tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

usb: core: hcd: fix accessing unmapped memory in SINGLE_STEP_SET_FEATURE test

The USB core will unmap urb->transfer_dma after SETUP stage completes.
Then the USB controller will access unmapped memory when it received
device descriptor. If iommu is equipped, the entire test can't be
completed due to the memory accessing is blocked.

Fix it by calling map_urb_for_dma() again for IN stage. To reduce
redundant map for urb->transfer_buffer, this will also set
URB_NO_TRANSFER_DMA_MAP flag before first map_urb_for_dma() to skip
dma map for urb->transfer_buffer and clear URB_NO_TRANSFER_DMA_MAP
flag before second map_urb_for_dma().

Fixes: 216e0e563d81 ("usb: core: hcd: use map_urb_for_dma for single step set feature urb")
Cc: stable <stable@kernel.org>
Reviewed-by: Jun Li <jun.li@nxp.com>
Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/20250806083955.3325299-1-xu.yang_2@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by

Xu Yang and committed by
Greg Kroah-Hartman 8fe06185 f9420f47

+7 -1
+7 -1
drivers/usb/core/hcd.c
··· 2166 2166 urb->complete = usb_ehset_completion; 2167 2167 urb->status = -EINPROGRESS; 2168 2168 urb->actual_length = 0; 2169 - urb->transfer_flags = URB_DIR_IN; 2169 + urb->transfer_flags = URB_DIR_IN | URB_NO_TRANSFER_DMA_MAP; 2170 2170 usb_get_urb(urb); 2171 2171 atomic_inc(&urb->use_count); 2172 2172 atomic_inc(&urb->dev->urbnum); ··· 2230 2230 2231 2231 /* Complete remaining DATA and STATUS stages using the same URB */ 2232 2232 urb->status = -EINPROGRESS; 2233 + urb->transfer_flags &= ~URB_NO_TRANSFER_DMA_MAP; 2233 2234 usb_get_urb(urb); 2234 2235 atomic_inc(&urb->use_count); 2235 2236 atomic_inc(&urb->dev->urbnum); 2237 + if (map_urb_for_dma(hcd, urb, GFP_KERNEL)) { 2238 + usb_put_urb(urb); 2239 + goto out1; 2240 + } 2241 + 2236 2242 retval = hcd->driver->submit_single_step_set_feature(hcd, urb, 0); 2237 2243 if (!retval && !wait_for_completion_timeout(&done, 2238 2244 msecs_to_jiffies(2000))) {