In the Linux kernel, the following vulnerability has been resolved:
usb: chipidea: udc: fix DMA and SG cleanup in epnuke()
The ChipIdea UDC driver can encounter "not page aligned sg buffer" errors when a USB device is reconnected after being disconnected during an active transfer. This occurs because epnuke() returns requests to the gadget layer without properly unmapping DMA buffers or cleaning up scatter-gather bounce buffers.
Root cause: When a disconnect happens during a multi-segment DMA transfer, the request's nummappedsgs field and sgt.sgl pointer remain set with stale values. The request is returned to the gadget driver with status -ESHUTDOWN but still has active DMA state. If the gadget driver reuses this request on reconnect without reinitializing it, the stale DMA state causes hardwareenqueue() to skip DMA mapping (seeing non-zero nummappedsgs) and attempt to use freed/invalid DMA addresses, leading to alignment errors and potential memory corruption.
The normal completion path via hardwaredequeue() properly calls usbgadgetunmaprequestbydev() and sglistdo_debounce() before returning the request. The epnuke() path must do the same cleanup to ensure requests are returned in a clean, reusable state.
Fix: Add DMA unmapping and bounce buffer cleanup to epnuke() to mirror the cleanup sequence in hardwaredequeue(): - Call usbgadgetunmaprequestbydev() if nummappedsgs is set - Call sglistdo_debounce() with copy=false if bounce buffer exists
This ensures that when requests are returned due to endpoint shutdown, they don't retain stale DMA mappings. The 'false' parameter to sglistdodebounce() prevents copying data back (appropriate for shutdown path where transfer was aborted).
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43250.json",
"cna_assigner": "Linux"
}