Bug 733010
| Field | Value |
|---|---|
| Summary | core dump when issue fdisk -l in guest which has two usb-storage attached |
| Product | Red Hat Enterprise Linux 6 |
| Reporter | Chao Yang <chayang> |
| Component | qemu-kvm |
| Assignee | Gerd Hoffmann <kraxel> |
| Status | CLOSED ERRATA |
| QA Contact | Virtualization Bugs <virt-bugs> |
| Severity | high |
| Docs Contact | |
| Priority | high |
| Version | 6.2 |
| CC | chayang, juzhang, kraxel, michen, mkenneth, qzhou, shuang, tburke, virt-maint |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | qemu-kvm-0.12.1.2-2.206.el6 |
| Doc Type | Bug Fix |
| Doc Text | Cause: When canceling a usb packet the usb-storage emulation tries to cancel the corresponding scsi request without checking that one exists in the first place. Consequence: NULL pointer dereference -> segfault -> qemu dumps core. Fix: Add check for scsi request presence. Result: Non-existing requests not referenced any more. |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2011-12-06 15:56:35 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Attachments | |
Created attachment 519633 [details]
dmesg with two usb-storage auto-mounted

I removed "-device usb-mouse,bus=ehci.0,port=3,id=mouse" from cli and tested again, though in dmesg, info like "hub 1-0:1.0: Cannot enable port 2. Maybe the USB cable is bad?" disappeared, core dump happened again if only one usb-storage auto-mounted in guest.

```
/usr/libexec/qemu-kvm -M rhel6.2.0 -enable-kvm -m 4096 -smp 4,sockets=1,cores=4,threads=1 -name RHEL6.1_32 \
  -uuid 24b39949-f2a3-4fed-8b3d-528ba6439cc6 -rtc base=utc,clock=host,driftfix=slew -boot order=dc,menu=on \
  -drive file=/home/RHEL6.1-32-copy.qcow2,if=none,id=drive-virtio-0-0,media=disk,format=qcow2,cache=none,werror=stop,rerror=stop \
  -device virtio-blk-pci,drive=drive-virtio-0-0,id=virt0-0-0,bootindex=1 \
  -netdev tap,id=hostnet1,vhost=on -device virtio-net-pci,netdev=hostnet1,id=net1,mac=64:31:50:41:e1:c3 \
  -spice port=9000,disable-ticketing -vga qxl -global qxl-vga.vram_size=67108864 -monitor stdio -balloon none \
  -usb -device usb-tablet,id=input1,bus=usb.0,port=1 -device usb-hub,bus=usb.0,port=2,id=hub \
  -device usb-storage,bus=usb.0,port=2.4,drive=drive-usb-2-0,id=usb-2-0,removable=on \
  -drive file=/home/image/usb-storage-2.qcow2,if=none,id=drive-usb-2-0,media=disk,format=qcow2,cache=none,werror=stop,rerror=stop,aio=threads \
  -device usb-ehci,id=ehci -device usb-storage,drive=drive-usb-0-0,id=usb-0-0,removable=on,bus=ehci.0,port=1 \
  -drive file=/home/image/usb-storage.qcow2,if=none,id=drive-usb-0-0,media=disk,format=qcow2,cache=none,werror=stop,rerror=stop,aio=native
```

Actual Results: Same output of bt:

```
Program received signal SIGSEGV, Segmentation fault.
scsi_req_cancel (req=0x0) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/scsi-bus.c:686
686         if (req->dev && req->dev->info->cancel_io) {
Missing separate debuginfos, use: debuginfo-install alsa-lib-1.0.21-3.el6.x86_64 celt051-0.5.1.3-0.el6.x86_64 cyrus-sasl-gssapi-2.1.23-8.el6.x86_64 cyrus-sasl-lib-2.1.23-8.el6.x86_64 cyrus-sasl-md5-2.1.23-8.el6.x86_64 cyrus-sasl-plain-2.1.23-8.el6.x86_64 db4-4.7.25-16.el6.x86_64 dbus-libs-1.2.24-4.el6_0.x86_64 glibc-2.12-1.25.el6.x86_64 gnutls-2.8.5-4.el6.x86_64 keyutils-libs-1.4-1.el6.x86_64 krb5-libs-1.9-9.el6_1.1.x86_64 libICE-1.0.6-1.el6.x86_64 libSM-1.1.0-7.1.el6.x86_64 libX11-1.3-2.el6.x86_64 libXau-1.0.5-1.el6.x86_64 libXext-1.1-3.el6.x86_64 libXfixes-4.0.4-1.el6.x86_64 libXi-1.3-3.el6.x86_64 libXrandr-1.3.0-4.el6.x86_64 libXrender-0.9.5-1.el6.x86_64 libXtst-1.0.99.2-3.el6.x86_64 libaio-0.3.107-10.el6.x86_64 libasyncns-0.8-1.1.el6.x86_64 libcom_err-1.41.12-7.el6.x86_64 libgcrypt-1.4.5-5.el6.x86_64 libgpg-error-1.7-3.el6.x86_64 libjpeg-6b-46.el6.x86_64 libselinux-2.0.94-5.el6.x86_64 libsndfile-1.0.20-3.el6.x86_64 libtasn1-2.3-3.el6.x86_64 libuuid-2.17.2-12.el6.x86_64 libxcb-1.5-1.el6.x86_64 nss-softokn-freebl-3.12.9-3.el6.x86_64 openssl-1.0.0-10.el6.x86_64 pixman-0.18.4-1.el6_0.1.x86_64 pulseaudio-libs-0.9.21-13.el6.x86_64 spice-server-0.8.2-3.el6.x86_64 tcp_wrappers-libs-7.6-56.3.el6.x86_64 zlib-1.2.3-25.el6.x86_64
(gdb) bt
#0  scsi_req_cancel (req=0x0) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/scsi-bus.c:686
#1  0x00000000004adfca in usb_cancel_packet (p=0x19a3010) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/usb.c:347
#2  0x000000000046d9d2 in uhci_async_cancel (s=<value optimized out>, async=0x19a3010) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/usb-uhci.c:204
#3  0x000000000046eb32 in uhci_async_validate_end (opaque=0x15987b0) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/usb-uhci.c:234
#4  uhci_frame_timer (opaque=0x15987b0) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/usb-uhci.c:1048
#5  0x000000000040b832 in qemu_run_timers (timeout=1000) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:1185
#6  main_loop_wait (timeout=1000) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:3883
#7  0x0000000000429e3a in kvm_main_loop () at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2204
#8  0x000000000040db15 in main_loop (argc=<value optimized out>, argv=<value optimized out>, envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4064
#9  main (argc=<value optimized out>, argv=<value optimized out>, envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:6284
```

Verified this issue with qemu-kvm-0.12.1.2-2.195.el6

Steps

1. Boot guest with emulated usb1.1 and usb2.0 sticks

```
# /usr/libexec/qemu-kvm -M rhel6.2.0 -enable-kvm -m 4096 -smp 2,sockets=1,cores=2,threads=1 -name rhel6.2sp164 \
  -device virtio-serial-pci,id=virtio-serial0,max_ports=16,bus=pci.0,addr=0x4 \
  -drive file=/root/rhel6.2sp1-64.qcow2,if=none,id=drive-virtio-disk0,format=qcow2,serial=zhang,cache=none,werror=stop,rerror=stop,aio=native \
  -device virtio-blk-pci,bus=pci.0,addr=0x5,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=2 \
  -drive if=none,media=cdrom,id=drive-ide0-1-0,readonly=on,format=raw \
  -device ide-drive,bus=ide.1,unit=0,drive=drive-ide0-1-0,id=ide0-1-0,bootindex=1 \
  -netdev tap,id=hostnet0,vhost=on -device virtio-net-pci,netdev=hostnet0,id=net0,mac=00:1a:4a:42:0b:00,bus=pci.0,addr=0x3 \
  -chardev socket,id=charchannel0,path=/var/test,server,nowait \
  -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=com.redhat.rhevm.vdsm \
  -chardev spicevmc,id=charchannel1,name=vdagent \
  -device virtserialport,bus=virtio-serial0.0,nr=2,chardev=charchannel1,id=channel1,name=com.redhat.spice.0 \
  -vnc :10 -monitor stdio -boot menu=on -qmp tcp:0:5555,server,nowait \
  -usb -device usb-tablet,id=input1,bus=usb.0,port=1 -device usb-hub,bus=usb.0,port=2,id=hub \
  -device usb-storage,bus=usb.0,port=2.4,drive=drive-usb-2-0,id=usb-2-0,removable=on \
  -drive file=/root/usb.qcow2,if=none,id=drive-usb-2-0,media=disk,format=qcow2,cache=none,werror=stop,rerror=stop,aio=threads \
  -device usb-ehci,id=ehci -device usb-storage,drive=drive-usb-0-0,id=usb-0-0,removable=on,bus=ehci.0,port=1 \
  -drive file=/root/usb2.qcow2,if=none,id=drive-usb-0-0,media=disk,format=qcow2,cache=none,werror=stop,rerror=stop,aio=native
```

2. In guest

```
# fdisk -l
```

Results

Can find both two sticks

```
Disk /dev/sda: 1073 MB, 1073741824 bytes
34 heads, 61 sectors/track, 1011 cylinders
Units = cylinders of 2074 * 512 = 1061888 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

Disk /dev/sda doesn't contain a valid partition table

Disk /dev/sdb: 1073 MB, 1073741824 bytes
```

usb-devices

```
T:  Bus=01 Lev=00 Prnt=00 Port=00 Cnt=00 Dev#=  1 Spd=480 MxCh= 6
D:  Ver= 2.00 Cls=09(hub  ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=1d6b ProdID=0002 Rev=02.06
S:  Manufacturer=Linux 2.6.32-206.el6.x86_64 ehci_hcd
S:  Product=EHCI Host Controller
S:  SerialNumber=0000:00:06.0
C:  #Ifs= 1 Cfg#= 1 Atr=e0 MxPwr=0mA
I:  If#= 0 Alt= 0 #EPs= 1 Cls=09(hub  ) Sub=00 Prot=00 Driver=hub

T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  2 Spd=480 MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=0000 ProdID=0000 Rev=00.00
S:  Manufacturer=QEMU 0.12.1
S:  Product=QEMU USB HARDDRIVE
S:  SerialNumber=1
C:  #Ifs= 1 Cfg#= 1 Atr=c0 MxPwr=0mA
I:  If#= 0 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage

T:  Bus=02 Lev=00 Prnt=00 Port=00 Cnt=00 Dev#=  1 Spd=12  MxCh= 2
D:  Ver= 1.10 Cls=09(hub  ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=1d6b ProdID=0001 Rev=02.06
S:  Manufacturer=Linux 2.6.32-206.el6.x86_64 uhci_hcd
S:  Product=UHCI Host Controller
S:  SerialNumber=0000:00:01.2
C:  #Ifs= 1 Cfg#= 1 Atr=e0 MxPwr=0mA
I:  If#= 0 Alt= 0 #EPs= 1 Cls=09(hub  ) Sub=00 Prot=00 Driver=hub

T:  Bus=02 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  2 Spd=12  MxCh= 0
D:  Ver= 1.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 8 #Cfgs=  1
P:  Vendor=0627 ProdID=0001 Rev=00.00
S:  Manufacturer=QEMU 0.12.1
S:  Product=QEMU USB Tablet
S:  SerialNumber=42
C:  #Ifs= 1 Cfg#= 1 Atr=a0 MxPwr=100mA
I:  If#= 0 Alt= 0 #EPs= 1 Cls=03(HID  ) Sub=00 Prot=02 Driver=usbhid

T:  Bus=02 Lev=01 Prnt=01 Port=01 Cnt=02 Dev#=  3 Spd=12  MxCh= 8
D:  Ver= 1.10 Cls=09(hub  ) Sub=00 Prot=00 MxPS= 8 #Cfgs=  1
P:  Vendor=0000 ProdID=0000 Rev=01.01
S:  Manufacturer=QEMU 0.12.1
S:  Product=QEMU USB Hub
S:  SerialNumber=314159
C:  #Ifs= 1 Cfg#= 1 Atr=e0 MxPwr=0mA
I:  If#= 0 Alt= 0 #EPs= 1 Cls=09(hub  ) Sub=00 Prot=00 Driver=hub

T:  Bus=02 Lev=02 Prnt=03 Port=03 Cnt=01 Dev#=  4 Spd=12  MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 8 #Cfgs=  1
P:  Vendor=0000 ProdID=0000 Rev=00.00
S:  Manufacturer=QEMU 0.12.1
S:  Product=QEMU USB HARDDRIVE
S:  SerialNumber=1
C:  #Ifs= 1 Cfg#= 1 Atr=c0 MxPwr=0mA
I:  If#= 0 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage
```

Moving to ON_QA because Errata Tool did not do it

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: When canceling a usb packet the usb-storage emulation tries to cancel the corresponding scsi request without checking that one exists in the first place.
Consequence: NULL pointer dereference -> segfault -> qemu dumps core.
Fix: Add check for scsi request presence.
Result: Non-existing requests not referenced any more.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1531.html
Created attachment 519632 [details]
only one usb-storage auto mounted

Description of problem:
Boot a guest with two usb-storage attached, issue fdisk -l in guest after guest boot up.

Version-Release number of selected component (if applicable):

```
# rpm -q qemu-kvm
qemu-kvm-0.12.1.2-2.184.el6.x86_64
# uname -r
2.6.32-191.el6.x86_64
```

How reproducible:
1/5

Steps to Reproduce:
1.
2.
3.

Actual results:
Guest quit with core dump:

```
Program received signal SIGSEGV, Segmentation fault.
scsi_req_cancel (req=0x0) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/scsi-bus.c:686
686         if (req->dev && req->dev->info->cancel_io) {
(gdb) bt
#0  scsi_req_cancel (req=0x0) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/scsi-bus.c:686
#1  0x00000000004adfca in usb_cancel_packet (p=0x2f6c3c0) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/usb.c:347
#2  0x000000000046d9d2 in uhci_async_cancel (s=<value optimized out>, async=0x2f6c3c0) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/usb-uhci.c:204
#3  0x000000000046eb32 in uhci_async_validate_end (opaque=0x27ec810) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/usb-uhci.c:234
#4  uhci_frame_timer (opaque=0x27ec810) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/usb-uhci.c:1048
#5  0x000000000040b832 in qemu_run_timers (timeout=1000) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:1185
#6  main_loop_wait (timeout=1000) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:3883
#7  0x0000000000429e3a in kvm_main_loop () at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2204
#8  0x000000000040db15 in main_loop (argc=<value optimized out>, argv=<value optimized out>, envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4064
#9  main (argc=<value optimized out>, argv=<value optimized out>, envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:6284
(gdb)
```

Expected results:

Additional info:
Sometimes only one usb-storage auto-mounted in guest, in this case, issue fdisk -l will trigger core dump easily.

CLI:

```
/usr/libexec/qemu-kvm -M rhel6.2.0 -enable-kvm -m 4096 -smp 4,sockets=1,cores=4,threads=1 -name RHEL6.1_32 \
  -uuid 24b39949-f2a3-4fed-8b3d-528ba6439cc6 -rtc base=utc,clock=host,driftfix=slew -boot order=dc,menu=on \
  -drive file=/home/RHEL6.1-32-copy.qcow2,if=none,id=drive-virtio-0-0,media=disk,format=qcow2,cache=none,werror=stop,rerror=stop \
  -device virtio-blk-pci,drive=drive-virtio-0-0,id=virt0-0-0,bootindex=1 \
  -netdev tap,id=hostnet1,vhost=on -device virtio-net-pci,netdev=hostnet1,id=net1,mac=64:31:50:41:e1:c3 \
  -usb -device usb-tablet,id=input1,bus=usb.0,port=1 \
  -spice port=9000,disable-ticketing -vga qxl -global qxl-vga.vram_size=67108864 -monitor stdio -balloon none \
  -device usb-ehci,id=ehci -device usb-hub,bus=usb.0,port=2,id=hub \
  -device usb-storage,bus=usb.0,port=2.4,drive=drive-usb-2-0,id=usb-2-0,removable=on \
  -drive file=/home/image/usb-storage-2.qcow2,if=none,id=drive-usb-2-0,media=disk,format=qcow2,cache=none,werror=stop,rerror=stop,aio=threads \
  -device usb-storage,drive=drive-usb-0-0,id=usb-0-0,removable=on,bus=ehci.0,port=1 -device usb-ccid,id=ccid \
  -drive file=/home/image/usb-storage.qcow2,if=none,id=drive-usb-0-0,media=disk,format=qcow2,cache=none,werror=stop,rerror=stop,aio=native \
  -device usb-mouse,bus=ehci.0,port=3,id=mouse
```
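The technical note above describes the defect class without showing code: a cancel path that assumes a SCSI request is always attached to the USB packet being cancelled, so a packet whose request has already completed (or was never issued) hands NULL to scsi_req_cancel(), which is exactly the frame #0 `req=0x0` in the backtraces. The following C program is an added illustration written for this page, not qemu-kvm's code; the USBPacket and SCSIRequest structs, the scsi_req_cancel() stand-in and both cancel routines are constructed models of the relationship the note describes. It shows the unchecked cancel beside the checked one and walks a packet through the late-cancel lifecycle that triggers the crash.

```c
#include <stdio.h>

/* Constructed models for this example; not qemu-kvm's real structures. */
typedef struct SCSIRequest {
    int tag;
    int cancelled;
} SCSIRequest;

typedef struct USBPacket {
    int id;
    SCSIRequest *req;   /* NULL until the device has issued a SCSI request for this packet */
} USBPacket;

/* Stand-in for scsi_req_cancel(): like the real function at the crash site,
 * it dereferences req unconditionally, so a NULL argument is a fault. */
static void scsi_req_cancel(SCSIRequest *req)
{
    req->cancelled = 1;
}

/* Buggy cancel path (the "Cause" in the technical note): every cancelled
 * packet is assumed to still own a SCSI request. */
static void usb_msd_cancel_unchecked(USBPacket *p)
{
    scsi_req_cancel(p->req);   /* NULL dereference when p->req == NULL */
    p->req = NULL;
}

/* Hardened cancel path (the "Fix"): cancel only a request that exists.
 * Returns 1 if a request was cancelled, 0 if there was nothing to cancel. */
static int usb_msd_cancel_checked(USBPacket *p)
{
    if (p->req == NULL) {
        return 0;
    }
    scsi_req_cancel(p->req);
    p->req = NULL;
    return 1;
}

/* Lifecycle that produced the core dump: the packet is submitted, its SCSI
 * request completes and the device drops its reference, and later the host
 * controller's frame timer cancels the packet anyway. With the check the
 * late cancel is a harmless no-op (returns 0). */
static int simulate_late_cancel(void)
{
    SCSIRequest r = { 7, 0 };
    USBPacket p = { 1, &r };

    p.req = NULL;                         /* request already completed */
    return usb_msd_cancel_checked(&p);    /* 0: nothing to cancel, no crash */
}

/* Normal in-flight cancel through the checked path: the request is marked
 * cancelled and the packet's reference is cleared. Returns 1 on success. */
static int simulate_inflight_cancel(void)
{
    SCSIRequest r = { 8, 0 };
    USBPacket p = { 2, &r };

    int rc = usb_msd_cancel_checked(&p);
    return rc == 1 && r.cancelled == 1 && p.req == NULL;
}

/* The unchecked path behaves identically while a request is in flight; the
 * two only diverge once req is NULL. Returns 1 on success. */
static int simulate_inflight_cancel_unchecked(void)
{
    SCSIRequest r = { 9, 0 };
    USBPacket p = { 3, &r };

    usb_msd_cancel_unchecked(&p);
    return r.cancelled == 1 && p.req == NULL;
}

int main(void)
{
    printf("late cancel, checked path: %d (0 = nothing to cancel)\n", simulate_late_cancel());
    printf("in-flight cancel, checked path ok: %d\n", simulate_inflight_cancel());
    printf("in-flight cancel, unchecked path ok: %d\n", simulate_inflight_cancel_unchecked());
    return 0;
}
```

The late-cancel case is deliberately only run through the checked routine; calling usb_msd_cancel_unchecked() on a packet with req == NULL reproduces the segfault in the report. A NULL-check of this shape is the minimal fix; a fuller hardening would also make request completion and packet cancellation agree on who owns the pointer, so a cancel arriving after completion cannot observe a stale one.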