[3.16.y-ckt stable] Patch "xhci: fix reporting of 0-sized URBs in control endpoint" has been added to staging queue

Luis Henriques luis.henriques at canonical.com
Thu Mar 19 10:13:29 UTC 2015

This is a note to let you know that I have just added a patch titled

    xhci: fix reporting of 0-sized URBs in control endpoint

to the linux-3.16.y-queue branch of the 3.16.y-ckt extended stable tree 
which can be found at:


This patch is scheduled to be released in version 3.16.7-ckt9.

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.16.y-ckt tree, see



>From 34a58e7e658995941e9810850c0bb01a3d6e0ce6 Mon Sep 17 00:00:00 2001
From: Aleksander Morgado <aleksander at aleksander.es>
Date: Fri, 6 Mar 2015 17:14:21 +0200
Subject: xhci: fix reporting of 0-sized URBs in control endpoint

commit 45ba2154d12fc43b70312198ec47085f10be801a upstream.

When a control transfer has a short data stage, the xHCI controller generates
two transfer events: a COMP_SHORT_TX event that specifies the untransferred
amount, and a COMP_SUCCESS event. But when the data stage is not short, only the
COMP_SUCCESS event occurs. Therefore, xhci-hcd must set urb->actual_length to
urb->transfer_buffer_length while processing the COMP_SUCCESS event, unless
urb->actual_length was set already by a previous COMP_SHORT_TX event.

The driver checks this by seeing whether urb->actual_length == 0, but this alone
is the wrong test, as it is entirely possible for a short transfer to have an
urb->actual_length = 0.

This patch changes the xhci driver to rely on a new td->urb_length_set flag,
which is set to true when a COMP_SHORT_TX event is received and the URB length
updated at that stage.

This fixes a bug which affected the HSO plugin, which relies on URBs with
urb->actual_length == 0 to halt re-submitting the RX URB in the control

Signed-off-by: Aleksander Morgado <aleksander at aleksander.es>
Signed-off-by: Mathias Nyman <mathias.nyman at linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
 drivers/usb/host/xhci-ring.c | 10 ++++++++--
 drivers/usb/host/xhci.h      |  3 +++
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c
index 17df04a2d18b..5e4e1d1d7de7 100644
--- a/drivers/usb/host/xhci-ring.c
+++ b/drivers/usb/host/xhci-ring.c
@@ -1981,7 +1981,7 @@ static int process_ctrl_td(struct xhci_hcd *xhci, struct xhci_td *td,
 	if (event_trb != ep_ring->dequeue) {
 		/* The event was for the status stage */
 		if (event_trb == td->last_trb) {
-			if (td->urb->actual_length != 0) {
+			if (td->urb_length_set) {
 				/* Don't overwrite a previously set error code
 				if ((*status == -EINPROGRESS || *status == 0) &&
@@ -1995,7 +1995,13 @@ static int process_ctrl_td(struct xhci_hcd *xhci, struct xhci_td *td,
 		} else {
-		/* Maybe the event was for the data stage? */
+			/*
+			 * Maybe the event was for the data stage? If so, update
+			 * already the actual_length of the URB and flag it as
+			 * set, so that it is not overwritten in the event for
+			 * the last TRB.
+			 */
+			td->urb_length_set = true;
 			td->urb->actual_length =
 				td->urb->transfer_buffer_length -
diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h
index c57261affada..5b6a8ddda5cb 100644
--- a/drivers/usb/host/xhci.h
+++ b/drivers/usb/host/xhci.h
@@ -1,3 +1,4 @@
  * xHCI host controller driver
@@ -1289,6 +1290,8 @@ struct xhci_td {
 	struct xhci_segment	*start_seg;
 	union xhci_trb		*first_trb;
 	union xhci_trb		*last_trb;
+	/* actual_length of the URB has already been set */
+	bool			urb_length_set;

 /* xHCI command default timeout value */

More information about the kernel-team mailing list