CVE-2026-43250

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: chipidea: udc: fix DMA and SG cleanup in _ep_nuke()<br /> <br /> The ChipIdea UDC driver can encounter "not page aligned sg buffer"<br /> errors when a USB device is reconnected after being disconnected<br /> during an active transfer. This occurs because _ep_nuke() returns<br /> requests to the gadget layer without properly unmapping DMA buffers<br /> or cleaning up scatter-gather bounce buffers.<br /> <br /> Root cause:<br /> When a disconnect happens during a multi-segment DMA transfer, the<br /> request&amp;#39;s num_mapped_sgs field and sgt.sgl pointer remain set with<br /> stale values. The request is returned to the gadget driver with status<br /> -ESHUTDOWN but still has active DMA state. If the gadget driver reuses<br /> this request on reconnect without reinitializing it, the stale DMA<br /> state causes _hardware_enqueue() to skip DMA mapping (seeing non-zero<br /> num_mapped_sgs) and attempt to use freed/invalid DMA addresses,<br /> leading to alignment errors and potential memory corruption.<br /> <br /> The normal completion path via _hardware_dequeue() properly calls<br /> usb_gadget_unmap_request_by_dev() and sglist_do_debounce() before<br /> returning the request. The _ep_nuke() path must do the same cleanup<br /> to ensure requests are returned in a clean, reusable state.<br /> <br /> Fix:<br /> Add DMA unmapping and bounce buffer cleanup to _ep_nuke() to mirror<br /> the cleanup sequence in _hardware_dequeue():<br /> - Call usb_gadget_unmap_request_by_dev() if num_mapped_sgs is set<br /> - Call sglist_do_debounce() with copy=false if bounce buffer exists<br /> <br /> This ensures that when requests are returned due to endpoint shutdown,<br /> they don&amp;#39;t retain stale DMA mappings. The &amp;#39;false&amp;#39; parameter to<br /> sglist_do_debounce() prevents copying data back (appropriate for<br /> shutdown path where transfer was aborted).