{"id":"CVE-2026-43250","summary":"usb: chipidea: udc: fix DMA and SG cleanup in _ep_nuke()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: chipidea: udc: fix DMA and SG cleanup in _ep_nuke()\n\nThe ChipIdea UDC driver can encounter \"not page aligned sg buffer\"\nerrors when a USB device is reconnected after being disconnected\nduring an active transfer. This occurs because _ep_nuke() returns\nrequests to the gadget layer without properly unmapping DMA buffers\nor cleaning up scatter-gather bounce buffers.\n\nRoot cause:\nWhen a disconnect happens during a multi-segment DMA transfer, the\nrequest's num_mapped_sgs field and sgt.sgl pointer remain set with\nstale values. The request is returned to the gadget driver with status\n-ESHUTDOWN but still has active DMA state. If the gadget driver reuses\nthis request on reconnect without reinitializing it, the stale DMA\nstate causes _hardware_enqueue() to skip DMA mapping (seeing non-zero\nnum_mapped_sgs) and attempt to use freed/invalid DMA addresses,\nleading to alignment errors and potential memory corruption.\n\nThe normal completion path via _hardware_dequeue() properly calls\nusb_gadget_unmap_request_by_dev() and sglist_do_debounce() before\nreturning the request. The _ep_nuke() path must do the same cleanup\nto ensure requests are returned in a clean, reusable state.\n\nFix:\nAdd DMA unmapping and bounce buffer cleanup to _ep_nuke() to mirror\nthe cleanup sequence in _hardware_dequeue():\n- Call usb_gadget_unmap_request_by_dev() if num_mapped_sgs is set\n- Call sglist_do_debounce() with copy=false if bounce buffer exists\n\nThis ensures that when requests are returned due to endpoint shutdown,\nthey don't retain stale DMA mappings. The 'false' parameter to\nsglist_do_debounce() prevents copying data back (appropriate for\nshutdown path where transfer was aborted).","modified":"2026-06-18T03:56:13.791130709Z","published":"2026-05-06T11:28:41.158Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43250.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/1b72b834511d17f4d069d512f78671f3f210a2f1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/cea2a1257a3b5ea3e769a445b34af13e6aa5a123"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e74c436f8568af1c60942469d0a2300b3ada3857"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f4fbf2d4750d12ac8525d2efac1016fa0d84d4ec"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43250.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43250"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"aa69a8093ff985873cb44fe1157bd6db29a20fe4"},{"fixed":"1b72b834511d17f4d069d512f78671f3f210a2f1"},{"fixed":"f4fbf2d4750d12ac8525d2efac1016fa0d84d4ec"},{"fixed":"e74c436f8568af1c60942469d0a2300b3ada3857"},{"fixed":"cea2a1257a3b5ea3e769a445b34af13e6aa5a123"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43250.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.6.29"},{"fixed":"6.12.75"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.16"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"6.19.6"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-43250.json"}}],"schema_version":"1.7.5"}