Bug 1070027
| Field | Value |
|---|---|
| Summary | qemu crash during iofuzz test: qemu: hw/usb/core.c:707: usb_ep_get: Assertion `pid == 0x69 \|\| pid == 0xe1' failed. |
| Product | Red Hat Enterprise Linux 7 |
| Component | qemu-kvm-rhev |
| Version | 7.0 |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Reporter | Xiaoqing Wei <xwei> |
| Assignee | Gerd Hoffmann <kraxel> |
| QA Contact | Xujun Ma <xuma> |
| Docs Contact | |
| CC | chayang, hhuang, huding, juzhang, knoel, mrezanin, rbalakri, virt-maint |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | QEMU 2.6 |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2016-11-07 20:11:38 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Attachments | |
Created attachment 867793 [details]
autotest log
02/19 00:44:48 INFO | virt:0057| Virt Test '0.15.1-master-5377-g1e713', Branch 'master', SHA1 '1e713b149de927a501336fad71bce8b7ba6fc447'
02/19 00:45:35 INFO | aexpect:0907| [qemu output] (Process terminated with status 0)
02/19 00:45:37 INFO | qemu_vm:2028| Running qemu command (reformatted):
/usr/local/staf/test/RHEV/kvm/autotest-devel/client/tests/virt/qemu/qemu \
-S \
-name 'virt-tests-vm1' \
-sandbox off \
-M pc \
-nodefaults \
-vga qxl \
-global qxl-vga.vram_size=33554432 \
-chardev socket,id=qmp_id_qmpmonitor1,path=/tmp/monitor-qmpmonitor1-20140219-004536-y30CAfIX,server,nowait \
-mon chardev=qmp_id_qmpmonitor1,mode=control \
-chardev socket,id=serial_id_serial0,path=/tmp/serial-serial0-20140219-004536-y30CAfIX,server,nowait \
-device isa-serial,chardev=serial_id_serial0 \
-chardev socket,id=seabioslog_id_20140219-004536-y30CAfIX,path=/tmp/seabios-20140219-004536-y30CAfIX,server,nowait \
-device isa-debugcon,chardev=seabioslog_id_20140219-004536-y30CAfIX,iobase=0x402 \
-device ich9-usb-uhci1,id=usb1,bus=pci.0,addr=03 \
-drive id=drive_image1,if=none,cache=none,snapshot=off,aio=native,file=/usr/local/staf/test/RHEV/kvm/autotest-devel/client/tests/virt/shared/data/images/RHEL-Server-5.10-64-virtio.raw \
-device ide-hd,id=image1,drive=drive_image1,bus=ide.0,unit=0 \
-device virtio-net-pci,mac=9a:97:98:99:9a:9b,id=idDgbhGX,netdev=idLuHmn6,bus=pci.0,addr=04 \
-netdev tap,id=idLuHmn6,vhost=on,vhostfd=33,fd=32 \
-m 2048 \
-smp 2,maxcpus=2,cores=1,threads=1,sockets=2 \
-cpu 'SandyBridge',+kvm_pv_unhalt \
-device usb-tablet,id=usb-tablet1,bus=usb1.0,port=1 \
-spice port=3000,password=123456,addr=0,image-compression=auto_glz,zlib-glz-wan-compression=auto,streaming-video=all,agent-mouse=on,playback-compression=on,ipv4 \
-rtc base=utc,clock=host,driftfix=slew \
-boot order=cdn,once=c,menu=off \
-no-kvm-pit-reinjection \
-enable-kvm
02/19 00:45:37 INFO | aexpect:0907| [qemu output] Warning: option deprecated, use lost_tick_policy property of kvm-pit instead.
02/19 00:45:38 INFO | qemu_vm:2037| Created qemu process with parent PID 4226
02/19 00:45:38 INFO |qemu_monit:0125| Connecting to monitor 'qmpmonitor1'
02/19 00:45:39 INFO | virt:0136| Running function: iofuzz.run_iofuzz()
02/19 00:46:36 INFO | iofuzz:0099| Enumerate guest devices through /proc/ioports
02/19 00:46:36 INFO | iofuzz:0116| Fuzzing keyboard, port range 0x60-0x60
02/19 00:46:44 INFO | iofuzz:0116| Fuzzing timer1, port range 0x50-0x53
02/19 00:47:19 INFO | iofuzz:0116| Fuzzing rtc, port range 0x70-0x77
02/19 00:48:27 INFO | iofuzz:0116| Fuzzing 0000:00:02.0, port range 0xc000-0xc01f
02/19 00:53:00 INFO | iofuzz:0116| Fuzzing floppy, port range 0x3f2-0x3f5
02/19 00:53:34 INFO | iofuzz:0116| Fuzzing ACPI PM1a_EVT_BLK, port range 0xb000-0xb003
02/19 00:54:08 INFO | iofuzz:0116| Fuzzing pic1, port range 0x20-0x21
02/19 00:54:26 INFO | iofuzz:0116| Fuzzing piix4_smbus, port range 0xb100-0xb107
02/19 00:55:34 INFO | iofuzz:0116| Fuzzing dma page reg, port range 0x80-0x8f
02/19 00:57:50 INFO | iofuzz:0116| Fuzzing serial, port range 0x3f8-0x3ff
02/19 00:58:59 INFO | iofuzz:0116| Fuzzing uhci_hcd, port range 0xc020-0xc03f
02/19 01:00:55 INFO | aexpect:0907| [qemu output] qemu: hw/usb/core.c:707: usb_ep_get: Assertion `pid == 0x69 || pid == 0xe1' failed.
02/19 01:01:21 INFO | aexpect:0907| [qemu output] /tmp/aexpect/YhEALePw/aexpect-AhX57b.sh: line 1: 4227 Aborted (core dumped) /usr/local/staf/test/RHEV/kvm/autotest-devel/client/tests/virt/qemu/qemu -S -name 'virt-tests-vm1' -sandbox off -M pc -nodefaults -vga qxl -global qxl-vga.vram_size=33554432 -chardev socket,id=qmp_id_qmpmonitor1,path=/tmp/monitor-qmpmonitor1-20140219-004536-y30CAfIX,server,nowait -mon chardev=qmp_id_qmpmonitor1,mode=control -chardev socket,id=serial_id_serial0,path=/tmp/serial-serial0-20140219-004536-y30CAfIX,server,nowait -device isa-serial,chardev=serial_id_serial0 -chardev socket,id=seabioslog_id_20140219-004536-y30CAfIX,path=/tmp/seabios-20140219-004536-y30CAfIX,server,nowait -device isa-debugcon,chardev=seabioslog_id_20140219-004536-y30CAfIX,iobase=0x402 -device ich9-usb-uhci1,id=usb1,bus=pci.0,addr=03 -drive id=drive_image1,if=none,cache=none,snapshot=off,aio=native,file=/usr/local/staf/test/RHEV/kvm/autotest-devel/client/tests/virt/shared/data/images/RHEL-Server-5.10-64-virtio.raw -device ide-hd,id=image1,drive=drive_image1,bus=ide.0,unit=0 -device virtio-net-pci,mac=9a:97:98:99:9a:9b,id=idDgbhGX,netdev=idLuHmn6,bus=pci.0,addr=04 -netdev tap,id=idLuHmn6,vhost=on,vhostfd=33,fd=32 -m 2048 -smp 2,maxcpus=2,cores=1,threads=1,sockets=2 -cpu 'SandyBridge',+kvm_pv_unhalt -device usb-tablet,id=usb-tablet1,bus=usb1.0,port=1 -spice port=3000,password=123456,addr=0,image-compression=auto_glz,zlib-glz-wan-compression=auto,streaming-video=all,agent-mouse=on,playback-compression=on,ipv4 -rtc base=utc,clock=host,driftfix=slew -boot order=cdn,once=c,menu=off -no-kvm-pit-reinjection -enable-kvm
02/19 01:01:21 INFO | aexpect:0907| [qemu output] (Process terminated with status 134)
02/19 01:02:01 ERROR| virt:0155| Test failed: TestFail: VM has quit abnormally during write: [49204, 35]
(gdb) bt
#0 0x00007fa33dc71989 in raise () from /lib64/libc.so.6
#1 0x00007fa33dc73098 in abort () from /lib64/libc.so.6
#2 0x00007fa33dc6a8f6 in __assert_fail_base () from /lib64/libc.so.6
#3 0x00007fa33dc6a9a2 in __assert_fail () from /lib64/libc.so.6
#4 0x00007fa34314057f in usb_ep_get (dev=<optimized out>, pid=pid@entry=80, ep=<optimized out>) at hw/usb/core.c:707
#5 0x00007fa34314b303 in uhci_handle_td (s=s@entry=0x7fa344d4b6d0, q=q@entry=0x0, qh_addr=qh_addr@entry=0, td=td@entry=0x7fff092c2a20, td_addr=12714064,
int_mask=int_mask@entry=0x7fff092c2a0c) at hw/usb/hcd-uhci.c:872
#6 0x00007fa34314b9d6 in uhci_process_frame (s=s@entry=0x7fa344d4b6d0) at hw/usb/hcd-uhci.c:1084
#7 0x00007fa34314bcdd in uhci_frame_timer (opaque=0x7fa344d4b6d0) at hw/usb/hcd-uhci.c:1183
#8 0x00007fa343194046 in qemu_run_timers (clock=0x7fa344cd1920) at qemu-timer.c:394
#9 0x00007fa3431941b5 in qemu_run_timers (clock=<optimized out>) at qemu-timer.c:459
#10 qemu_run_all_timers () at qemu-timer.c:452
#11 0x00007fa343162b6e in main_loop_wait (nonblocking=<optimized out>) at main-loop.c:470
#12 0x00007fa343086290 in main_loop () at vl.c:1988
#13 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4357
Created attachment 867794 [details]
gdb
Created attachment 867819 [details]
xz
Created attachment 867822 [details]
xz
Created attachment 867829 [details]
xz
Created attachment 867832 [details]
xz
Fuzzing probably changed some address register, resulting in uhci interpreting some random memory address as uhci data structures & filling pid from random crap. So a case of a guest-triggerable assert. Not very nice to the guest, but also not very critical.

Upstream commit 5f77e06baa84323e5bbc96c2c7f4fe627078b210 (will be in 2.6)

Reproduced the issue on old version:

Version-Release number of selected component (if applicable):
qemu-kvm-rhev-1.5.3-48.el7.x86_64
kernel-3.10.0-86.el7.x86_64
spice-server-0.12.4-5.el7.x86_64
ipxe-roms-qemu-20130517-4.gitc4bce43.el7.noarch
seabios-bin-1.7.2.2-11.el7.x86_64
seavgabios-bin-1.7.2.2-11.el7.x86_64
sgabios-bin-0.20110622svn-4.el7.noarch

Steps to Reproduce:
1. Run the "iofuzz" case for the uhci_hcd device with avocado on the host 50 times

Actual results:
Can't reproduce this issue

Verified the issue on the latest build:

Version-Release number of selected component (if applicable):
qemu-kvm-rhev-2.6.0-24.el7.x86_64
seabios-bin-1.9.1-4.el7.noarch
seavgabios-bin-1.9.1-4.el7.noarch
sgabios-bin-0.20110622svn-4.el7.noarch
host: kernel-3.10.0-492.el7.x86_64
guest: kernel-3.10.0-492.el7.x86_64

Steps to Verify:
The same steps as above

Actual results:
No such issue

This bug is probabilistic; it happened only once, so it is hard to reproduce. I have run the iofuzz script with the latest qemu for three days and did not hit this issue, so we can consider the bug fixed. If anybody meets this issue again, feel free to reopen it.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2673.html
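The comment above gives the mechanism: a fuzzed address register makes the emulated UHCI controller walk arbitrary guest memory as transfer descriptors, and the PID field of such a "descriptor" reaches the `usb_ep_get` assert in frame #4 of the backtrace (`pid=80`, i.e. 0x50, which is neither IN 0x69 nor OUT 0xe1). The block below is an added example, not QEMU code and not the cited upstream commit: it models the TD token decode and shows the ordering that keeps guest-chosen input away from the assert. The TD layout and PID token values follow the UHCI and USB specifications; the status bits, the result codes, the `uhci_*_model` and `uhci_run_one_td` names, and the rule that SETUP is accepted only on endpoint 0 are this model's own simplifications, not hcd-uhci.c behaviour.

```c
/* Added example, not QEMU code and not the cited upstream fix: a model of
 * the UHCI transfer-descriptor (TD) path behind this report, with the PID
 * validated before anything indexes an endpoint table. Assumptions: TD
 * layout and PID token values follow the UHCI/USB specs; the state bits,
 * result codes and the rule that SETUP is accepted only on endpoint 0 are
 * this model's simplifications, not hcd-uhci.c behaviour. */
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define USB_TOKEN_SETUP 0x2d
#define USB_TOKEN_OUT   0xe1
#define USB_TOKEN_IN    0x69
#define TD_CTRL_ACTIVE  (1u << 23)  /* TD control/status: active */
#define UHCI_STS_HCPERR (1u << 4)   /* USBSTS: host controller process error */
#define UHCI_CMD_RS     (1u << 0)   /* USBCMD: run/stop */

struct uhci_td { uint32_t link, ctrl, token, buffer; };
struct uhci_state { uint16_t cmd, status; unsigned ep_lookups; };
enum td_result { TD_RESULT_STOP_FRAME = -1, TD_RESULT_COMPLETE = 0, TD_RESULT_NEXT_QH = 1 };

/* Token layout: PID bits 0..7, device address 8..14, endpoint 15..18, max
 * length 21..31. Once the fuzzer has rewritten the frame list base register
 * any guest page is "a TD", so none of these fields can be trusted. */
uint32_t uhci_make_token(int pid, int addr, int ep, int maxlen)
{
    return (uint32_t)(pid & 0xff) | ((uint32_t)(addr & 0x7f) << 8) |
           ((uint32_t)(ep & 0xf) << 15) | ((uint32_t)(maxlen & 0x7ff) << 21);
}

/* Model of the lookup in hw/usb/core.c: endpoint 0 is the control endpoint
 * for any token; other endpoints live in per-direction tables, so the PID
 * must be IN or OUT. This is the assert from the report; the point of the
 * example is that guest-chosen input must never reach it. */
static int lookup_endpoint(struct uhci_state *s, int pid, int ep)
{
    s->ep_lookups++;
    if (ep == 0)
        return 0;
    assert(pid == USB_TOKEN_IN || pid == USB_TOKEN_OUT);
    return ep;
}

/* True when the PID/endpoint pair may be dispatched: IN and OUT anywhere,
 * SETUP only on endpoint 0 (this model's extra restriction). */
bool uhci_td_token_ok(uint32_t token)
{
    int pid = token & 0xff, ep = (token >> 15) & 0xf;
    switch (pid) {
    case USB_TOKEN_IN:
    case USB_TOKEN_OUT:   return true;
    case USB_TOKEN_SETUP: return ep == 0;
    default:              return false;
    }
}

/* Ordering is the fix: check the token before touching the endpoint table.
 * A TD with pid 0x50 and a nonzero endpoint then becomes a host controller
 * process error (controller stops, guest sees HCPERR), not a VM abort. */
enum td_result uhci_handle_td_model(struct uhci_state *s, const struct uhci_td *td)
{
    if (!(td->ctrl & TD_CTRL_ACTIVE))
        return TD_RESULT_NEXT_QH;
    if (!uhci_td_token_ok(td->token)) {
        s->status |= UHCI_STS_HCPERR;
        s->cmd &= ~UHCI_CMD_RS;
        return TD_RESULT_STOP_FRAME;
    }
    lookup_endpoint(s, td->token & 0xff, (td->token >> 15) & 0xf);
    return TD_RESULT_COMPLETE;
}

/* Runs one TD through a fresh, running controller and reports the outcome. */
struct td_outcome { int result; bool hcperr; bool running; unsigned lookups; };
struct td_outcome uhci_run_one_td(uint32_t token, bool active)
{
    struct uhci_state s = { .cmd = UHCI_CMD_RS, .status = 0, .ep_lookups = 0 };
    struct uhci_td td = { .link = 1, .ctrl = active ? TD_CTRL_ACTIVE : 0, .token = token, .buffer = 0 };
    struct td_outcome o;
    o.result = uhci_handle_td_model(&s, &td);
    o.hcperr = (s.status & UHCI_STS_HCPERR) != 0;
    o.running = (s.cmd & UHCI_CMD_RS) != 0;
    o.lookups = s.ep_lookups;
    return o;
}

int main(void)
{
    /* pid 80 (0x50) as in frame #4 of the backtrace; the endpoint is
     * optimized out there, 3 is chosen here. */
    struct td_outcome bad = uhci_run_one_td(uhci_make_token(0x50, 1, 3, 7), true);
    struct td_outcome in = uhci_run_one_td(uhci_make_token(USB_TOKEN_IN, 1, 1, 7), true);
    printf("garbage TD: result=%d hcperr=%d running=%d lookups=%u\n", bad.result, bad.hcperr, bad.running, bad.lookups);
    printf("IN TD:      result=%d hcperr=%d running=%d lookups=%u\n", in.result, in.hcperr, in.running, in.lookups);
    return 0;
}
```

The general lesson is the one the thread's comment draws: an assert is a developer invariant, and anything a guest can write into emulated DMA structures or registers is input, not an invariant, so it has to be validated and turned into the device's own error signalling (here HCPERR with the controller halted) before the code that asserts is ever reached.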
Description of problem:
qemu crash during iofuzz test: qemu: hw/usb/core.c:707: usb_ep_get: Assertion `pid == 0x69 || pid == 0xe1' failed.

Version-Release number of selected component (if applicable):
qemu-kvm-rhev-1.5.3-48.el7.x86_64
kernel-3.10.0-86.el7.x86_64
spice-server-0.12.4-5.el7.x86_64
ipxe-roms-qemu-20130517-4.gitc4bce43.el7.noarch
seabios-bin-1.7.2.2-11.el7.x86_64
seavgabios-bin-1.7.2.2-11.el7.x86_64
sgabios-bin-0.20110622svn-4.el7.noarch

How reproducible:
only once

Steps to Reproduce:
1. guest: 5.10 x86_64 KVM iofuzz test:
   1) Log into a guest
   2) Enumerate all IO port ranges through /proc/ioports
   3) On each port of the range:
      * Read it
      * Write 0 to it
      * Write a random value to a random port in a random order

Actual results:
qemu crash

Expected results:
qemu works well

Additional info:
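The reproduction procedure above is the whole fuzzer: enumerate /proc/ioports, then per range read each port, write 0 to it, and write random values to random ports. The failure line in the log, `VM has quit abnormally during write: [49204, 35]`, is the harness reporting the last write it issued, port 49204 = 0xc034 with value 35, inside the uhci_hcd range 0xc020-0xc03f; it is the last write logged, not necessarily the one that redirected the address register the comment in the thread points at. The block below is an added example, not the autotest/avocado iofuzz script from this report: it implements those three steps behind port-access callbacks so that the same loop runs here against a constructed port map and, inside a guest, against /dev/port. The sample /proc/ioports text (with names taken from the log and the PCI address 0000:00:03.0 from the qemu command line), the fake port map, the xorshift generator and all function names are this example's own.

```c
/* Added example, not the autotest/avocado iofuzz script from this report: the
 * same three steps (read each port, write 0 to it, write random values to
 * random ports) over ranges parsed from /proc/ioports, with port access behind
 * callbacks so it runs here on a fake map and in a guest on /dev/port. */
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

struct io_range { unsigned start, end; char name[32]; };

/* Constructed /proc/ioports sample (nested entries indented); names from the log. */
static const char SAMPLE_IOPORTS[] =
    "0020-0021 : pic1\n"
    "0060-0060 : keyboard\n"
    "0070-0077 : rtc\n"
    "c000-dfff : PCI Bus 0000:00\n"
    "  c020-c03f : 0000:00:03.0\n"
    "    c020-c03f : uhci_hcd\n";

/* Parses "start-end : name" lines; returns the number of ranges stored. */
size_t parse_ioports(const char *text, struct io_range *out, size_t max)
{
    size_t n = 0;
    while (*text && n < max) {
        const char *nl = strchr(text, '\n');
        size_t len = nl ? (size_t)(nl - text) : strlen(text);
        char line[128];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, text, len); line[len] = '\0';
        if (sscanf(line, " %x-%x : %31[^\n]", &out[n].start, &out[n].end, out[n].name) == 3)
            n++;
        if (!nl) break;
        text = nl + 1;
    }
    return n;
}

/* Port access behind callbacks: one loop for a fake map, /dev/port or inb/outb. */
typedef uint8_t (*port_read_fn)(void *ctx, unsigned port);
typedef void (*port_write_fn)(void *ctx, unsigned port, uint8_t val);
struct fuzz_io { port_read_fn rd; port_write_fn wr; void *ctx; };

/* xorshift32: deterministic, so a crash is replayable from (range, seed). */
static uint32_t xs32(uint32_t *s) { uint32_t x = *s; x ^= x << 13; x ^= x >> 17; x ^= x << 5; return *s = x; }

/* The three steps from the report. Returns the number of accesses made; the
 * host-side harness, not this loop, is what notices that QEMU died. */
unsigned long fuzz_range(const struct io_range *r, const struct fuzz_io *io, uint32_t seed, unsigned random_writes)
{
    uint32_t st = seed ? seed : 0x9e3779b9u;
    unsigned span = r->end - r->start + 1;
    unsigned long ops = 0;
    for (unsigned p = r->start; p <= r->end; p++, ops += 2) {
        (void)io->rd(io->ctx, p);                        /* read it */
        io->wr(io->ctx, p, 0);                           /* write 0 to it */
    }
    for (unsigned i = 0; i < random_writes; i++, ops++)  /* random value to random port */
        io->wr(io->ctx, r->start + xs32(&st) % span, (uint8_t)xs32(&st));
    return ops;
}

/* Guest backend: byte accesses through /dev/port (needs root; ctx is the open fd). */
uint8_t devport_rd(void *ctx, unsigned port) { uint8_t v = 0xff; (void)pread(*(int *)ctx, &v, 1, port); return v; }
void devport_wr(void *ctx, unsigned port, uint8_t v) { (void)pwrite(*(int *)ctx, &v, 1, port); }

/* Fake backend: 64 KiB port map that records the last write as the "[port, value]"
 * pair the log prints, and counts writes that landed outside the range. */
struct fake_ports { uint8_t regs[0x10000]; unsigned lo, hi, last_port, last_val; unsigned long strayed; };
static struct fake_ports g_fake;                         /* static: too big for the stack */
static uint8_t fake_rd(void *ctx, unsigned port) { return ((struct fake_ports *)ctx)->regs[port & 0xffff]; }
static void fake_wr(void *ctx, unsigned port, uint8_t v)
{
    struct fake_ports *f = ctx;
    if (port < f->lo || port > f->hi) f->strayed++;
    f->regs[port & 0xffff] = v; f->last_port = port; f->last_val = v;
}

struct fuzz_report { size_t ranges; unsigned long ops, strayed; unsigned last_port, last_val; };
/* Fuzzes the named range of the sample map on the fake backend. */
struct fuzz_report fuzz_sample_range(const char *name, uint32_t seed, unsigned random_writes)
{
    struct io_range ranges[16];
    struct fuzz_report rep = { parse_ioports(SAMPLE_IOPORTS, ranges, 16), 0, 0, 0, 0 };
    for (size_t i = 0; i < rep.ranges; i++) {
        if (strcmp(ranges[i].name, name) != 0) continue;
        memset(&g_fake, 0, sizeof g_fake);
        g_fake.lo = ranges[i].start; g_fake.hi = ranges[i].end;
        struct fuzz_io io = { fake_rd, fake_wr, &g_fake };
        rep.ops = fuzz_range(&ranges[i], &io, seed, random_writes);
        rep.strayed = g_fake.strayed; rep.last_port = g_fake.last_port; rep.last_val = g_fake.last_val;
    }
    return rep;
}

int main(void)
{
    struct fuzz_report rep = fuzz_sample_range("uhci_hcd", 1070027, 200);
    printf("uhci_hcd: %lu accesses, last write [%u, %u], strayed=%lu\n", rep.ops, rep.last_port, rep.last_val, rep.strayed);
    return 0;
}
```

Inside a guest, `devport_rd`/`devport_wr` with an fd from `open("/dev/port", O_RDWR)` plug into the same `fuzz_io` slot as the fake backend; the harness on the host side should record the seed and the "[port, value]" pair of every write, as the autotest log does, because with a deterministic generator that pair plus the seed is enough to replay the sequence against a debug build once a crash like this one appears.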