Date: Tue, 31 Mar 2026 01:06:54 +0200
From: Michal Pecio
To: Mathias Nyman, Greg Kroah-Hartman
Cc: Alan Stern, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] usb: xhci: Make usb_host_endpoint.hcpriv survive endpoint_disable()
Message-ID: <20260331010654.269ac270.michal.pecio@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Transfer-Encoding: quoted-printable

xHCI hardware maintains its endpoint state between add_endpoint()
and drop_endpoint() calls followed by successful check_bandwidth().
So does the driver.

Core may call endpoint_disable() during xHCI endpoint life, so don't
clear host_ep->hcpriv then, because this breaks endpoint_reset().

If a driver calls usb_set_interface(), submits URBs which make host
sequence state non-zero and calls usb_clear_halt(), the device clears
its sequence state but xhci_endpoint_reset() bails out. The next URB
malfunctions: USB2 loses one packet, USB3 gets Transaction Error or
may not complete at all on some (buggy?) HCs from ASMedia and AMD.
This is triggered by uvcvideo on bulk video devices.

The code was copied from ehci_endpoint_disable() but it isn't needed
here - hcpriv should only be NULL on emulated root hub endpoints.
It might prevent resetting and inadvertently enabling a disabled and
dropped endpoint, but core shouldn't try to reset dropped endpoints.

Document xhci requirements regarding hcpriv. They are currently met.

Fixes: 18b74067ac78 ("xhci: Fix use-after-free regression in xhci clear hub TT implementation")
Cc: stable@vger.kernel.org
Signed-off-by: Michal Pecio
--- drivers/usb/host/xhci.c | 1 - include/linux/usb.h | 3 ++- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c index 2f7e6544e5ae..849a568d0e63 100644 --- a/drivers/usb/host/xhci.c +++ b/drivers/usb/host/xhci.c
@@ -3353,7 +3353,6 @@ static void xhci_endpoint_disable(struct usb_hcd *hcd, xhci_dbg(xhci, "endpoint disable with ep_state 0x%x\n", ep->ep_state); done: - host_ep->hcpriv =3D NULL; spin_unlock_irqrestore(&xhci->lock, flags); } =20 diff --git a/include/linux/usb.h b/include/linux/usb.h index 04277af4bb9d..27e95eade121 100644 --- a/include/linux/usb.h +++ b/include/linux/usb.h @@ -54,7 +54,8 @@ struct ep_device; * @eusb2_isoc_ep_comp: eUSB2 isoc companion descriptor for this endpoint * @urb_list: urbs queued to this endpoint; maintained by usbcore * @hcpriv: for use by HCD; typically holds hardware dma queue head (QH) - * with one or more transfer descriptors (TDs) per urb + * with one or more transfer descriptors (TDs) per urb; must be preserved + * by core while BW is allocated for the endpoint * @ep_dev: ep_device for sysfs info * @extra: descriptors following this endpoint in the configuration * @extralen: how many bytes of "extra" are valid --=20 2.48.1
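Review bot: The `done:` path of xhci_endpoint_disable() should carry a comment saying that host_ep->hcpriv is intentionally left set, because the changelog concedes that the removed assignment "might prevent resetting and inadvertently enabling a disabled and dropped endpoint" and that protection now rests entirely on core never resetting a dropped endpoint. Without a comment, the EHCI-style clear is likely to be copied back in by someone comparing the two drivers. The changelog should also say where hcpriv stops being valid once the endpoint has been dropped, since that path is not touched by this diff and a stale non-NULL pointer is exactly what the Fixes: commit's subject (a use-after-free regression) was about.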
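Review bot: In the @hcpriv kerneldoc for struct usb_host_endpoint, the added clause "must be preserved by core while BW is allocated for the endpoint" is stated as a rule for every HCD, while the changelog calls it an xhci requirement; the text should say which is meant. It also binds only "core", yet the assignment this patch removes was in the HCD's own endpoint_disable(), so the wording does not cover the bug being fixed. Suggest spelling out "bandwidth" and naming the window the changelog describes, for example that the field must not be cleared or overwritten between add_endpoint() and the drop_endpoint() followed by a successful check_bandwidth().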