Bug 1070027 - qemu crash during iofuzz test: qemu: hw/usb/core.c:707: usb_ep_get: Assertion `pid == 0x69 || pid == 0xe1' failed.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm-rhev
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Gerd Hoffmann
QA Contact: Xujun Ma
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-02-26 05:47 UTC by Xiaoqing Wei
Modified: 2016-11-07 20:11 UTC (History)

Fixed In Version: QEMU 2.6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-07 20:11:38 UTC
Target Upstream Version:


Attachments
autotest log (247.32 KB, application/x-xz), 2014-02-26 06:17 UTC, Xiaoqing Wei
gdb (11.76 KB, text/plain), 2014-02-26 06:23 UTC, Xiaoqing Wei
xz (18.55 MB, application/x-xz), 2014-02-26 07:31 UTC, Xiaoqing Wei
xz (18.55 MB, application/x-xz), 2014-02-26 07:34 UTC, Xiaoqing Wei
xz (18.55 MB, application/x-xz), 2014-02-26 07:52 UTC, Xiaoqing Wei
xz (2.81 MB, application/x-xz), 2014-02-26 07:53 UTC, Xiaoqing Wei


Links
Red Hat Product Errata RHBA-2016:2673 (priority normal, status SHIPPED_LIVE): qemu-kvm-rhev bug fix and enhancement update, last updated 2016-11-08 01:06:13 UTC

Description Xiaoqing Wei 2014-02-26 05:47:59 UTC
Description of problem:
qemu crash during iofuzz test: qemu: hw/usb/core.c:707: usb_ep_get: Assertion `pid == 0x69 || pid == 0xe1' failed.

Version-Release number of selected component (if applicable):
qemu-kvm-rhev-1.5.3-48.el7.x86_64
kernel-3.10.0-86.el7.x86_64
spice-server-0.12.4-5.el7.x86_64
ipxe-roms-qemu-20130517-4.gitc4bce43.el7.noarch
seabios-bin-1.7.2.2-11.el7.x86_64
seavgabios-bin-1.7.2.2-11.el7.x86_64
sgabios-bin-0.20110622svn-4.el7.noarch


How reproducible:
only once

Steps to Reproduce:
1. guest: 5.10 x86_64

    KVM iofuzz test:
    1) Log into a guest
    2) Enumerate all IO port ranges through /proc/ioports
    3) On each port of the range:
        * Read it
        * Write 0 to it
        * Write a random value to a random port on a random order

Actual results:
qemu crash

Expected results:
qemu work well

Additional info:

Comment 2 Xiaoqing Wei 2014-02-26 06:17:20 UTC
Created attachment 867793 [details]
autotest log

02/19 00:44:48 INFO |      virt:0057| Virt Test '0.15.1-master-5377-g1e713', Branch 'master', SHA1 '1e713b149de927a501336fad71bce8b7ba6fc447'
02/19 00:45:35 INFO |   aexpect:0907| [qemu output] (Process terminated with status 0)
02/19 00:45:37 INFO |   qemu_vm:2028| Running qemu command (reformatted):
/usr/local/staf/test/RHEV/kvm/autotest-devel/client/tests/virt/qemu/qemu \
    -S  \
    -name 'virt-tests-vm1'  \
    -sandbox off  \
    -M pc  \
    -nodefaults  \
    -vga qxl  \
    -global qxl-vga.vram_size=33554432  \
    -chardev socket,id=qmp_id_qmpmonitor1,path=/tmp/monitor-qmpmonitor1-20140219-004536-y30CAfIX,server,nowait \
    -mon chardev=qmp_id_qmpmonitor1,mode=control  \
    -chardev socket,id=serial_id_serial0,path=/tmp/serial-serial0-20140219-004536-y30CAfIX,server,nowait \
    -device isa-serial,chardev=serial_id_serial0  \
    -chardev socket,id=seabioslog_id_20140219-004536-y30CAfIX,path=/tmp/seabios-20140219-004536-y30CAfIX,server,nowait \
    -device isa-debugcon,chardev=seabioslog_id_20140219-004536-y30CAfIX,iobase=0x402 \
    -device ich9-usb-uhci1,id=usb1,bus=pci.0,addr=03 \
    -drive id=drive_image1,if=none,cache=none,snapshot=off,aio=native,file=/usr/local/staf/test/RHEV/kvm/autotest-devel/client/tests/virt/shared/data/images/RHEL-Server-5.10-64-virtio.raw \
    -device ide-hd,id=image1,drive=drive_image1,bus=ide.0,unit=0 \
    -device virtio-net-pci,mac=9a:97:98:99:9a:9b,id=idDgbhGX,netdev=idLuHmn6,bus=pci.0,addr=04  \
    -netdev tap,id=idLuHmn6,vhost=on,vhostfd=33,fd=32  \
    -m 2048  \
    -smp 2,maxcpus=2,cores=1,threads=1,sockets=2  \
    -cpu 'SandyBridge',+kvm_pv_unhalt \
    -device usb-tablet,id=usb-tablet1,bus=usb1.0,port=1  \
    -spice port=3000,password=123456,addr=0,image-compression=auto_glz,zlib-glz-wan-compression=auto,streaming-video=all,agent-mouse=on,playback-compression=on,ipv4  \
    -rtc base=utc,clock=host,driftfix=slew  \
    -boot order=cdn,once=c,menu=off  \
    -no-kvm-pit-reinjection \
    -enable-kvm
02/19 00:45:37 INFO |   aexpect:0907| [qemu output] Warning: option deprecated, use lost_tick_policy property of kvm-pit instead.
02/19 00:45:38 INFO |   qemu_vm:2037| Created qemu process with parent PID 4226
02/19 00:45:38 INFO |qemu_monit:0125| Connecting to monitor 'qmpmonitor1'
02/19 00:45:39 INFO |      virt:0136| Running function: iofuzz.run_iofuzz()
02/19 00:46:36 INFO |    iofuzz:0099| Enumerate guest devices through /proc/ioports
02/19 00:46:36 INFO |    iofuzz:0116| Fuzzing keyboard, port range 0x60-0x60
02/19 00:46:44 INFO |    iofuzz:0116| Fuzzing timer1, port range 0x50-0x53
02/19 00:47:19 INFO |    iofuzz:0116| Fuzzing rtc, port range 0x70-0x77
02/19 00:48:27 INFO |    iofuzz:0116| Fuzzing 0000:00:02.0, port range 0xc000-0xc01f
02/19 00:53:00 INFO |    iofuzz:0116| Fuzzing floppy, port range 0x3f2-0x3f5
02/19 00:53:34 INFO |    iofuzz:0116| Fuzzing ACPI PM1a_EVT_BLK, port range 0xb000-0xb003
02/19 00:54:08 INFO |    iofuzz:0116| Fuzzing pic1, port range 0x20-0x21
02/19 00:54:26 INFO |    iofuzz:0116| Fuzzing piix4_smbus, port range 0xb100-0xb107
02/19 00:55:34 INFO |    iofuzz:0116| Fuzzing dma page reg, port range 0x80-0x8f
02/19 00:57:50 INFO |    iofuzz:0116| Fuzzing serial, port range 0x3f8-0x3ff
02/19 00:58:59 INFO |    iofuzz:0116| Fuzzing uhci_hcd, port range 0xc020-0xc03f
02/19 01:00:55 INFO |   aexpect:0907| [qemu output] qemu: hw/usb/core.c:707: usb_ep_get: Assertion `pid == 0x69 || pid == 0xe1' failed.
02/19 01:01:21 INFO |   aexpect:0907| [qemu output] /tmp/aexpect/YhEALePw/aexpect-AhX57b.sh: line 1:  4227 Aborted                 (core dumped) /usr/local/staf/test/RHEV/kvm/autotest-devel/client/tests/virt/qemu/qemu -S -name 'virt-tests-vm1' -sandbox off -M pc -nodefaults -vga qxl -global qxl-vga.vram_size=33554432 -chardev socket,id=qmp_id_qmpmonitor1,path=/tmp/monitor-qmpmonitor1-20140219-004536-y30CAfIX,server,nowait -mon chardev=qmp_id_qmpmonitor1,mode=control -chardev socket,id=serial_id_serial0,path=/tmp/serial-serial0-20140219-004536-y30CAfIX,server,nowait -device isa-serial,chardev=serial_id_serial0 -chardev socket,id=seabioslog_id_20140219-004536-y30CAfIX,path=/tmp/seabios-20140219-004536-y30CAfIX,server,nowait -device isa-debugcon,chardev=seabioslog_id_20140219-004536-y30CAfIX,iobase=0x402 -device ich9-usb-uhci1,id=usb1,bus=pci.0,addr=03 -drive id=drive_image1,if=none,cache=none,snapshot=off,aio=native,file=/usr/local/staf/test/RHEV/kvm/autotest-devel/client/tests/virt/shared/data/images/RHEL-Server-5.10-64-virtio.raw -device ide-hd,id=image1,drive=drive_image1,bus=ide.0,unit=0 -device virtio-net-pci,mac=9a:97:98:99:9a:9b,id=idDgbhGX,netdev=idLuHmn6,bus=pci.0,addr=04 -netdev tap,id=idLuHmn6,vhost=on,vhostfd=33,fd=32 -m 2048 -smp 2,maxcpus=2,cores=1,threads=1,sockets=2 -cpu 'SandyBridge',+kvm_pv_unhalt -device usb-tablet,id=usb-tablet1,bus=usb1.0,port=1 -spice port=3000,password=123456,addr=0,image-compression=auto_glz,zlib-glz-wan-compression=auto,streaming-video=all,agent-mouse=on,playback-compression=on,ipv4 -rtc base=utc,clock=host,driftfix=slew -boot order=cdn,once=c,menu=off -no-kvm-pit-reinjection -enable-kvm
02/19 01:01:21 INFO |   aexpect:0907| [qemu output] (Process terminated with status 134)
02/19 01:02:01 ERROR|      virt:0155| Test failed: TestFail: VM has quit abnormally during write: [49204, 35]

(gdb) bt
#0  0x00007fa33dc71989 in raise () from /lib64/libc.so.6
#1  0x00007fa33dc73098 in abort () from /lib64/libc.so.6
#2  0x00007fa33dc6a8f6 in __assert_fail_base () from /lib64/libc.so.6
#3  0x00007fa33dc6a9a2 in __assert_fail () from /lib64/libc.so.6
#4  0x00007fa34314057f in usb_ep_get (dev=<optimized out>, pid=pid@entry=80, ep=<optimized out>) at hw/usb/core.c:707
#5  0x00007fa34314b303 in uhci_handle_td (s=s@entry=0x7fa344d4b6d0, q=q@entry=0x0, qh_addr=qh_addr@entry=0, td=td@entry=0x7fff092c2a20, td_addr=12714064, 
    int_mask=int_mask@entry=0x7fff092c2a0c) at hw/usb/hcd-uhci.c:872
#6  0x00007fa34314b9d6 in uhci_process_frame (s=s@entry=0x7fa344d4b6d0) at hw/usb/hcd-uhci.c:1084
#7  0x00007fa34314bcdd in uhci_frame_timer (opaque=0x7fa344d4b6d0) at hw/usb/hcd-uhci.c:1183
#8  0x00007fa343194046 in qemu_run_timers (clock=0x7fa344cd1920) at qemu-timer.c:394
#9  0x00007fa3431941b5 in qemu_run_timers (clock=<optimized out>) at qemu-timer.c:459
#10 qemu_run_all_timers () at qemu-timer.c:452
#11 0x00007fa343162b6e in main_loop_wait (nonblocking=<optimized out>) at main-loop.c:470
#12 0x00007fa343086290 in main_loop () at vl.c:1988
#13 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4357

Comment 3 Xiaoqing Wei 2014-02-26 06:23:45 UTC
Created attachment 867794 [details]
gdb

Comment 5 Xiaoqing Wei 2014-02-26 07:31:59 UTC
Created attachment 867819 [details]
xz

Comment 6 Xiaoqing Wei 2014-02-26 07:34:35 UTC
Created attachment 867822 [details]
xz

Comment 7 Xiaoqing Wei 2014-02-26 07:52:05 UTC
Created attachment 867829 [details]
xz

Comment 8 Xiaoqing Wei 2014-02-26 07:53:56 UTC
Created attachment 867832 [details]
xz

Comment 9 Gerd Hoffmann 2014-02-26 15:19:15 UTC
Fuzzing probably changed some address register, resulting in uhci interpreting some random memory address as uhci data structures & filling pid from random crap.

So a case of a guest-triggerable assert.  Not very nice to the guest, but also not very critical.
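
The mechanism described in the comment above, as an added example that is not QEMU's code and not part of this report: a simplified model of a UHCI transfer descriptor's token dword, which the guest writes into its own RAM and the emulator reads back. The bit layout follows the UHCI spec; the result codes and the functions td_decode and td_check_pid are this example's own, as are the two constructed token values.

```c
#include <stdint.h>
#include <stdio.h>
/* PID bytes of the three USB token packets a UHCI TD may carry. */
#define USB_TOKEN_SETUP 0x2d
#define USB_TOKEN_IN    0x69
#define USB_TOKEN_OUT   0xe1

enum td_result { TD_OK = 0, TD_BAD_PID = -1 };  /* example's own codes */
/* Fields of the UHCI TD token dword (bit positions per the UHCI spec). */
struct td_fields {
    uint8_t  pid;      /* bits 7:0   */
    uint8_t  devaddr;  /* bits 14:8  */
    uint8_t  ep;       /* bits 18:15 */
    uint16_t maxlen;   /* bits 31:21, encoded as length-1 */
};

/* Decode a token dword read from guest memory; every bit is guest-chosen. */
static struct td_fields td_decode(uint32_t token)
{
    struct td_fields f;
    f.pid     = token & 0xff;
    f.devaddr = (token >> 8) & 0x7f;
    f.ep      = (token >> 15) & 0x0f;
    f.maxlen  = ((token >> 21) + 1) & 0x7ff;
    return f;
}

/* Validate the PID before any endpoint lookup. An assert() on this value
 * turns a guest-written byte into a host abort (this report's crash: pid=80
 * reached usb_ep_get); reject it and let the caller mark the TD errored. */
static int td_check_pid(uint32_t token)
{
    switch (td_decode(token).pid) {
    case USB_TOKEN_SETUP:
    case USB_TOKEN_IN:
    case USB_TOKEN_OUT:
        return TD_OK;
    default:
        return TD_BAD_PID;
    }
}

int main(void)
{
    /* Constructed tokens: a valid IN to device 1, endpoint 2, 8 bytes, and
     * a garbage dword whose low byte is 0x50 (80), as in the backtrace. */
    printf("good=%d bad=%d\n", td_check_pid(0x00E10169u), td_check_pid(0xDEADBE50u));
    return 0;
}
```

The point is the order of operations: the check on guest-controlled data happens before the value is handed to code that assumes it is valid, so a fuzzer in the guest gets an errored TD rather than a dead VM.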

Comment 14 Gerd Hoffmann 2016-04-15 11:51:28 UTC
Upstream commit 5f77e06baa84323e5bbc96c2c7f4fe627078b210 (will be in 2.6)

Comment 16 Xujun Ma 2016-09-14 09:41:05 UTC
Reproduced the issue on old version:

Version-Release number of selected component (if applicable):
qemu-kvm-rhev-1.5.3-48.el7.x86_64
kernel-3.10.0-86.el7.x86_64
spice-server-0.12.4-5.el7.x86_64
ipxe-roms-qemu-20130517-4.gitc4bce43.el7.noarch
seabios-bin-1.7.2.2-11.el7.x86_64
seavgabios-bin-1.7.2.2-11.el7.x86_64
sgabios-bin-0.20110622svn-4.el7.noarch

Steps to Reproduce:
1. Run the case "iofuzz" for the uhci_hcd device with avocado on the host 50 times

Actual results:
Can't reproduce this issue

Verified the issue on the latest build:
Version-Release number of selected component (if applicable):
qemu-kvm-rhev-2.6.0-24.el7.x86_64
seabios-bin-1.9.1-4.el7.noarch
seavgabios-bin-1.9.1-4.el7.noarch
sgabios-bin-0.20110622svn-4.el7.noarch
host:kernel-3.10.0-492.el7.x86_64
guest:kernel-3.10.0-492.el7.x86_64


Steps to Verify:
The same steps as above

Actual results:
No such issue

Comment 17 Xujun Ma 2016-09-18 03:20:43 UTC
This bug is probabilistic; it happened only once, so it's hard to reproduce.
I have run the iofuzz script with the latest qemu for three days and didn't meet this issue, so we can think the bug has been fixed.
If anybody meets this issue again, you can reopen it freely.

Comment 19 errata-xmlrpc 2016-11-07 20:11:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2673.html

