Re: [PATCH] usb: xhci: check Null pointer in segment alloc

From: 胡连勤

Date: Wed Apr 29 2026 - 22:19:18 EST


Hi all,

Another log entry for the anomaly shows that, while the host screen is on,
a reset operation is performed during the process of waking up the digital headset, resulting in a crash.

[309410.459322][ T336] vusb dbg: screen on
[309411.956190][T16132] usb 1-1: reset full-speed USB device number 2 using xhci-hcd
[309412.076514][T16132] usb 1-1: device descriptor read/64, error -71
[309412.294241][T16132] usb 1-1: device descriptor read/64, error -71
[309412.506346][T16132] usb 1-1: reset full-speed USB device number 2 using xhci-hcd
[309412.667884][T16132] Unable to handle kernel paging request at virtual address 00000000efc822e0
[...]
[309412.668337][T16132] pc : dma_pool_alloc+0x38/0x2a4
[309412.668339][T16132] lr : dma_pool_alloc+0x2c/0x2a4
[309412.668341][T16132] sp : ffffffc109e039d0
[309412.668342][T16132] x29: ffffffc109e039d0 x28: 0000000000001800 x27: 0000000000000001
[309412.668344][T16132] x26: ffffff891bc605c0 x25: ffffff8ae7be4b80 x24: 0000000000000002
[309412.668345][T16132] x23: 0000000000000040 x22: 00000000efc822e0 x21: ffffffc109e03a10
[309412.668347][T16132] x20: 0000000000000d00 x19: ffffff89825c2b80 x18: ffffffd9cbd2ca00
[309412.668348][T16132] x17: 00000000b77d0433 x16: fffffffee29d9490 x15: ffffff8001cf41d0
[309412.668350][T16132] x14: 0000000000000000 x13: 0000000000000200 x12: dead000000000100
[309412.668351][T16132] x11: 0000000065e0fc41 x10: 7485925f4d19edd1 x9 : 0000000000000000
[309412.668353][T16132] x8 : 0000000000000001 x7 : 0000000000000000 x6 : 000000000000003f
[309412.668354][T16132] x5 : 0000000000000040 x4 : 0000000000000040 x3 : 0000000080400040
[309412.668356][T16132] x2 : ffffffc109e03a10 x1 : 0000000000000000 x0 : 0000000000000000
[309412.668357][T16132] Call trace:
[309412.668358][T16132] dma_pool_alloc+0x38/0x2a4
[309412.668359][T16132] xhci_segment_alloc+0x9c/0x1c4
[309412.668361][T16132] xhci_alloc_segments_for_ring+0xbc/0x170
[309412.668362][T16132] xhci_ring_alloc+0xb4/0x1f0
[309412.668363][T16132] xhci_endpoint_init+0x3b0/0x4bc
[309412.668364][T16132] xhci_add_endpoint+0x1a4/0x29c
[309412.668365][T16132] usb_hcd_alloc_bandwidth+0x230/0x3d4
[309412.668366][T16132] usb_reset_and_verify_device+0x1e0/0x744
[309412.668368][T16132] usb_reset_device+0x154/0x23c
[309412.668370][T16132] __usb_queue_reset_device+0x3c/0x64
[309412.668371][T16132] process_scheduled_works+0x200/0x9d8
[309412.668372][T16132] worker_thread+0x154/0x3b4
[309412.668373][T16132] kthread+0x11c/0x1a0
[309412.668375][T16132] ret_from_fork+0x10/0x20
[309412.668378][T16132] Code: 942f5097 f9400e76 aa0003e9 b40002f6 (f94002c8)
[309412.668379][T16132] ---[ end trace 0000000000000000 ]---

> > >> Even after updating the kernel, the issue persists during the wake-up process
> > >> after the device has been put into sleep mode when connected to digital headphones.
> > >>
> > >> The error message is as follows:
> > >>
> > >> [465214.519817][T17247] msm-dwc3 a600000.ssusb: [2026-04-26 07:38:16.871288]vusb dbg: [2026-04-26 07:38:16.871288]DWC3 in low power mode
> > >> [465221.257099][T24488] check_valid_request: card#:0 dev#:0 dir:0 en:1 fmt:2 rate:48000 #ch:2
> > >> [465221.259370][T24488] msm-dwc3 a600000.ssusb: [2026-04-26 07:38:23.610842]vusb dbg: [2026-04-26 07:38:23.610842]DWC3 exited from low power mode
> > >> [465221.690852][T24488] usb 1-1: 1:1: cannot get freq at ep 0x3
> > >> [465221.690947][T24488] uaudio_iommu_map: type:0 map pa:0x000000089a6ae000 to iova:0x00001000 size:4096
> > >> [465221.690956][T24488] uaudio_get_iova: exact size: 4096 found
> > >> [465221.690959][T24488] uaudio_get_iova: va:0x00022000 curr_iova:0x00024000 curr_iova_size:4186112
> > >> [465221.690962][T24488] uaudio_iommu_map: type:1 map pa:0x000000091c537000 to iova:0x00022000 size:4096
> > >> [465221.690994][T24488] uaudio_get_iova: exact size: 32768 found
> > >> [465221.690996][T24488] uaudio_get_iova: va:0x00422000 curr_iova:0x00432000 curr_iova_size:4290592768
> > >> [465221.691001][T24488] uaudio_iommu_map: type:2 map pa:0x0000000974e5c000 to iova:0x00422000 len:4096 offset:0
> > >> [465221.691004][T24488] uaudio_iommu_map: type:2 map pa:0x000000092ff0b000 to iova:0x00423000 len:4096 offset:0
> > >> [465221.691008][T24488] uaudio_iommu_map: type:2 map pa:0x00000009086d4000 to iova:0x00424000 len:4096 offset:0
> > >> [465221.691011][T24488] uaudio_iommu_map: type:2 map pa:0x0000000903d42000 to iova:0x00425000 len:4096 offset:0
> > >> [465221.691014][T24488] uaudio_iommu_map: type:2 map pa:0x0000000899f40000 to iova:0x00426000 len:4096 offset:0
> > >> [465221.691017][T24488] uaudio_iommu_map: type:2 map pa:0x000000091c491000 to iova:0x00427000 len:4096 offset:0
> > >> [465221.691020][T24488] uaudio_iommu_map: type:2 map pa:0x0000000899269000 to iova:0x00428000 len:4096 offset:0
> > >> [465221.691023][T24488] uaudio_iommu_map: type:2 map pa:0x000000093b4d3000 to iova:0x00429000 len:4096 offset:0
> > >> [465221.691052][T24488] handle_uaudio_stream_req: ret 0: qmi response latency 433 ms
> > >> [465223.771840][T24494] handle_uaudio_stream_req: sq_node:5 sq_port:207 sq_family:2a
> > >> [465223.771858][T24494] check_valid_request: card#:0 dev#:0 dir:0 en:0 fmt:2 rate:48000 #ch:2
> > >> [465223.827409][T24494] uaudio_put_iova: curr_iova_size 4190208
> > >> [465223.827414][T24494] uaudio_iommu_unmap: type 1: unmap iova 0x00022000 size 4096
> > >> [465223.827425][T24494] uaudio_put_iova: curr_iova_size 4290625536
> > >> [465223.827429][T24494] uaudio_iommu_unmap: type 2: unmap iova 0x00422000 size 32768
> > >> [465223.827463][T24494] handle_uaudio_stream_req: release resources: intf# 1 card# 0
> > >> [465223.827467][T24494] uaudio_dev_release: for dev 0000000000000000
> > >> [465223.827472][T24494] uaudio_iommu_unmap: type 0: unmap iova 0x00001000 size 4096
> > >> [465223.827517][T24494] uaudio_event_ring_cleanup_free: all audio devices disconnected
> > >> [465223.827561][T24494] handle_uaudio_stream_req: ret 0: qmi response latency 55 ms
> > >> [465227.360186][ T3223] android time 2026-04-27 06:38:29.711646
> > >> [465232.791611][T24493] handle_uaudio_stream_req: sq_node:5 sq_port:207 sq_family:2a
> > >> [465232.791615][T24493] check_valid_request: card#:0 dev#:0 dir:0 en:1 fmt:2 rate:48000 #ch:2
> Start playing audio
>
> > >> [465233.213670][T24493] uaudio_iommu_map: type:0 map pa:0x000000091094f000 to iova:0x00001000 size:4096
> > >> [465233.213683][T24493] uaudio_get_iova: exact size: 4096 found
> > >> [465233.213686][T24493] uaudio_get_iova: va:0x00022000 curr_iova:0x00024000 curr_iova_size:4186112
> > >> [465233.213689][T24493] uaudio_iommu_map: type:1 map pa:0x000000089a6ae000 to iova:0x00022000 size:4096
> > >> [465233.213712][T24493] uaudio_get_iova: exact size: 32768 found
> > >> [465233.213715][T24493] uaudio_get_iova: va:0x00422000 curr_iova:0x00432000 curr_iova_size:4290592768
> > >> [465233.213720][T24493] uaudio_iommu_map: type:2 map pa:0x0000000968e5f000 to iova:0x00422000 len:4096 offset:0
> > >> [465233.213723][T24493] uaudio_iommu_map: type:2 map pa:0x0000000968e5e000 to iova:0x00423000 len:4096 offset:0
> > >> [465233.213727][T24493] uaudio_iommu_map: type:2 map pa:0x00000008caa58000 to iova:0x00424000 len:4096 offset:0
> > >> [465233.213730][T24493] uaudio_iommu_map: type:2 map pa:0x0000000a91af0000 to iova:0x00425000 len:4096 offset:0
> > >> [465233.213734][T24493] uaudio_iommu_map: type:2 map pa:0x00000009d38c1000 to iova:0x00426000 len:4096 offset:0
> > >> [465233.213737][T24493] uaudio_iommu_map: type:2 map pa:0x00000009e1e05000 to iova:0x00427000 len:4096 offset:0
> > >> [465233.213740][T24493] uaudio_iommu_map: type:2 map pa:0x00000009f8ea4000 to iova:0x00428000 len:4096 offset:0
> > >> [465233.213743][T24493] uaudio_iommu_map: type:2 map pa:0x00000000a7519000 to iova:0x00429000 len:4096 offset:0
> > >> [465233.213791][T24493] handle_uaudio_stream_req: ret 0: qmi response latency 422 ms
> > >> [465248.503579][T24411] usb 1-1: reset full-speed USB device number 2 using xhci-hcd
> Playback time [465232.791615]; about 16 seconds later, the host reset the digital headphones.
> In addition, the log also confirms that from the time the sound was played until the crash occurred,
> the host's screen was on and the system was awake, not in sleep mode.
>
> > >> [465248.641732][T24411] Unable to handle kernel paging request at virtual address 00000000ef808000
> > >> [...]
> > >> [465248.643670][T24411] Call trace:
> > >> [465248.643673][T24411] dma_pool_alloc+0x38/0x2a4
> > >> [465248.643684][T24411] xhci_segment_alloc+0x9c/0x1c4
> > >> [465248.643692][T24411] xhci_alloc_segments_for_ring+0xbc/0x170
> > >> [465248.643699][T24411] xhci_ring_alloc+0xb4/0x1f0
> > >> [465248.643705][T24411] xhci_endpoint_init+0x3b0/0x4bc
> > >> [465248.643711][T24411] xhci_add_endpoint+0x1a4/0x29c
> > >> [465248.643723][T24411] usb_hcd_alloc_bandwidth+0x230/0x3d4
> > >> [465248.643729][T24411] usb_reset_and_verify_device+0x1e0/0x744
> > >> [465248.643741][T24411] usb_reset_device+0x154/0x23c
> > >> [465248.643756][T24411] __usb_queue_reset_device+0x3c/0x64
> > >> [465248.643764][T24411] process_scheduled_works+0x200/0x9d8
> > >> [465248.643772][T24411] worker_thread+0x154/0x3b4
> > >> [465248.643780][T24411] kthread+0x11c/0x1a0
> > >> [465248.643791][T24411] ret_from_fork+0x10/0x20
> > >> [465248.643807][T24411] Code: 942f5097 f9400e76 aa0003e9 b40002f6 (f94002c8)
> > >> [465248.643812][T24411] ---[ end trace 0000000000000000 ]---
> > >
> > > Looks like this time somebody tried to reset a USB device while
> > > the segment pool is destroyed, not created yet or corrupted.
> > >
> > > Again, xhci_hcd dynamic debug would show what led to this and
> > > whether the pool was supposed to be ready at that time or not.
> > > The pool should always be ready except during xhci_resume() and
> > > after xhci_stop(), so it's unclear how this happened.
> > >
> > > Again, chances are that something is trying to resume USB device
> > > concurrently with its parent host controller.
> > It's possible this specific issue is no longer seen on the 7.1-rc1 kernel, as the xhci
> > driver no longer destroys and re-creates the dma pools in resume even if the xHC
> > controller is reset in resume.
> >
> > But the main issue here seems to be that the device is reset or resumed when the xHC host
> > is not ready, as Michal pointed out.
> >
> > Is this related to audio offload, where we pretend the usb device and xHC are suspended
> > even if they are running, allowing usb audio playback during system suspend?
>
> The current logs show that after the system woke up, it was playing audio. During playback,
> the host suddenly reset the digital headphones, and a crash occurred during the reset process.
>

Thanks,
Lianqin
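An added example, not code from this thread or from the xhci driver: a small Python triage script that parses dmesg excerpts of the shape quoted above and reports what preceded the oops, so the observations made in the thread (host awake at the time, reset issued roughly 16 s after playback started, fault in dma_pool_alloc directly under xhci_segment_alloc on the reset worker) can be checked mechanically on other reports of the same crash. It assumes the "[seconds][Tpid] message" dmesg line layout seen in the excerpts; the two sample logs are constructed copies of the excerpts with register dumps, most stack frames and the vendor timestamps trimmed.

```python
# Added example: triage the reset-to-oops pattern from the dmesg excerpts above.
# Assumes the "[seconds][Tpid] message" layout seen there (pid may be padded).
import re
from dataclasses import dataclass, field

LINE_RE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\[\s*T(?P<tid>\d+)\]\s*(?P<msg>.*)$")
FRAME_RE = re.compile(r"^(?P<fn>[A-Za-z_]\w*)\+0x[0-9a-f]+/0x[0-9a-f]+$")

# Message classes the thread reasons about; first match wins.
PATTERNS = [
    ("screen_on",      re.compile(r"vusb dbg: screen on")),
    ("low_power",      re.compile(r"DWC3 in\s*low power mode")),
    ("exit_low_power", re.compile(r"DWC3\s*exited from low power mode")),
    ("playback_start", re.compile(r"check_valid_request:.*\ben:1\b")),
    ("reset",          re.compile(r"usb [\d.-]+: reset .*USB device number \d+ using xhci-hcd")),
    ("desc_err",       re.compile(r"device descriptor read/\d+, error -\d+")),
    ("oops",           re.compile(r"Unable to handle kernel paging request")),
]
HOST_STATES = {"screen_on", "low_power", "exit_low_power"}

@dataclass
class Event:
    ts: float
    tid: int
    kind: str
    frames: list = field(default_factory=list)  # call trace, oops events only

def parse_dmesg(lines):
    """Classify the interesting lines and attach the call trace to the oops."""
    events, in_trace = [], False
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, tid, msg = float(m["ts"]), int(m["tid"]), m["msg"].strip()
        if in_trace:                      # between "Call trace:" and "Code:"
            fm = FRAME_RE.match(msg)
            if fm:
                events[-1].frames.append(fm["fn"])
            elif msg.startswith("Code:") or msg.startswith("---[ end trace"):
                in_trace = False
            continue
        if msg == "Call trace:" and events and events[-1].kind == "oops":
            in_trace = True
            continue
        for kind, pat in PATTERNS:
            if pat.search(msg):
                events.append(Event(ts, tid, kind))
                break
    return events

def analyze(events):
    """Summarise what preceded the oops: resets, host power state, playback."""
    oops = next((e for e in events if e.kind == "oops"), None)
    if oops is None:
        return {"oops": False}
    before = [e for e in events if e.ts < oops.ts]
    resets = [e for e in before if e.kind == "reset"]
    starts = [e for e in before if e.kind == "playback_start"]
    last_reset = resets[-1] if resets else None
    state = next((e.kind for e in reversed(before) if e.kind in HOST_STATES), "unknown")
    return {
        "oops": True,
        "resets_before_oops": len(resets),
        "descriptor_errors": sum(e.kind == "desc_err" for e in before),
        "reset_to_oops_s": round(oops.ts - last_reset.ts, 3) if last_reset else None,
        "same_worker": last_reset is not None and last_reset.tid == oops.tid,
        "playback_to_reset_s": round(last_reset.ts - starts[-1].ts, 3) if last_reset and starts else None,
        "host_state_at_oops": state,
        # the thread's signature: dma_pool_alloc faulting right under xhci_segment_alloc
        "faults_in_segment_alloc": oops.frames[:2] == ["dma_pool_alloc", "xhci_segment_alloc"],
        "under_usb_reset": "usb_reset_device" in oops.frames,
    }

def triage(lines):
    return analyze(parse_dmesg(lines))

# Constructed sample mirroring the first excerpt (screen on, two resets; dump trimmed).
SAMPLE_SCREEN_ON = """\
[309410.459322][ T336] vusb dbg: screen on
[309411.956190][T16132] usb 1-1: reset full-speed USB device number 2 using xhci-hcd
[309412.076514][T16132] usb 1-1: device descriptor read/64, error -71
[309412.294241][T16132] usb 1-1: device descriptor read/64, error -71
[309412.506346][T16132] usb 1-1: reset full-speed USB device number 2 using xhci-hcd
[309412.667884][T16132] Unable to handle kernel paging request at virtual address 00000000efc822e0
[309412.668337][T16132] pc : dma_pool_alloc+0x38/0x2a4
[309412.668357][T16132] Call trace:
[309412.668358][T16132] dma_pool_alloc+0x38/0x2a4
[309412.668359][T16132] xhci_segment_alloc+0x9c/0x1c4
[309412.668368][T16132] usb_reset_device+0x154/0x23c
[309412.668378][T16132] Code: 942f5097 f9400e76 aa0003e9 b40002f6 (f94002c8)
""".splitlines()

# Constructed sample mirroring the second excerpt (playback, reset 16 s later).
SAMPLE_PLAYBACK = """\
[465214.519817][T17247] msm-dwc3 a600000.ssusb: vusb dbg: DWC3 in low power mode
[465221.259370][T24488] msm-dwc3 a600000.ssusb: vusb dbg: DWC3 exited from low power mode
[465232.791615][T24493] check_valid_request: card#:0 dev#:0 dir:0 en:1 fmt:2 rate:48000 #ch:2
[465248.503579][T24411] usb 1-1: reset full-speed USB device number 2 using xhci-hcd
[465248.641732][T24411] Unable to handle kernel paging request at virtual address 00000000ef808000
[465248.643670][T24411] Call trace:
[465248.643673][T24411] dma_pool_alloc+0x38/0x2a4
[465248.643684][T24411] xhci_segment_alloc+0x9c/0x1c4
[465248.643741][T24411] usb_reset_device+0x154/0x23c
[465248.643807][T24411] Code: 942f5097 f9400e76 aa0003e9 b40002f6 (f94002c8)
""".splitlines()
```

Run it on a saved log with triage(open(path).read().splitlines()). host_state_at_oops is the last screen or DWC3 low-power message seen before the fault, which is the question raised above about whether the host was really awake; reset_to_oops_s and same_worker tie the fault to the queued reset work item, and the pattern table is meant to be extended with whatever xhci_hcd dynamic debug output is added when the report is reproduced.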