[PATCH 25/25] usb: xhci: Make usb_host_endpoint.hcpriv survive endpoint_disable()

public inbox for linux-usb@vger.kernel.org
 help / color / mirror / Atom feed

From: Mathias Nyman <mathias.nyman@linux.intel.com>
To: <gregkh@linuxfoundation.org>
Cc: <linux-usb@vger.kernel.org>,
	Michal Pecio <michal.pecio@gmail.com>,
	stable@vger.kernel.org,
	Mathias Nyman <mathias.nyman@linux.intel.com>
Subject: [PATCH 25/25] usb: xhci: Make usb_host_endpoint.hcpriv survive endpoint_disable()
Date: Thu,  2 Apr 2026 16:13:42 +0300	[thread overview]
Message-ID: <20260402131342.2628648-26-mathias.nyman@linux.intel.com> (raw)
In-Reply-To: <20260402131342.2628648-1-mathias.nyman@linux.intel.com>

From: Michal Pecio <michal.pecio@gmail.com>

xHCI hardware maintains its endpoint state between add_endpoint()
and drop_endpoint() calls followed by successful check_bandwidth().
So does the driver.

Core may call endpoint_disable() during xHCI endpoint life, so don't
clear host_ep->hcpriv then, because this breaks endpoint_reset().

If a driver calls usb_set_interface(), submits URBs which make host
sequence state non-zero and calls usb_clear_halt(), the device clears
its sequence state but xhci_endpoint_reset() bails out. The next URB
malfunctions: USB2 loses one packet, USB3 gets Transaction Error or
may not complete at all on some (buggy?) HCs from ASMedia and AMD.
This is triggered by uvcvideo on bulk video devices.

The code was copied from ehci_endpoint_disable() but it isn't needed
here - hcpriv should only be NULL on emulated root hub endpoints.
It might prevent resetting and inadvertently enabling a disabled and
dropped endpoint, but core shouldn't try to reset dropped endpoints.

Document xhci requirements regarding hcpriv. They are currently met.

Fixes: 18b74067ac78 ("xhci: Fix use-after-free regression in xhci clear hub TT implementation")
Cc: stable@vger.kernel.org
Signed-off-by: Michal Pecio <michal.pecio@gmail.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
---
 drivers/usb/host/xhci.c | 1 -
 include/linux/usb.h     | 3 ++-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
index 6d27c471d4da..a54f5b57f205 100644
--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -3292,7 +3292,6 @@ static void xhci_endpoint_disable(struct usb_hcd *hcd,
 		xhci_dbg(xhci, "endpoint disable with ep_state 0x%x\n",
 			 ep->ep_state);
 done:
-	host_ep->hcpriv = NULL;
 	spin_unlock_irqrestore(&xhci->lock, flags);
 }

diff --git a/include/linux/usb.h b/include/linux/usb.h
index 04277af4bb9d..27e95eade121 100644
--- a/include/linux/usb.h
+++ b/include/linux/usb.h
@@ -54,7 +54,8 @@ struct ep_device;
  * @eusb2_isoc_ep_comp: eUSB2 isoc companion descriptor for this endpoint
  * @urb_list: urbs queued to this endpoint; maintained by usbcore
  * @hcpriv: for use by HCD; typically holds hardware dma queue head (QH)
- *	with one or more transfer descriptors (TDs) per urb
+ *	with one or more transfer descriptors (TDs) per urb; must be preserved
+ *	by core while BW is allocated for the endpoint
  * @ep_dev: ep_device for sysfs info
  * @extra: descriptors following this endpoint in the configuration
  * @extralen: how many bytes of "extra" are valid
-- 
2.43.0

next prev parent reply	other threads:[~2026-04-02 13:17 UTC|newest]

Thread overview: 27+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-04-02 13:13 [PATCH 00/25] xhci features for usb-next Mathias Nyman
2026-04-02 13:13 ` [PATCH 01/25] xhci: use BIT macro Mathias Nyman
2026-04-02 13:13 ` [PATCH 02/25] usb: xhci: Simplify clearing the Event Interrupt bit Mathias Nyman
2026-04-02 13:13 ` [PATCH 03/25] usb: xhci: Fix debugfs bandwidth reporting Mathias Nyman
2026-04-02 13:13 ` [PATCH 04/25] usb: xhci: simplify CMRT initialization logic Mathias Nyman
2026-04-02 13:13 ` [PATCH 05/25] usb: xhci: relocate Restore/Controller error check Mathias Nyman
2026-04-02 13:13 ` [PATCH 06/25] usb: xhci: factor out roothub bandwidth cleanup Mathias Nyman
2026-04-02 13:13 ` [PATCH 07/25] usb: xhci: move reserving command ring trb Mathias Nyman
2026-04-02 13:13 ` [PATCH 08/25] usb: xhci: move ring initialization Mathias Nyman
2026-04-02 13:13 ` [PATCH 09/25] usb: xhci: move initialization for lifetime objects Mathias Nyman
2026-04-02 13:13 ` [PATCH 10/25] usb: xhci: split core allocation and initialization Mathias Nyman
2026-04-02 13:13 ` [PATCH 11/25] usb: xhci: improve debug messages during suspend Mathias Nyman
2026-04-02 13:13 ` [PATCH 12/25] usb: xhci: optimize resuming from S4 (suspend-to-disk) Mathias Nyman
2026-04-02 13:13 ` [PATCH 13/25] usb: xhci: stop treating 'wIndex' as a mutable port number Mathias Nyman
2026-04-02 13:13 ` [PATCH 14/25] usb: xhci: rename 'wIndex' parameters to 'portnum' Mathias Nyman
2026-04-02 13:13 ` [PATCH 15/25] usb: xhci: clean up handling of upper bits in SetPortFeature wIndex Mathias Nyman
2026-04-02 13:13 ` [PATCH 16/25] usb: xhci: clean up 'wValue' handling in xhci_hub_control() Mathias Nyman
2026-04-02 13:13 ` [PATCH 17/25] usb: xhci: separate use of USB Chapter 11 PLS macros from xHCI-specific PLS macros Mathias Nyman
2026-04-02 13:13 ` [PATCH 18/25] usb: xhci: add PORTPMSC variable to xhci_hub_control() Mathias Nyman
2026-04-02 13:13 ` [PATCH 19/25] usb: xhci: add PORTSC " Mathias Nyman
2026-04-02 13:13 ` [PATCH 20/25] usb: xhci: rename parameter to match argument 'portsc' Mathias Nyman
2026-04-02 13:13 ` [PATCH 21/25] usb: xhci: cleanup xhci_hub_report_usb3_link_state() Mathias Nyman
2026-04-02 13:13 ` [PATCH 22/25] usb: xhci: simpilfy resume root hub code Mathias Nyman
2026-04-02 13:13 ` [PATCH 23/25] usb: xhci: move roothub port limit validation Mathias Nyman
2026-04-02 13:13 ` [PATCH 24/25] usb: xhci: remove duplicate '0x' prefix Mathias Nyman
2026-04-02 13:13 ` Mathias Nyman [this message]
2026-04-11 14:41 ` Question on follow-up work for secondary interrupters raoxu

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:6d27c471d4d dfblob:a54f5b57f20 dfblob:04277af4bb9
dfblob:27e95eade12 )
 OR (
bs:"[PATCH 25/25] usb: xhci: Make usb_host_endpoint.hcpriv survive endpoint_disable()" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260402131342.2628648-26-mathias.nyman@linux.intel.com \
    --to=mathias.nyman@linux.intel.com \
    --cc=gregkh@linuxfoundation.org \
    --cc=linux-usb@vger.kernel.org \
    --cc=michal.pecio@gmail.com \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox