This is an automated email from the ASF dual-hosted git repository.

xiaoxiang781216 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/nuttx.git

commit cc77be145a9a5aa6ffc617bef591d014595347bd
Author: Ricard Rosson <[email protected]>
AuthorDate: Wed Jul 8 22:04:35 2026 +0100

    arch/rp2040: clamp bulk OUT read length to the endpoint max packet size
    
    rp2040_epread() armed the DPSRAM buffer-control register with the full
    usbdev request length.  That length is only correct for requests no
    larger than the buffer-control LEN field, which is 10 bits wide (max
    1023 bytes).  Class drivers that post larger read requests -- e.g.
    cdcncm allocates a 16 KiB NTB read buffer -- overflow LEN: 16384 & 0x3ff
    is 0, and the high bits corrupt the neighbouring control flags.  The
    controller then sees a zero-length available buffer and completes the
    transfer immediately with zero bytes, over and over, so no OUT data is
    ever received (cdcncm floods "Wrong NTH SIGN, skblen 0").
    
    The receive path already accumulates a request across multiple packets:
    rp2040_rxcomplete() copies each packet, advances xfrd and re-arms via
    rp2040_rdrequest() until the request is satisfied or a short packet
    arrives.  So the buffer only ever needs to be armed for a single
    maximum-size packet.  Clamp nbytes accordingly.  This matches the
    transmit path, which already chunks to ep.maxpacket in rp2040_wrrequest.
    
    Bulk classes with small reads (cdcacm, usbmsc) were unaffected because
    their request lengths already fit in LEN, which is why the defect only
    showed up on cdcncm.
    
    Validated on raspberrypi-pico (RP2040): a CONFIG_NET_CDCNCM device that
    previously received nothing now passes traffic in both directions with
    0% packet loss.
    
    Co-Authored-By: Claude Fable 5 <[email protected]>
    Claude-Session: https://claude.ai/code/session_01AHJRvWeBMTHwzpwjaUg4HW
    Signed-off-by: Ricard Rosson <[email protected]>
---
 arch/arm/src/rp2040/rp2040_usbdev.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/arch/arm/src/rp2040/rp2040_usbdev.c 
b/arch/arm/src/rp2040/rp2040_usbdev.c
index 4211f789531..3be598b60a7 100644
--- a/arch/arm/src/rp2040/rp2040_usbdev.c
+++ b/arch/arm/src/rp2040/rp2040_usbdev.c
@@ -536,6 +536,20 @@ static int rp2040_epread(struct rp2040_ep_s *privep, 
uint16_t nbytes)
   uint32_t val;
   irqstate_t flags;
 
+  /* The hardware receives a single USB packet into the buffer, and the
+   * buffer-control LEN field is only 10 bits wide.  Arm the buffer for at
+   * most one maximum-size packet; rp2040_rxcomplete accumulates the request
+   * across multiple packets and re-arms until it is satisfied or a short
+   * packet arrives.  Passing the full (possibly multi-kByte) request length
+   * would overflow LEN and corrupt the neighbouring control bits, making the
+   * transfer complete immediately with zero bytes.
+   */
+
+  if (nbytes > privep->ep.maxpacket)
+    {
+      nbytes = privep->ep.maxpacket;
+    }
+
   val = nbytes |
         RP2040_USBCTRL_DPSRAM_EP_BUFF_CTRL_AVAIL |
         (privep->next_pid ?

Reply via email to