Bug 796118

Summary: qemu hits core dump when booting a guest with 2 pass-through usb devices under a 1.1 controller
Product: Red Hat Enterprise Linux 6
Reporter: juzhang <juzhang>
Component: qemu-kvm
Assignee: Gerd Hoffmann <kraxel>
Status: CLOSED ERRATA
QA Contact: Virtualization Bugs <virt-bugs>
Severity: medium
Docs Contact:
Priority: medium
Version: 6.3
CC: acathrow, bsarathy, lyarwood, michen, minovotn, mkenneth, rdassen, shu, sluo, tburke, virt-maint, xfu, zhpeng
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: qemu-kvm-0.12.1.2-2.253.el6
Doc Type: Bug Fix
Doc Text:
Cause: qemu usb emulation core modified data structures after releasing them.
Consequence: assert() can trigger due to unexpected data structure changes and qemu dumps core.
Fix: move release call to correct place.
Resolution: core dumps are gone.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-06-20 11:43:46 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description juzhang 2012-02-22 10:55:29 UTC
Description of problem:
qemu hits core dump when booting a guest with two pass-through usb devices under a 1.1 controller

Version-Release number of selected component (if applicable):
qemu-kvm-0.12.1.2-2.230.el6.x86_64

How reproducible:
70%

Steps to Reproduce:
1. Boot guest with two physical usb devices attached under the 1.1 controller
#/usr/libexec/qemu-kvm -m 4096 -smp 1 -rtc base=utc,clock=host,driftfix=slew -boot menu=on -drive file=/root/rhel6.2virtio.qcow2,if=none,id=drive-virtio-scsi,media=disk,format=qcow2,cache=none,werror=stop,rerror=stop,aio=native -device virtio-blk-pci,drive=drive-virtio-scsi,id=virtio-scsi -netdev tap,id=hostnet0 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=22:1a:4a:42:1b:38 -usb -device usb-tablet,id=input1 -vnc :11 -monitor stdio 
//
-device usb-host,hostbus=1,hostaddr=3,id=hostdev0 
-device usb-host,hostbus=1,hostaddr=4,id=hostdev1
Actual results:
After step 1, qemu quit with a core dump
qemu-kvm: /builddir/build/BUILD/qemu-kvm-0.12.1.2/hw/usb.c:345: usb_packet_complete: Assertion `p->owner != ((void *)0)' failed.

(gdb) bt
#0  0x00007ffff500e885 in raise () from /lib64/libc.so.6
#1  0x00007ffff5010065 in abort () from /lib64/libc.so.6
#2  0x00007ffff50079fe in __assert_fail_base () from /lib64/libc.so.6
#3  0x00007ffff5007ac0 in __assert_fail () from /lib64/libc.so.6
#4  0x00007ffff7e6442f in usb_packet_complete (dev=<value optimized out>, p=0x7ffff89fc540) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/usb.c:345
#5  0x00007ffff7e6773b in async_complete (opaque=0x7ffff9cc3b30) at usb-linux.c:397
#6  0x00007ffff7dfe966 in main_loop_wait (timeout=1000) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4023
#7  0x00007ffff7e1e18a in kvm_main_loop () at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2225
#8  0x00007ffff7e0040c in main_loop (argc=20, argv=<value optimized out>, envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4228
#9  main (argc=20, argv=<value optimized out>, envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:6489

Expected results:
Guest can be booted stressful and usb device works well in guest.

Additional info:
Guest works well under 2.0 controller
-device usb-ehci,id=ehci -device usb-host,hostbus=1,hostaddr=3,id=hostdev0 -device usb-host,hostbus=1,hostaddr=4,id=hostdev1

One more question:
Do we support "piix4-usb-uhci" and "piix3-usb-uhci"? Thanks.

Comment 1 Gerd Hoffmann 2012-03-16 12:05:54 UTC
Reproduces, good, hopefully makes it easy to pin down.

Yes, the controllers are supported, piix3-usb-uhci is the default 1.1 usb controller, piix4-usb-uhci is identical with just different pci ids (piix4 chipset ones instead of piix3 chipset).

Comment 4 Gerd Hoffmann 2012-03-16 13:26:24 UTC
Patch posted.

Comment 6 Shaolong Hu 2012-03-20 08:27:47 UTC
I tried to reproduce this on qemu 250 with two usb sticks:

At the beginning this could not be reproduced with the steps in comment 0. After looking into the code, this bug only happens when there is deferred USB packet handling; to trigger this:

1. 
[root@shu ~]# ls -il /dev/sd*
  6199 brw-rw----. 1 root disk 8,   0 Mar 20 22:01 /dev/sda
  6200 brw-rw----. 1 root disk 8,   1 Mar 20 22:01 /dev/sda1
  6201 brw-rw----. 1 root disk 8,   2 Mar 20 22:01 /dev/sda2
320354 brw-rw----. 1 root disk 8, 112 Mar 20 22:50 /dev/sdh
320520 brw-rw----. 1 root disk 8, 113 Mar 20 22:50 /dev/sdh1
320478 brw-rw----. 1 root disk 8, 128 Mar 20 22:50 /dev/sdi
320613 brw-rw----. 1 root disk 8, 129 Mar 20 22:50 /dev/sdi1

2.
[root@shu ~]# while true; do dd if=/dev/zero of=/dev/sdh1 bs=1K count=1 &  dd if=/dev/zero of=/dev/sdi1 bs=1K count=1 &  done

3. 
then run qemu-kvm with "-device usb-host,hostbus=1,hostaddr=4,id=hostdev0 -device usb-host,hostbus=1,hostaddr=5,id=hostdev1"


Tested the scratch build qemu-kvm-0.12.1.2-2.249.el6.bz796118.1.x86_64; this problem is gone.
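The Doc Text (Cause/Fix) and comment 6 together describe the shape of this bug: a USB packet is released before the completion code that still expects to own it runs, and only the deferred (asynchronous) completion path takes that ordering. The C model below is an added illustration written for this page, not qemu's code and not the actual patch: the type layout, usb_packet_release(), the two async_complete_*() variants and the host_busy flag (standing in for the host devices being kept busy by the dd loops in comment 6) are all assumptions. It mirrors the assertion visible in the backtrace, `p->owner != NULL` in usb_packet_complete(), by returning an error code instead of aborting, so both orderings can be run side by side.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model of the packet-ownership rule behind the assertion in the
 * backtrace (usb_packet_complete: p->owner != NULL). Added illustration, not
 * qemu's code: the type layout, usb_packet_release(), async_complete_*() and
 * the host_busy flag are assumptions made for this example. */

typedef struct USBDevice USBDevice;

typedef struct USBPacket {
    USBDevice *owner;    /* device handling the packet; NULL once released */
    int len;             /* bytes transferred, filled in on completion */
    bool completed;      /* completion ran */
} USBPacket;

struct USBDevice {
    const char *name;
    bool host_busy;      /* host device busy with other I/O, forcing the
                            deferred path (the dd loops in comment 6) */
    USBPacket *async;    /* packet whose handling was deferred */
};

enum { USB_RET_ASYNC = -1, USB_RET_OWNER_ASSERT = -2 };

/* Releasing a packet clears its owner; that pointer is what the assertion checks. */
static void usb_packet_release(USBPacket *p)
{
    p->owner = NULL;
}

/* Model of usb_packet_complete(). qemu aborts via assert(p->owner != NULL);
 * here the violation is reported as a return code so it can be observed. */
static int usb_packet_complete(USBDevice *dev, USBPacket *p)
{
    (void)dev;                        /* unused in this model */
    if (p->owner == NULL) {
        return USB_RET_OWNER_ASSERT;  /* qemu would dump core here */
    }
    p->completed = true;
    p->len = 8;                       /* constructed transfer length */
    usb_packet_release(p);            /* release belongs here, after completion */
    return p->len;
}

/* Submit path of the emulated device. Returns the transfer length, or
 * USB_RET_ASYNC when the host side cannot finish now and the packet is deferred. */
static int usb_device_handle_packet(USBDevice *dev, USBPacket *p)
{
    p->owner = dev;
    if (dev->host_busy) {
        dev->async = p;
        return USB_RET_ASYNC;
    }
    return usb_packet_complete(dev, p);
}

/* Deferred completion with the release in the wrong place: the packet is
 * released first, so usb_packet_complete() sees a NULL owner. */
static int async_complete_buggy(USBDevice *dev)
{
    USBPacket *p = dev->async;
    dev->async = NULL;
    usb_packet_release(p);
    return usb_packet_complete(dev, p);
}

/* Deferred completion with the release moved to the correct place: completion
 * runs on a packet that still has its owner and releases it itself. */
static int async_complete_fixed(USBDevice *dev)
{
    USBPacket *p = dev->async;
    dev->async = NULL;
    return usb_packet_complete(dev, p);
}

/* A transfer the host finishes immediately never takes the async path, which is
 * why a plain boot reproduces the crash only part of the time. */
static int run_sync_transfer(void)
{
    USBDevice dev = { "hostdev0", false, NULL };
    USBPacket p = { NULL, 0, false };
    return usb_device_handle_packet(&dev, &p);
}

/* A transfer that is deferred, then completed by either ordering. */
static int run_deferred_transfer(bool fixed_order)
{
    USBDevice dev = { "hostdev1", true, NULL };
    USBPacket p = { NULL, 0, false };
    int r = usb_device_handle_packet(&dev, &p);
    if (r != USB_RET_ASYNC) {
        return r;
    }
    return fixed_order ? async_complete_fixed(&dev) : async_complete_buggy(&dev);
}

int main(void)
{
    printf("sync transfer:            %d\n", run_sync_transfer());
    printf("deferred, buggy ordering: %d\n", run_deferred_transfer(false));
    printf("deferred, fixed ordering: %d\n", run_deferred_transfer(true));
    return 0;
}
```

The point of the model is the ordering, not the data: the synchronous path and the fixed deferred path both complete the packet while it still has an owner, while the buggy deferred path trips the ownership check, which in real qemu-kvm is an assert() that aborts the process and takes the guest with it.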

Comment 10 Gerd Hoffmann 2012-03-28 15:50:49 UTC
*** Bug 806755 has been marked as a duplicate of this bug. ***

Comment 11 Shaolong Hu 2012-03-29 03:12:20 UTC
Verified on 267 with the steps in comment 6. Before the patch the bug could be reproduced with a 70% chance; with 267, tried ten times and did not hit the problem. Verified.

Comment 12 Gerd Hoffmann 2012-03-29 07:33:48 UTC
*** Bug 807517 has been marked as a duplicate of this bug. ***

Comment 13 Gerd Hoffmann 2012-03-29 07:34:46 UTC
*** Bug 807102 has been marked as a duplicate of this bug. ***

Comment 15 Lee Yarwood 2012-04-04 08:52:25 UTC
*** Bug 803528 has been marked as a duplicate of this bug. ***

Comment 17 Michal Novotny 2012-05-04 12:53:18 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
NEEDINFO

Comment 18 Gerd Hoffmann 2012-05-04 13:20:51 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1 +1,7 @@
-NEEDINFO+Cause: qemu usb emulation core modified data structures after releasing them.
+
+Consequence: assert() can trigger due to unexpected data structure changes and qemu dumps core.
+
+Fix: move release call to correct place.
+
+Resolution: core dumps are gone.
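Review bot: the "Fix: move release call to correct place." line does not say what is released or where the correct place is, so a reader of the errata cannot tell which data structure was involved. The backtrace in the description shows the assertion is `p->owner != NULL` in usb_packet_complete(), reached from async_complete() in usb-linux.c, so the note could name the USB packet as the released object and state that completion must run before the release; the Consequence line could also say that the assert aborts the qemu-kvm process, which takes the guest down, rather than only "dumps core".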

Comment 19 errata-xmlrpc 2012-06-20 11:43:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0746.html