe1157bd6db29a20fe4 and below cea2a1257a3b5ea3e769a445b34af13e6aa5a123 is affected.
- Version 2.6.29 is affected.
- Before 2.6.29 is unaffected.
- Version 6.12.75, <= 6.12.* is unaffected.
- Version 6.18.16, <= 6.18.* is unaffected.
- Version 6.19.6, <= 6.19.* is unaffected.
- Version 7.0, <= * is unaffected.