Message-ID: <f2c03c5d-d667-4398-9267-77d7f6aaf6b3@linux.intel.com>
Date: Mon, 5 Jan 2026 15:45:06 +0200
From: Mathias Nyman <mathias.nyman@...ux.intel.com>
To: 胡连勤 <hulianqin@...o.com>,
 Mathias Nyman <mathias.nyman@...el.com>,
 Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
 "broonie@...nel.org" <broonie@...nel.org>,
 "quic_wcheng@...cinc.com" <quic_wcheng@...cinc.com>
Cc: "linux-usb@...r.kernel.org" <linux-usb@...r.kernel.org>,
 "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: Consultation on the issue of digital headphones freezing

Hi

On 1/4/26 14:44, 胡连勤 wrote:
> Hello linux experts:
> 
> I have a question. My device freezes when using it with digital headphones.
> The stack trace is as follows:
> 
> [192165.107937][    C0] xhci-hcd xhci-hcd.3.auto: Error: Failed finding new dequeue state
> [192165.107946][    C0] xhci-hcd xhci-hcd.3.auto: Failed to clear cancelled cached URB 000000002d756eab, mark clear anyway
> [192165.108387][T17454] usb 1-1: reset full-speed USB device number 2 using xhci-hcd
> [192165.225904][T17454] usb 1-1: device descriptor read/64, error -71
> [192165.442224][T17454] usb 1-1: Device not responding to setup address.
> [192165.642107][T17454] usb 1-1: Device not responding to setup address.
> [192165.845879][T17454] usb 1-1: device not accepting address 2, error -71
> [192165.846031][T17454] usb 1-1: WARN: invalid context state for evaluate context command.
> [192165.957927][T17454] usb 1-1: reset full-speed USB device number 2 using xhci-hcd
> [192165.958032][T17454] xhci-hcd xhci-hcd.3.auto: ERROR: unexpected setup context command completion code 0x11.
> [192165.958040][T17454] usb 1-1: hub failed to enable device, error -22
> [192165.958165][T17454] usb 1-1: WARN: invalid context state for evaluate context command.
> [192166.070623][T17454] usb 1-1: reset full-speed USB device number 2 using xhci-hcd
> [192166.070728][T17454] xhci-hcd xhci-hcd.3.auto: ERROR: unexpected setup address command completion code 0x11.
> [192166.273835][T17454] xhci-hcd xhci-hcd.3.auto: ERROR: unexpected setup address command completion code 0x11.
> [192166.473788][T17454] usb 1-1: device not accepting address 2, error -22
> [192166.473943][T17454] usb 1-1: WARN: invalid context state for evaluate context command.
> [192166.585802][T17454] usb 1-1: reset full-speed USB device number 2 using xhci-hcd
> [192166.585901][T17454] xhci-hcd xhci-hcd.3.auto: ERROR: unexpected setup address command completion code 0x11.
> [192166.785850][T17454] xhci-hcd xhci-hcd.3.auto: ERROR: unexpected setup address command completion code 0x11.
> [192166.985829][T17454] usb 1-1: device not accepting address 2, error -22
> [192166.986836][T17454] usb 1-1: USB disconnect, device number 2
> [192166.990744][T17170] pc : xhci_initialize_ring_info+0x0/0x30
> [192166.990754][T17170] lr : xhci_sideband_remove_endpoint+0x84/0xb8
> [192166.990760][T17170] sp : ffffffc0f2d6ba10
> [192166.990763][T17170] x29: ffffffc0f2d6ba10 x28: ffffff884082a7c0 x27: ffffff89e4e43c00
> [192166.990772][T17170] x26: ffffff8a689d2c00 x25: 0000000000000000 x24: 0000000000000000
> [192166.990780][T17170] x23: ffffffe881212e50 x22: ffffff88feaad210 x21: 00000000ffffffed
> [192166.990788][T17170] x20: ffffff8880dd6200 x19: ffffff88feaad200 x18: ffffffe883debf00
> [192166.990795][T17170] x17: 00000000e11f7a81 x16: 00000000e11f7a81 x15: 0000000000000000
> [192166.990803][T17170] x14: 0000000000000000 x13: 0000000000000000 x12: ffffff89a7dcfc60
> [192166.990811][T17170] x11: 0000000000000029 x10: 0000000000000000 x9 : 03f28220e26a0a00
> [192166.990818][T17170] x8 : 0000000000000003 x7 : 0000000000000000 x6 : 0000000000000000
> [192166.990826][T17170] x5 : ffffffe88253eda8 x4 : fffffffee69f73e0 x3 : 00000000802a0029
> [192166.990834][T17170] x2 : ffffff89a7dcfc60 x1 : 00000000802a002a x0 : 0000000000000000
> [192166.990841][T17170] Call trace:
> [192166.990843][T17170]  xhci_initialize_ring_info+0x0/0x30
> [192166.990853][T17170]  handle_uaudio_stream_req+0xacc/0xda0 [snd_usb_audio_qmi 0fac57c02f06d038d015e5719390f9b3eda86e61]
> [192166.990865][T17170]  qmi_invoke_handler+0xd8/0x144 [qmi_helpers 4e26e13e3f77f3f53f00b1285e47dea9167ec3b4]
> [192166.990878][T17170]  qmi_data_ready_work+0x2ec/0x764 [qmi_helpers 4e26e13e3f77f3f53f00b1285e47dea9167ec3b4]
> [192166.990891][T17170]  process_scheduled_works+0x1c4/0x45c
> [192166.990897][T17170]  worker_thread+0x32c/0x3e8
> [192166.990903][T17170]  kthread+0x11c/0x1b0
> [192166.990912][T17170]  ret_from_fork+0x10/0x20
> [192166.990921][T17170] Code: a8c37bfd d50323bf d65f03c0 cee7796a (f9400009)
> [192166.990924][T17170] ---[ end trace 0000000000000000 ]---
> [192166.990929][T17170] Kernel panic - not syncing: Oops: Fatal exception
> [192166.990932][T17170] SMP: stopping secondary CPUs
> 
> Trace 32 analysis revealed that the crash was caused by ep->ring being null when calling the xhci_sideband_remove_endpoint function.
> I haven't come up with a better solution than this one.
> diff --git a/drivers/usb/host/xhci-sideband.c b/drivers/usb/host/xhci-sideband.c
> index a85f62a73313..04ae2cbba838 100644
> --- a/drivers/usb/host/xhci-sideband.c
> +++ b/drivers/usb/host/xhci-sideband.c
> @@ -206,7 +206,7 @@ xhci_sideband_remove_endpoint(struct xhci_sideband *sb,
>   	ep_index = xhci_get_endpoint_index(&host_ep->desc);
>   	ep = sb->eps[ep_index];
>   
> -	if (!ep || !ep->sideband || ep->sideband != sb)
> +	if (!ep || !ep->sideband || !ep->ring || ep->sideband != sb)
>   		return -ENODEV;
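
Review bot: In the changed condition, the new !ep->ring test shares the -ENODEV exit with the "endpoint is not bound to this sideband" cases, so an endpoint that is still bound to sb but has already lost its ring returns early and none of the teardown that follows this check runs for it. Check the ring separately, after the ownership test, and skip only the ring-dependent steps when it is NULL so the endpoint is still unbound. The description should also say which path left ep->ring NULL, given that the log shows the device disconnecting just before the oops.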

We can't return yet if endpoint and sideband are valid, but ring is missing.
We should still set

ep->sideband = NULL;
sb->eps[ep->ep_index] = NULL;

in __xhci_sideband_remove() for this sideband and endpoint.

Was xhci_sideband_notify_ep_ring_free() called for this endpoint?
We can in that case possibly avoid calling both xhci_stop_endpoint_sync()
and xhci_initialize_ring_info() during this xhci_sideband_remove_endpoint()
call.


The failure to find new dequeue states also looks worrying:
[192165.107937][    C0] xhci-hcd xhci-hcd.3.auto: Error: Failed finding new dequeue state
[192165.107946][    C0] xhci-hcd xhci-hcd.3.auto: Failed to clear cancelled cached URB 000000002d756eab, mark clear anyway

If this endpoint is offloaded (sideband) then xhci driver shouldn't try
to find a new dequeue position.

Thanks
Mathias
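
A userspace model of the point made in the reply above, added here as an example and not taken from the kernel source or from either poster: it contrasts the early return on a NULL ring with a removal that still unbinds the endpoint. The struct layouts and the names remove_ep_early_return, remove_ep_unbind_always and stale_binding_after are assumptions, and the ring work is reduced to setting a flag.

```c
#include <errno.h>
#include <stddef.h>

/* Simplified stand-ins for the driver structures (assumed layout, not the kernel's). */
struct ring { int reinitialised; };
struct sideband;
struct vep { struct sideband *sideband; struct ring *ring; unsigned int ep_index; };
struct sideband { struct vep *eps[4]; };

/* Models the proposed change: a NULL ring takes the same -ENODEV exit. */
static int remove_ep_early_return(struct sideband *sb, unsigned int idx)
{
    struct vep *ep = sb->eps[idx];

    if (!ep || !ep->sideband || !ep->ring || ep->sideband != sb)
        return -ENODEV;
    ep->ring->reinitialised = 1;
    ep->sideband = NULL;
    sb->eps[ep->ep_index] = NULL;
    return 0;
}

/* Models the reply: ownership check first, ring work only if a ring exists,
 * and the binding is cleared in either case. */
static int remove_ep_unbind_always(struct sideband *sb, unsigned int idx)
{
    struct vep *ep = sb->eps[idx];

    if (!ep || !ep->sideband || ep->sideband != sb)
        return -ENODEV;
    if (ep->ring)
        ep->ring->reinitialised = 1; /* stands in for stop endpoint + ring re-init */
    ep->sideband = NULL;
    sb->eps[ep->ep_index] = NULL;
    return 0;
}

/* Returns 1 if a binding survives removal of an endpoint whose ring is already gone. */
static int stale_binding_after(int (*remove_fn)(struct sideband *, unsigned int))
{
    struct sideband sb = { { NULL } };
    struct vep ep = { &sb, NULL, 2 }; /* constructed case: ring freed earlier */

    sb.eps[2] = &ep;
    remove_fn(&sb, 2);
    return sb.eps[2] != NULL || ep.sideband != NULL;
}

int main(void)
{
    return !(stale_binding_after(remove_ep_early_return) == 1 &&
             stale_binding_after(remove_ep_unbind_always) == 0);
}
```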



