This is an automated email from the ASF dual-hosted git repository. xiaoxiang781216 pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/nuttx.git
commit cc77be145a9a5aa6ffc617bef591d014595347bd Author: Ricard Rosson <[email protected]> AuthorDate: Wed Jul 8 22:04:35 2026 +0100 arch/rp2040: clamp bulk OUT read length to the endpoint max packet size rp2040_epread() armed the DPSRAM buffer-control register with the full usbdev request length. That length is only correct for requests no larger than the buffer-control LEN field, which is 10 bits wide (max 1023 bytes). Class drivers that post larger read requests -- e.g. cdcncm allocates a 16 KiB NTB read buffer -- overflow LEN: 16384 & 0x3ff is 0, and the high bits corrupt the neighbouring control flags. The controller then sees a zero-length available buffer and completes the transfer immediately with zero bytes, over and over, so no OUT data is ever received (cdcncm floods "Wrong NTH SIGN, skblen 0"). The receive path already accumulates a request across multiple packets: rp2040_rxcomplete() copies each packet, advances xfrd and re-arms via rp2040_rdrequest() until the request is satisfied or a short packet arrives. So the buffer only ever needs to be armed for a single maximum-size packet. Clamp nbytes accordingly. This matches the transmit path, which already chunks to ep.maxpacket in rp2040_wrrequest. Bulk classes with small reads (cdcacm, usbmsc) were unaffected because their request lengths already fit in LEN, which is why the defect only showed up on cdcncm. Validated on raspberrypi-pico (RP2040): a CONFIG_NET_CDCNCM device that previously received nothing now passes traffic in both directions with 0% packet loss. Co-Authored-By: Claude Fable 5 <[email protected]> Claude-Session: https://claude.ai/code/session_01AHJRvWeBMTHwzpwjaUg4HW Signed-off-by: Ricard Rosson <[email protected]> --- arch/arm/src/rp2040/rp2040_usbdev.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/arch/arm/src/rp2040/rp2040_usbdev.c b/arch/arm/src/rp2040/rp2040_usbdev.c index 4211f789531..3be598b60a7 100644 --- a/arch/arm/src/rp2040/rp2040_usbdev.c +++ b/arch/arm/src/rp2040/rp2040_usbdev.c @@ -536,6 +536,20 @@ static int rp2040_epread(struct rp2040_ep_s *privep, uint16_t nbytes) uint32_t val; irqstate_t flags; + /* The hardware receives a single USB packet into the buffer, and the + * buffer-control LEN field is only 10 bits wide. Arm the buffer for at + * most one maximum-size packet; rp2040_rxcomplete accumulates the request + * across multiple packets and re-arms until it is satisfied or a short + * packet arrives. Passing the full (possibly multi-kByte) request length + * would overflow LEN and corrupt the neighbouring control bits, making the + * transfer complete immediately with zero bytes. + */ + + if (nbytes > privep->ep.maxpacket) + { + nbytes = privep->ep.maxpacket; + } + val = nbytes | RP2040_USBCTRL_DPSRAM_EP_BUFF_CTRL_AVAIL | (privep->next_pid ?
