Bug 733010 - core dump when issue fdisk -l in guest which has two usb-storage attached
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: qemu-kvm
Version: 6.2
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Gerd Hoffmann
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-08-24 13:04 UTC by Chao Yang
Modified: 2013-01-10 00:14 UTC (History)
CC List: 9 users

Fixed In Version: qemu-kvm-0.12.1.2-2.206.el6
Doc Type: Bug Fix
Doc Text:
Cause: When canceling a usb packet, the usb-storage emulation tries to cancel the corresponding scsi request without checking that one exists in the first place.
Consequence: NULL pointer dereference -> segfault -> qemu dumps core.
Fix: Add a check for scsi request presence.
Result: Non-existing requests are not referenced any more.
Clone Of:
Environment:
Last Closed: 2011-12-06 15:56:35 UTC
Target Upstream Version:
Embargoed:


Attachments
only one usb-storage auto mounted (27.03 KB, text/plain) - 2011-08-24 13:04 UTC, Chao Yang - no flags
dmesg with two usb-storage auto-mounted (26.85 KB, text/plain) - 2011-08-24 13:06 UTC, Chao Yang - no flags


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2011:1531 | 0 | normal | SHIPPED_LIVE | Moderate: qemu-kvm security, bug fix, and enhancement update | 2011-12-06 01:23:30 UTC

Description Chao Yang 2011-08-24 13:04:15 UTC
Created attachment 519632 [details]
only one usb-storage auto mounted

Description of problem:
Boot a guest with two usb-storage devices attached and issue fdisk -l in the guest after it boots up.

Version-Release number of selected component (if applicable):
# rpm -q qemu-kvm
qemu-kvm-0.12.1.2-2.184.el6.x86_64
# uname -r
2.6.32-191.el6.x86_64


How reproducible:
1/5

Steps to Reproduce:
1.
2.
3.
  
Actual results:
Guest quit with a core dump:
Program received signal SIGSEGV, Segmentation fault.
scsi_req_cancel (req=0x0) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/scsi-bus.c:686
686	    if (req->dev && req->dev->info->cancel_io) {
(gdb) bt
#0  scsi_req_cancel (req=0x0) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/scsi-bus.c:686
#1  0x00000000004adfca in usb_cancel_packet (p=0x2f6c3c0) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/usb.c:347
#2  0x000000000046d9d2 in uhci_async_cancel (s=<value optimized out>, async=0x2f6c3c0) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/usb-uhci.c:204
#3  0x000000000046eb32 in uhci_async_validate_end (opaque=0x27ec810) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/usb-uhci.c:234
#4  uhci_frame_timer (opaque=0x27ec810) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/usb-uhci.c:1048
#5  0x000000000040b832 in qemu_run_timers (timeout=1000) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:1185
#6  main_loop_wait (timeout=1000) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:3883
#7  0x0000000000429e3a in kvm_main_loop () at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2204
#8  0x000000000040db15 in main_loop (argc=<value optimized out>, argv=<value optimized out>, envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4064
#9  main (argc=<value optimized out>, argv=<value optimized out>, envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:6284
(gdb) 


Expected results:


Additional info:
Sometimes only one usb-storage is auto-mounted in the guest; in this case, issuing fdisk -l will trigger the core dump easily.

CLI:
/usr/libexec/qemu-kvm -M rhel6.2.0 -enable-kvm -m 4096 -smp 4,sockets=1,cores=4,threads=1 -name RHEL6.1_32 -uuid 24b39949-f2a3-4fed-8b3d-528ba6439cc6 -rtc base=utc,clock=host,driftfix=slew -boot order=dc,menu=on -drive file=/home/RHEL6.1-32-copy.qcow2,if=none,id=drive-virtio-0-0,media=disk,format=qcow2,cache=none,werror=stop,rerror=stop -device virtio-blk-pci,drive=drive-virtio-0-0,id=virt0-0-0,bootindex=1 -netdev tap,id=hostnet1,vhost=on -device virtio-net-pci,netdev=hostnet1,id=net1,mac=64:31:50:41:e1:c3 -usb -device usb-tablet,id=input1,bus=usb.0,port=1 -spice port=9000,disable-ticketing -vga qxl -global qxl-vga.vram_size=67108864 -monitor stdio -balloon none  -device usb-ehci,id=ehci  -device usb-hub,bus=usb.0,port=2,id=hub -device usb-storage,bus=usb.0,port=2.4,drive=drive-usb-2-0,id=usb-2-0,removable=on -drive file=/home/image/usb-storage-2.qcow2,if=none,id=drive-usb-2-0,media=disk,format=qcow2,cache=none,werror=stop,rerror=stop,aio=threads -device usb-storage,drive=drive-usb-0-0,id=usb-0-0,removable=on,bus=ehci.0,port=1  -device usb-ccid,id=ccid -drive file=/home/image/usb-storage.qcow2,if=none,id=drive-usb-0-0,media=disk,format=qcow2,cache=none,werror=stop,rerror=stop,aio=native -device usb-mouse,bus=ehci.0,port=3,id=mouse

Comment 1 Chao Yang 2011-08-24 13:06:06 UTC
Created attachment 519633 [details]
dmesg with two usb-storage auto-mounted

Comment 3 Chao Yang 2011-08-25 02:41:50 UTC
I removed "-device usb-mouse,bus=ehci.0,port=3,id=mouse" from the cli and tested again. Though in dmesg the info like "hub 1-0:1.0: Cannot enable port 2.  Maybe the USB cable is bad?" disappeared, the core dump happened again if only one usb-storage was auto-mounted in the guest.

/usr/libexec/qemu-kvm -M rhel6.2.0 -enable-kvm -m 4096 -smp 4,sockets=1,cores=4,threads=1 -name RHEL6.1_32 -uuid 24b39949-f2a3-4fed-8b3d-528ba6439cc6 -rtc base=utc,clock=host,driftfix=slew -boot order=dc,menu=on -drive file=/home/RHEL6.1-32-copy.qcow2,if=none,id=drive-virtio-0-0,media=disk,format=qcow2,cache=none,werror=stop,rerror=stop -device virtio-blk-pci,drive=drive-virtio-0-0,id=virt0-0-0,bootindex=1 -netdev tap,id=hostnet1,vhost=on -device virtio-net-pci,netdev=hostnet1,id=net1,mac=64:31:50:41:e1:c3 -spice port=9000,disable-ticketing -vga qxl -global qxl-vga.vram_size=67108864 -monitor stdio -balloon none 
/
-usb 
-device usb-tablet,id=input1,bus=usb.0,port=1 
-device usb-hub,bus=usb.0,port=2,id=hub
-device usb-storage,bus=usb.0,port=2.4,drive=drive-usb-2-0,id=usb-2-0,removable=on -drive file=/home/image/usb-storage-2.qcow2,if=none,id=drive-usb-2-0,media=disk,format=qcow2,cache=none,werror=stop,rerror=stop,aio=threads

/
-device usb-ehci,id=ehci     
-device usb-storage,drive=drive-usb-0-0,id=usb-0-0,removable=on,bus=ehci.0,port=1   
-drive file=/home/image/usb-storage.qcow2,if=none,id=drive-usb-0-0,media=disk,format=qcow2,cache=none,werror=stop,rerror=stop,aio=native




Actual Results:
Same output of bt:
Program received signal SIGSEGV, Segmentation fault.
scsi_req_cancel (req=0x0) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/scsi-bus.c:686
686	    if (req->dev && req->dev->info->cancel_io) {
Missing separate debuginfos, use: debuginfo-install alsa-lib-1.0.21-3.el6.x86_64 celt051-0.5.1.3-0.el6.x86_64 cyrus-sasl-gssapi-2.1.23-8.el6.x86_64 cyrus-sasl-lib-2.1.23-8.el6.x86_64 cyrus-sasl-md5-2.1.23-8.el6.x86_64 cyrus-sasl-plain-2.1.23-8.el6.x86_64 db4-4.7.25-16.el6.x86_64 dbus-libs-1.2.24-4.el6_0.x86_64 glibc-2.12-1.25.el6.x86_64 gnutls-2.8.5-4.el6.x86_64 keyutils-libs-1.4-1.el6.x86_64 krb5-libs-1.9-9.el6_1.1.x86_64 libICE-1.0.6-1.el6.x86_64 libSM-1.1.0-7.1.el6.x86_64 libX11-1.3-2.el6.x86_64 libXau-1.0.5-1.el6.x86_64 libXext-1.1-3.el6.x86_64 libXfixes-4.0.4-1.el6.x86_64 libXi-1.3-3.el6.x86_64 libXrandr-1.3.0-4.el6.x86_64 libXrender-0.9.5-1.el6.x86_64 libXtst-1.0.99.2-3.el6.x86_64 libaio-0.3.107-10.el6.x86_64 libasyncns-0.8-1.1.el6.x86_64 libcom_err-1.41.12-7.el6.x86_64 libgcrypt-1.4.5-5.el6.x86_64 libgpg-error-1.7-3.el6.x86_64 libjpeg-6b-46.el6.x86_64 libselinux-2.0.94-5.el6.x86_64 libsndfile-1.0.20-3.el6.x86_64 libtasn1-2.3-3.el6.x86_64 libuuid-2.17.2-12.el6.x86_64 libxcb-1.5-1.el6.x86_64 nss-softokn-freebl-3.12.9-3.el6.x86_64 openssl-1.0.0-10.el6.x86_64 pixman-0.18.4-1.el6_0.1.x86_64 pulseaudio-libs-0.9.21-13.el6.x86_64 spice-server-0.8.2-3.el6.x86_64 tcp_wrappers-libs-7.6-56.3.el6.x86_64 zlib-1.2.3-25.el6.x86_64
(gdb) bt
#0  scsi_req_cancel (req=0x0) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/scsi-bus.c:686
#1  0x00000000004adfca in usb_cancel_packet (p=0x19a3010) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/usb.c:347
#2  0x000000000046d9d2 in uhci_async_cancel (s=<value optimized out>, async=0x19a3010) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/usb-uhci.c:204
#3  0x000000000046eb32 in uhci_async_validate_end (opaque=0x15987b0) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/usb-uhci.c:234
#4  uhci_frame_timer (opaque=0x15987b0) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/usb-uhci.c:1048
#5  0x000000000040b832 in qemu_run_timers (timeout=1000) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:1185
#6  main_loop_wait (timeout=1000) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:3883
#7  0x0000000000429e3a in kvm_main_loop () at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2204
#8  0x000000000040db15 in main_loop (argc=<value optimized out>, argv=<value optimized out>, envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4064
#9  main (argc=<value optimized out>, argv=<value optimized out>, envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:6284

Comment 8 juzhang 2011-10-11 09:30:51 UTC
Verified this issue with qemu-kvm-0.12.1.2-2.195.el6

Steps
1. Boot guest with emulated usb1.1 and usb2.0 sticks
#/usr/libexec/qemu-kvm -M rhel6.2.0 -enable-kvm -m 4096 -smp 2,sockets=1,cores=2,threads=1 -name rhel6.2sp164 -device virtio-serial-pci,id=virtio-serial0,max_ports=16,bus=pci.0,addr=0x4 -drive file=/root/rhel6.2sp1-64.qcow2,if=none,id=drive-virtio-disk0,format=qcow2,serial=zhang,cache=none,werror=stop,rerror=stop,aio=native -device virtio-blk-pci,bus=pci.0,addr=0x5,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=2 -drive if=none,media=cdrom,id=drive-ide0-1-0,readonly=on,format=raw -device ide-drive,bus=ide.1,unit=0,drive=drive-ide0-1-0,id=ide0-1-0,bootindex=1 -netdev tap,id=hostnet0,vhost=on -device virtio-net-pci,netdev=hostnet0,id=net0,mac=00:1a:4a:42:0b:00,bus=pci.0,addr=0x3 -chardev socket,id=charchannel0,path=/var/test,server,nowait -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=com.redhat.rhevm.vdsm -chardev spicevmc,id=charchannel1,name=vdagent -device virtserialport,bus=virtio-serial0.0,nr=2,chardev=charchannel1,id=channel1,name=com.redhat.spice.0 -vnc :10 -monitor stdio -boot menu=on -qmp tcp:0:5555,server,nowait -usb -device usb-tablet,id=input1,bus=usb.0,port=1 -device usb-hub,bus=usb.0,port=2,id=hub -device usb-storage,bus=usb.0,port=2.4,drive=drive-usb-2-0,id=usb-2-0,removable=on -drive file=/root/usb.qcow2,if=none,id=drive-usb-2-0,media=disk,format=qcow2,cache=none,werror=stop,rerror=stop,aio=threads -device usb-ehci,id=ehci -device usb-storage,drive=drive-usb-0-0,id=usb-0-0,removable=on,bus=ehci.0,port=1 -drive file=/root/usb2.qcow2,if=none,id=drive-usb-0-0,media=disk,format=qcow2,cache=none,werror=stop,rerror=stop,aio=native

2. In guest
#fdisk -l

Results
Both sticks can be found
Disk /dev/sda: 1073 MB, 1073741824 bytes
34 heads, 61 sectors/track, 1011 cylinders
Units = cylinders of 2074 * 512 = 1061888 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

Disk /dev/sda doesn't contain a valid partition table

Disk /dev/sdb: 1073 MB, 1073741824 bytes

usb-devices 

T:  Bus=01 Lev=00 Prnt=00 Port=00 Cnt=00 Dev#=  1 Spd=480 MxCh= 6
D:  Ver= 2.00 Cls=09(hub  ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=1d6b ProdID=0002 Rev=02.06
S:  Manufacturer=Linux 2.6.32-206.el6.x86_64 ehci_hcd
S:  Product=EHCI Host Controller
S:  SerialNumber=0000:00:06.0
C:  #Ifs= 1 Cfg#= 1 Atr=e0 MxPwr=0mA
I:  If#= 0 Alt= 0 #EPs= 1 Cls=09(hub  ) Sub=00 Prot=00 Driver=hub

T:  Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  2 Spd=480 MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=0000 ProdID=0000 Rev=00.00
S:  Manufacturer=QEMU 0.12.1
S:  Product=QEMU USB HARDDRIVE
S:  SerialNumber=1
C:  #Ifs= 1 Cfg#= 1 Atr=c0 MxPwr=0mA
I:  If#= 0 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage

T:  Bus=02 Lev=00 Prnt=00 Port=00 Cnt=00 Dev#=  1 Spd=12  MxCh= 2
D:  Ver= 1.10 Cls=09(hub  ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=1d6b ProdID=0001 Rev=02.06
S:  Manufacturer=Linux 2.6.32-206.el6.x86_64 uhci_hcd
S:  Product=UHCI Host Controller
S:  SerialNumber=0000:00:01.2
C:  #Ifs= 1 Cfg#= 1 Atr=e0 MxPwr=0mA
I:  If#= 0 Alt= 0 #EPs= 1 Cls=09(hub  ) Sub=00 Prot=00 Driver=hub

T:  Bus=02 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  2 Spd=12  MxCh= 0
D:  Ver= 1.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 8 #Cfgs=  1
P:  Vendor=0627 ProdID=0001 Rev=00.00
S:  Manufacturer=QEMU 0.12.1
S:  Product=QEMU USB Tablet
S:  SerialNumber=42
C:  #Ifs= 1 Cfg#= 1 Atr=a0 MxPwr=100mA
I:  If#= 0 Alt= 0 #EPs= 1 Cls=03(HID  ) Sub=00 Prot=02 Driver=usbhid

T:  Bus=02 Lev=01 Prnt=01 Port=01 Cnt=02 Dev#=  3 Spd=12  MxCh= 8
D:  Ver= 1.10 Cls=09(hub  ) Sub=00 Prot=00 MxPS= 8 #Cfgs=  1
P:  Vendor=0000 ProdID=0000 Rev=01.01
S:  Manufacturer=QEMU 0.12.1
S:  Product=QEMU USB Hub
S:  SerialNumber=314159
C:  #Ifs= 1 Cfg#= 1 Atr=e0 MxPwr=0mA
I:  If#= 0 Alt= 0 #EPs= 1 Cls=09(hub  ) Sub=00 Prot=00 Driver=hub

T:  Bus=02 Lev=02 Prnt=03 Port=03 Cnt=01 Dev#=  4 Spd=12  MxCh= 0
D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 8 #Cfgs=  1
P:  Vendor=0000 ProdID=0000 Rev=00.00
S:  Manufacturer=QEMU 0.12.1
S:  Product=QEMU USB HARDDRIVE
S:  SerialNumber=1
C:  #Ifs= 1 Cfg#= 1 Atr=c0 MxPwr=0mA
I:  If#= 0 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage

Comment 11 Eduardo Habkost 2011-10-28 17:59:39 UTC
Moving to ON_QA because Errata Tool did not do it

Comment 13 Gerd Hoffmann 2011-11-18 12:17:28 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause:
    When canceling a usb packet the usb-storage emulation tries to cancel the corresponding scsi request without checking that one exists in the first place.
Consequence:
    NULL pointer dereference -> segfault -> qemu dumps core.
Fix:
    Add check for scsi request presence.
Result:
    Non-existing requests not referenced any more.
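
The cause and fix in the technical note, illustrated as an added, self-contained C example (not QEMU's code and not the actual patch shipped in the errata): a minimal model of a mass-storage device state holding an optional in-flight SCSI request, the cancel path in the shape the note describes (dereferencing the request unconditionally) beside the fixed path that checks for its presence first, and a constructed crash trap that converts the resulting NULL-pointer fault into a return code so both paths can be run in one process. The type and function names (SCSIRequest, MSDState, scsi_req_cancel, usb_msd_cancel_io_*) are chosen to mirror the frames in the backtrace and are assumptions about shape only.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed, minimal model of the two objects in the backtrace. The names
 * mirror the QEMU frames but this is not QEMU's code. */
typedef struct SCSIRequest {
    int cancelled;            /* set once the request has been cancelled */
} SCSIRequest;

typedef struct MSDState {
    SCSIRequest *req;         /* in-flight SCSI request, or NULL when idle */
} MSDState;

#if defined(__GNUC__)
#define NOINLINE __attribute__((noinline))
#else
#define NOINLINE
#endif

/* Like scsi_req_cancel() at scsi-bus.c:686 in the backtrace, this dereferences
 * its argument unconditionally, so the caller must never pass NULL. */
static NOINLINE void scsi_req_cancel(SCSIRequest *req)
{
    req->cancelled = 1;
}

/* Buggy cancel path (the shape described in the technical note): it assumes a
 * SCSI request is always in flight when a USB packet is cancelled. */
static void usb_msd_cancel_io_buggy(MSDState *s)
{
    scsi_req_cancel(s->req);
    s->req = NULL;
}

/* Fixed cancel path: only cancel a request that actually exists. */
static void usb_msd_cancel_io_fixed(MSDState *s)
{
    if (s->req) {
        scsi_req_cancel(s->req);
        s->req = NULL;
    }
}

/* Crash trap for this demonstration only: a synchronous SIGSEGV (or the
 * SIGILL/SIGBUS some compilers turn a NULL store into) becomes a longjmp so
 * the buggy path can be exercised in-process instead of killing the program. */
static sigjmp_buf crash_env;

static void on_crash(int sig)
{
    (void)sig;
    siglongjmp(crash_env, 1);
}

enum { CANCEL_OK = 0, CANCEL_CRASHED = 1 };

/* Run one cancel path with or without an in-flight request; report whether
 * it faulted. */
int run_cancel(int use_fixed, int have_request)
{
    SCSIRequest req = { 0 };
    MSDState s = { have_request ? &req : NULL };
    struct sigaction sa, old_segv, old_bus, old_ill;
    volatile int result = CANCEL_OK;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_crash;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    sigaction(SIGILL, &sa, &old_ill);

    /* savesigs=1 so the signal mask is restored after the longjmp */
    if (sigsetjmp(crash_env, 1) == 0) {
        if (use_fixed)
            usb_msd_cancel_io_fixed(&s);
        else
            usb_msd_cancel_io_buggy(&s);
    } else {
        result = CANCEL_CRASHED;
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    sigaction(SIGILL, &old_ill, NULL);
    return result;
}

/* The fixed path must still cancel a real request: returns 1 if the request
 * was marked cancelled and the pointer cleared. */
int fixed_path_cancels_real_request(void)
{
    SCSIRequest req = { 0 };
    MSDState s = { &req };
    usb_msd_cancel_io_fixed(&s);
    return req.cancelled == 1 && s.req == NULL;
}

int main(void)
{
    printf("buggy, request present: %s\n", run_cancel(0, 1) ? "CRASH" : "ok");
    printf("buggy, no request     : %s\n", run_cancel(0, 0) ? "CRASH" : "ok");
    printf("fixed, request present: %s\n", run_cancel(1, 1) ? "CRASH" : "ok");
    printf("fixed, no request     : %s\n", run_cancel(1, 0) ? "CRASH" : "ok");
    return 0;
}
```

Only the "buggy, no request" case faults, which matches the reporter's observation that the crash is intermittent (1/5) and easier to hit when only one stick is mounted: the cancel runs from the UHCI frame timer, so whether a SCSI request happens to be in flight at that moment is a matter of timing. The signal-trap wrapper exists only to make the fault observable from a test; the emulator itself simply dumps core, as the backtrace shows.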

Comment 14 errata-xmlrpc 2011-12-06 15:56:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1531.html

