[Bug 2153966] [NEW] usb: xhci: Make usb_host_endpoint.hcpriv survive endpoint_disable()

Public bug reported: SRU Justification: [ Impact ] xhci_endpoint_disable() clears host_ep->hcpriv = NULL, which breaks xhci_endpoint_reset(). When a USB driver (e.g. uvcvideo) calls usb_set_interface(), submits URBs that make host sequence state non-zero, then calls usb_clear_halt(), the device clears its sequence state but xhci_endpoint_reset() bails out because hcpriv is NULL. The next URB malfunctions: USB2 loses one packet, USB3 gets Transaction Error or may not complete at all on some host controllers from ASMedia and AMD. This is triggered by uvcvideo on bulk video devices. [ Fix ] Cherry-pick upstream mainline commit: - 25e531b422dc ("usb: xhci: Make usb_host_endpoint.hcpriv survive endpoint_disable()") Fixes: 18b74067ac78 ("xhci: Fix use-after-free regression in xhci clear hub TT implementation") Cc: stable@vger.kernel.org [ Test Plan ] 1. System with USB3 bulk video device (e.g. USB webcam using uvcvideo) 2. Use the camera with an application (e.g. cheese, guvcview) 3. Trigger usb_set_interface + usb_clear_halt sequence 4. Verify no Transaction Errors or packet loss in dmesg 5. Verify endpoint_reset works correctly after endpoint_disable [ Where problems could occur ] The fix removes one line (host_ep->hcpriv = NULL) from xhci_endpoint_disable(). Risk is very low — the commit message explains hcpriv should only be NULL on emulated root hub endpoints, and core should not try to reset dropped endpoints. ** Affects: linux (Ubuntu) Importance: Undecided Status: New ** Affects: linux-oem-6.17 (Ubuntu) Importance: Undecided Status: New ** Affects: linux (Ubuntu Noble) Importance: Undecided Status: New ** Affects: linux-oem-6.17 (Ubuntu Noble) Importance: Undecided Status: New ** Affects: linux (Ubuntu Questing) Importance: Undecided Status: New ** Affects: linux-oem-6.17 (Ubuntu Questing) Importance: Undecided Status: New ** Affects: linux (Ubuntu Resolute) Importance: Undecided Status: New ** Affects: linux-oem-6.17 (Ubuntu Resolute) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Noble) Importance: Undecided Status: New ** Also affects: linux-oem-6.17 (Ubuntu Noble) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Questing) Importance: Undecided Status: New ** Also affects: linux-oem-6.17 (Ubuntu Questing) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Resolute) Importance: Undecided Status: New ** Also affects: linux-oem-6.17 (Ubuntu Resolute) Importance: Undecided Status: New -- You received this bug notification because you are subscribed to linux in Ubuntu. Matching subscriptions: Bgg, Bmail, Nb https://bugs.launchpad.net/bugs/2153966 Title: usb: xhci: Make usb_host_endpoint.hcpriv survive endpoint_disable() Status in linux package in Ubuntu: New Status in linux-oem-6.17 package in Ubuntu: New Status in linux source package in Noble: New Status in linux-oem-6.17 source package in Noble: New Status in linux source package in Questing: New Status in linux-oem-6.17 source package in Questing: New Status in linux source package in Resolute: New Status in linux-oem-6.17 source package in Resolute: New Bug description: SRU Justification: [ Impact ] xhci_endpoint_disable() clears host_ep->hcpriv = NULL, which breaks xhci_endpoint_reset(). When a USB driver (e.g. uvcvideo) calls usb_set_interface(), submits URBs that make host sequence state non-zero, then calls usb_clear_halt(), the device clears its sequence state but xhci_endpoint_reset() bails out because hcpriv is NULL. The next URB malfunctions: USB2 loses one packet, USB3 gets Transaction Error or may not complete at all on some host controllers from ASMedia and AMD. This is triggered by uvcvideo on bulk video devices. [ Fix ] Cherry-pick upstream mainline commit: - 25e531b422dc ("usb: xhci: Make usb_host_endpoint.hcpriv survive endpoint_disable()") Fixes: 18b74067ac78 ("xhci: Fix use-after-free regression in xhci clear hub TT implementation") Cc: stable@vger.kernel.org [ Test Plan ] 1. System with USB3 bulk video device (e.g. USB webcam using uvcvideo) 2. Use the camera with an application (e.g. cheese, guvcview) 3. Trigger usb_set_interface + usb_clear_halt sequence 4. Verify no Transaction Errors or packet loss in dmesg 5. Verify endpoint_reset works correctly after endpoint_disable [ Where problems could occur ] The fix removes one line (host_ep->hcpriv = NULL) from xhci_endpoint_disable(). Risk is very low — the commit message explains hcpriv should only be NULL on emulated root hub endpoints, and core should not try to reset dropped endpoints. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2153966/+subscriptions