Re: [PATCH RFT RFC] usb: xhci: Kill hosts with HCE or HSE on command timeout

[Michal Pecio]

On Sat, 23 May 2026 00:47:28 -0300, Desnes Nunes wrote:
> Hello Michal,
> 
> On Fri, May 22, 2026 at 9:29 PM Michal Pecio <michal.pecio@xxxxxxxxx> wrote:
> > Sorry, I forgot about the most important thing: crash kernel log,
> > or at least the IOMMU fault message showing the bad address.  
>
> I was indeed intrigued and almost sent it without you asking for it :-)
> 
> The crashkernel's fault address is shown latter on down below, but now
> I have attached the full kexec dmesg too.
> 
> PS: Note that the debugfs file 'memory' from before contains the
> addresses of the main kernel, not crashkernel's addresses:
>     - From main dmesg:
> [    6.728105] xhci_hcd 0000:80:14.0: Device context base array
> address = 0x000000010a958000 (DMA), 00000000f542e3ba (virt)
> [    6.737602] xhci_hcd 0000:80:14.0: ERST deq = 64'h10a95a000

Neither debugfs dump corresponds to this dmesg, addresses don't match.
And it doesn't look like the guard pages patch is working here. 

But maybe it doesn't matter. Your "memory" files show a clear pattern
of consecutive page-sized allocations (example from after.zip):

102fb6000 DCBAA
102fb7000 CR
102fb8000 ER segmnet 0
102fb9000 ER segment 1
102fba000 ERST 

We can make a guess that the faulting address is the ERST, which
definitely should be accessible to the host controller.

This simple patch logs ERST allocation and freeing; as far as I see
nothing else touches that mapping.

If the ERST is somehow freed before starting the HC, that's a bug.
Otherwise, it seems you were right that you have some IOMMU problem.

Regards,
Michal
diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c
index e76e321e119f..3f1e25bcb7ee 100644
--- a/drivers/usb/host/xhci-mem.c
+++ b/drivers/usb/host/xhci-mem.c
@@ -1815,6 +1815,7 @@ static int xhci_alloc_erst(struct xhci_hcd *xhci,
 					   size, &erst->erst_dma_addr, flags);
 	if (!erst->entries)
 		return -ENOMEM;
+	xhci_info(xhci, "alloc ERST at %pad\n", &erst->erst_dma_addr);
 
 	erst->num_entries = evt_ring->num_segs;
 
@@ -1867,6 +1868,7 @@ xhci_free_interrupter(struct xhci_hcd *xhci, struct xhci_interrupter *ir)
 				  ir->erst.entries,
 				  ir->erst.erst_dma_addr);
 	ir->erst.entries = NULL;
+	xhci_info(xhci, "free ERST at %pad\n", &ir->erst.erst_dma_addr);
 
 	/* free interrupter event ring */
 	if (ir->event_ring)