Bug 806755

Summary: boot guest with 16 USB storages assigned the hub and port under uhci will segmentation fault
Product: Red Hat Enterprise Linux 6 Reporter: Sibiao Luo <sluo>
Component: qemu-kvmAssignee: Gerd Hoffmann <kraxel>
Status: CLOSED DUPLICATE QA Contact: Virtualization Bugs <virt-bugs>
Severity: high Docs Contact:
Priority: high    
Version: 6.3CC: acathrow, areis, bcao, bsarathy, chayang, juzhang, michen, mkenneth, qzhang, shu, virt-maint, wdai
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-03-28 15:50:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Sibiao Luo 2012-03-26 07:22:07 UTC 
Description of problem:
boot guest with 16 USB storages to the guest with the assigned the hub and port under uhci, and then the guest will segmentation fault.

Version-Release number of selected component (if applicable):
host info:
# uname -r && rpm -q qemu-kvm
2.6.32-251.el6.x86_64
qemu-kvm-0.12.1.2-2.249.el6.x86_64
# rpm -q seabios
seabios-0.6.1.2-12.el6.x86_64 
guest info:
guest_name: win7sp1-64
virtio-win: virtio-win-prewhql-0.1-24 

How reproducible:
100%

Steps to Reproduce:
1.boot a guest with 16 USB storages assigned the hub and port under uhci.
CLI: # /usr/libexec/qemu-kvm -M rhel6.3.0 -cpu Penryn -enable-kvm -m 2048 -smp 2,sockets=1,cores=2,threads=1 -name win7-sp1-64 -uuid `uuidgen` -drive file=/home/win7sp1-virtio-64-copy.raw,format=raw,if=none,id=drive-virtio-disk0,cache=none,werror=stop,rerror=stop -device virtio-blk-pci,scsi=off,bus=pci.0,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -netdev tap,sndbuf=0,id=hostnet0,vhost=on,script=/etc/qemu-ifup,downscript=no -device virtio-net-pci,netdev=hostnet0,id=virtio-net-pci0,mac=05:1a:4a:02:0b:46,bus=pci.0,bootindex=2 -device virtio-balloon-pci,id=ballooning -spice disable-ticketing,port=5931 -k en-us -vga qxl -global qxl-vga.vram_size=67108864 -monitor stdio -readconfig /home/ich9-ehci-uhci.cfg -device usb-hub,bus=ehci.0,id=usbhub1,port=1 -drive file=usb-storage1.qcow2,if=none,id=storage1,media=disk,cache=none,format=qcow2 -device usb-storage,drive=storage1,id=usb-storage1,port=1.1 -drive file=usb-storage2.qcow2,if=none,id=storage2,media=disk,cache=none,format=qcow2 -device usb-storage,drive=storage2,id=usb-storage2,port=1.2 -drive file=usb-storage3.qcow2,if=none,id=storage3,media=disk,cache=none,format=qcow2 -device usb-storage,drive=storage3,id=usb-storage3,port=1.3 -drive file=usb-storage4.qcow2,if=none,id=storage4,media=disk,cache=none,format=qcow2 -device usb-storage,drive=storage4,id=usb-storage4,port=1.4 -drive file=usb-storage5.qcow2,if=none,id=storage5,media=disk,cache=none,format=qcow2 -device usb-storage,drive=storage5,id=usb-storage5,port=1.5 -drive file=usb-storage6.qcow2,if=none,id=storage6,media=disk,cache=none,format=qcow2 -device usb-storage,drive=storage6,id=usb-storage6,port=1.6 -drive file=usb-storage7.qcow2,if=none,id=storage7,media=disk,cache=none,format=qcow2 -device usb-storage,drive=storage7,id=usb-storage7,port=1.7 -drive file=usb-storage8.qcow2,if=none,id=storage8,media=disk,cache=none,format=qcow2 -device usb-storage,drive=storage8,id=usb-storage8,port=1.8 -device usb-hub,bus=ehci.0,id=usbhub2,port=2 -drive file=usb-storage9.qcow2,if=none,id=storage9,media=disk,cache=none,format=qcow2 -device usb-storage,drive=storage9,id=usb-storage9,port=2.1 -drive file=usb-storage10.qcow2,if=none,id=storage10,media=disk,cache=none,format=qcow2 -device usb-storage,drive=storage10,id=usb-storage10,port=2.2 -drive file=usb-storage11.qcow2,if=none,id=storage11,media=disk,cache=none,format=qcow2 -device usb-storage,drive=storage11,id=usb-storage11,port=2.3 -drive file=usb-storage12.qcow2,if=none,id=storage12,media=disk,cache=none,format=qcow2 -device usb-storage,drive=storage12,id=usb-storage12,port=2.4 -drive file=usb-storage13.qcow2,if=none,id=storage13,media=disk,cache=none,format=qcow2 -device usb-storage,drive=storage13,id=usb-storage13,port=2.5 -drive file=usb-storage14.qcow2,if=none,id=storage14,media=disk,cache=none,format=qcow2 -device usb-storage,drive=storage14,id=usb-storage14,port=2.6 -drive file=usb-storage15.qcow2,if=none,id=storage15,media=disk,cache=none,format=qcow2 -device usb-storage,drive=storage15,id=usb-storage15,port=2.7 -drive file=usb-storage16.qcow2,if=none,id=storage16,media=disk,cache=none,format=qcow2 -device usb-storage,drive=storage16,id=usb-storage16,port=2.8
2.check info var the monitor.
(qemu) info usb
  Device 0.1, Port 1, Speed 12 Mb/s, Product QEMU USB Hub
  Device 0.3, Port 1.1, Speed 12 Mb/s, Product QEMU USB MSD
  Device 0.4, Port 1.2, Speed 12 Mb/s, Product QEMU USB MSD
  Device 0.5, Port 1.3, Speed 12 Mb/s, Product QEMU USB MSD
  Device 0.6, Port 1.4, Speed 12 Mb/s, Product QEMU USB MSD
  Device 0.7, Port 1.5, Speed 12 Mb/s, Product QEMU USB MSD
  Device 0.8, Port 1.6, Speed 12 Mb/s, Product QEMU USB MSD
  Device 0.9, Port 1.7, Speed 12 Mb/s, Product QEMU USB MSD
  Device 0.10, Port 1.8, Speed 12 Mb/s, Product QEMU USB MSD
  Device 0.2, Port 2, Speed 12 Mb/s, Product QEMU USB Hub
  Device 0.11, Port 2.1, Speed 12 Mb/s, Product QEMU USB MSD
  Device 0.12, Port 2.2, Speed 12 Mb/s, Product QEMU USB MSD
  Device 0.13, Port 2.3, Speed 12 Mb/s, Product QEMU USB MSD
  Device 0.14, Port 2.4, Speed 12 Mb/s, Product QEMU USB MSD
  Device 0.15, Port 2.5, Speed 12 Mb/s, Product QEMU USB MSD
  Device 0.16, Port 2.6, Speed 12 Mb/s, Product QEMU USB MSD
  Device 0.17, Port 2.7, Speed 12 Mb/s, Product QEMU USB MSD
  Device 0.18, Port 2.8, Speed 12 Mb/s, Product QEMU USB MSD
3.wait the guest to boot up.
  
Actual results:
after the step 3, got segmentation fault and the guest hang.
(qemu) 
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff5aabfee in _int_free () from /lib64/libc.so.6
(gdb) bt
#0  0x00007ffff5aabfee in _int_free () from /lib64/libc.so.6
#1  0x00007ffff7e62c20 in scsi_req_unref (req=0x7ffffff63a60) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/scsi-bus.c:1267
#2  0x00007ffff7e62329 in usb_msd_handle_data (dev=0x7ffffa7dda80, p=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/usb-msd.c:476
#3  0x00007ffff7e5b242 in usb_handle_packet (dev=0x7ffffa7dda80, p=0x7ffffff63210) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/usb.c:325
#4  0x00007ffff7e5be6e in usb_hub_broadcast_packet (dev=0x7ffffa7db530, p=0x7ffffff63210) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/usb-hub.c:453
#5  usb_hub_handle_packet (dev=0x7ffffa7db530, p=0x7ffffff63210) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/usb-hub.c:476
#6  0x00007ffff7e5b242 in usb_handle_packet (dev=0x7ffffa7db530, p=0x7ffffff63210) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/usb.c:325
#7  0x00007ffff7f70c22 in uhci_broadcast_packet (s=0x7ffff9d95820) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/usb-uhci.c:656
#8  uhci_handle_td (s=0x7ffff9d95820) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/usb-uhci.c:821
#9  uhci_process_frame (s=0x7ffff9d95820) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/usb-uhci.c:966
#10 0x00007ffff7f712ad in uhci_frame_timer (opaque=0x7ffff9d95820) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/usb-uhci.c:1048
#11 0x00007ffff7df3a92 in qemu_run_timers (timeout=1000) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:1323
#12 main_loop_wait (timeout=1000) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4151
#13 0x00007ffff7e14e7a in kvm_main_loop () at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2244
#14 0x00007ffff7df63ec in main_loop (argc=20, argv=<value optimized out>, envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4334
#15 main (argc=20, argv=<value optimized out>, envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:6594
(gdb) q

Expected results:
the guest with 16 USB storages assigned the hub and port under uhci can boot successfully.

Additional info:
ich9-ehci-uhci.cfg can be found in:
http://git.engineering.redhat.com/?p=users/ehabkost/qemu-kvm-rhel6.git;a=blob;f=docs/ich9-ehci-uhci.cfg;hb=HEAD
Comment 2 Gerd Hoffmann 2012-03-27 10:07:57 UTC 
Might be a dup of bug 796118.
Please retest with qemu-kvm-0.12.1.2-2.253.el6 or newer.
Comment 3 Sibiao Luo 2012-03-28 05:13:14 UTC 
(In reply to comment #2)
> Might be a dup of bug 796118.
> Please retest with qemu-kvm-0.12.1.2-2.253.el6 or newer.

yes, Gerd. as the email said, may be there was a use-after-free bug in uhci emulation which possibly can cause segfaults. I have retested this issue with the latest qemu-kvm-0.12.1.2-2.265.el6.x86_64, the segmentation fault issue has been disappear.
Comment 4 Gerd Hoffmann 2012-03-28 15:50:49 UTC 

*** This bug has been marked as a duplicate of bug 796118 ***