Bug 734995 - Core dump when hotplug three usb-hub into the same port under both uhci and ehci
Summary: Core dump when hotplug three usb-hub into the same port under both uhci and ehci
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: qemu-kvm
Version: 6.2
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Assignee: Gerd Hoffmann
QA Contact: Virtualization Bugs
Duplicates: 726317 735009 735018
Reported: 2011-09-01 06:39 UTC by Shaolong Hu
Modified: 2013-01-10 00:16 UTC (History)

Fixed In Version: qemu-kvm-0.12.1.2-2.206.el6
Doc Type: Bug Fix
Doc Text:
Bug was in a new 6.2 feature and isn't present in any released version.
Last Closed: 2011-12-06 16:02:55 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1531 normal SHIPPED_LIVE Moderate: qemu-kvm security, bug fix, and enhancement update 2011-12-06 01:23:30 UTC

Description Shaolong Hu 2011-09-01 06:39:16 UTC
Description of problem:
-------------------------
Adding three usb-hubs to the same port causes a qemu-kvm core dump; both uhci and ehci hit the issue.


Version-Release number of selected component (if applicable):
--------------------------------------------------------------
qemu-kvm-0.12.1.2-2.184.el6.x86_64
2.6.32-191.el6.x86_64


How reproducible:
------------------
100%


Steps to Reproduce:
1. Boot guest with:
#/usr/libexec/qemu-kvm -enable-kvm -M rhel6.2.0 -smp 4 -m 4G -name rhel6.1-64 -uuid 3f2ea5cd-3d29-48ff-aab2-23df1b6ae213 -drive file=RHEL-Server-6.1-64-virtio.qcow2,cache=none,if=none,rerror=stop,werror=stop,id=drive-virtio-disk0,format=qcow2 -device virtio-blk-pci,drive=drive-virtio-disk0,id=device-virtio-disk0,bootindex=1 -netdev tap,script=/etc/qemu-ifup,id=netdev0 -device virtio-net-pci,netdev=netdev0,id=device-net0 -boot order=cd,menu=on -monitor stdio -vnc :20 -usb

2. In qemu monitor:
device_add usb-hub,port=1,id=hub1

3. In qemu monitor:
device_add usb-hub,port=1,id=hub2

4. In qemu monitor:
device_add usb-hub,port=1,id=hub3

  
Actual results:
----------------
1. After step 2:

in guest:
#lsusb
Bus 001 Device 002: ID 0000:0000
Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

in qemu monitor:
(qemu)info qtree
      dev: piix3-usb-uhci, id ""
        dev-prop: masterbus = <null>
        dev-prop: firstport = 0
        bus-prop: addr = 01.2
        bus-prop: romfile = <null>
        bus-prop: rombar = 1
        bus-prop: multifunction = off
        class USB controller, addr 00:01.2, pci id 8086:7020 (sub 1af4:1100)
        bar 4: i/o at 0xc020 [0xc03f]
        bus: usb.0
          type USB
          dev: usb-hub, id "hub1"
            bus-prop: port = "1"
            addr 0.2, port 1, speed 12, name QEMU USB Hub, attached

2. After step 3:

in guest:
#lsusb
Bus 001 Device 002: ID 0000:0000
Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

in qemu monitor:
(qemu)info qtree
      dev: piix3-usb-uhci, id ""
        dev-prop: masterbus = <null>
        dev-prop: firstport = 0
        bus-prop: addr = 01.2
        bus-prop: romfile = <null>
        bus-prop: rombar = 1
        bus-prop: multifunction = off
        class USB controller, addr 00:01.2, pci id 8086:7020 (sub 1af4:1100)
        bar 4: i/o at 0xc020 [0xc03f]
        bus: usb.0
          type USB
          dev: usb-hub, id "hub2"
            bus-prop: port = "1"
            addr 0.0, port .1, speed 12, name QEMU USB Hub, attached
          dev: usb-hub, id "hub1"
            bus-prop: port = "1"
            addr 0.2, port 1, speed 12, name QEMU USB Hub, attached

3. After step 4:
(qemu) device_add usb-hub,port=1,id=hub1
(qemu) device_add usb-hub,port=1,id=hub2
(qemu) device_add usb-hub,port=1,id=hub3
qemu-kvm: savevm.c:1258: vmstate_register: Assertion `!se->compat || se->instance_id == 0' failed.
Aborted (core dumped)

4. Core dump:
Core was generated by `/usr/libexec/qemu-kvm -enable-kvm -M rhel6.2.0 -smp 4 -m 4G -name rhel6.1-64 -u'.
Program terminated with signal 6, Aborted.
#0  0x0000003e3f032945 in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64	  return INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
Missing separate debuginfos, use: debuginfo-install alsa-lib-1.0.22-3.el6.x86_64 celt051-0.5.1.3-0.el6.x86_64 cyrus-sasl-gssapi-2.1.23-12.el6.x86_64 cyrus-sasl-lib-2.1.23-12.el6.x86_64 cyrus-sasl-md5-2.1.23-12.el6.x86_64 cyrus-sasl-plain-2.1.23-12.el6.x86_64 db4-4.7.25-16.el6.x86_64 dbus-libs-1.2.24-5.el6_1.x86_64 gnutls-2.8.5-4.el6.x86_64 keyutils-libs-1.4-3.el6.x86_64 krb5-libs-1.9-18.el6.x86_64 libICE-1.0.6-1.el6.x86_64 libSM-1.1.0-7.1.el6.x86_64 libX11-1.3-2.el6.x86_64 libXau-1.0.5-1.el6.x86_64 libXext-1.1-3.el6.x86_64 libXfixes-4.0.4-1.el6.x86_64 libXi-1.3-3.el6.x86_64 libXrandr-1.3.0-4.el6.x86_64 libXrender-0.9.5-1.el6.x86_64 libXtst-1.0.99.2-3.el6.x86_64 libaio-0.3.107-10.el6.x86_64 libasyncns-0.8-1.1.el6.x86_64 libcom_err-1.41.12-10.el6.x86_64 libgcrypt-1.4.5-9.el6.x86_64 libgpg-error-1.7-4.el6.x86_64 libjpeg-6b-46.el6.x86_64 libselinux-2.0.94-5.1.el6.x86_64 libsndfile-1.0.20-3.el6_1.1.x86_64 libtasn1-2.3-3.el6.x86_64 libuuid-2.17.2-12.1.el6.x86_64 libxcb-1.5-1.el6.x86_64 nss-softokn-freebl-3.12.9-8.el6.x86_64 openssl-1.0.0-15.el6.x86_64 pixman-0.18.4-1.el6_0.1.x86_64 pulseaudio-libs-0.9.21-13.el6.x86_64 tcp_wrappers-libs-7.6-57.el6.x86_64
(gdb) bt
#0  0x0000003e3f032945 in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x0000003e3f034125 in abort () at abort.c:92
#2  0x0000003e3f02b9fe in __assert_fail_base (fmt=<value optimized out>, assertion=0x6498f0 "!se->compat || se->instance_id == 0", file=0x649ce1 "savevm.c", line=<value optimized out>, 
    function=<value optimized out>) at assert.c:96
#3  0x0000003e3f02bac0 in __assert_fail (assertion=0x6498f0 "!se->compat || se->instance_id == 0", file=0x649ce1 "savevm.c", line=1258, function=0x64a030 "vmstate_register") at assert.c:105
#4  0x00000000004bee31 in vmstate_register (dev=<value optimized out>, instance_id=<value optimized out>, vmsd=<value optimized out>, opaque=<value optimized out>) at savevm.c:1258
#5  0x00000000004c273f in qdev_init (dev=0x44ac050) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/qdev.c:288
#6  0x00000000004c2a99 in qdev_device_add (opts=0x3287f90) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/qdev.c:253
#7  0x00000000004c3009 in do_device_add (mon=<value optimized out>, qdict=<value optimized out>, ret_data=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/qdev.c:806
#8  0x00000000004124e0 in monitor_call_handler (mon=<value optimized out>, cmd=0x58e5d0, params=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4079
#9  0x0000000000417250 in handle_user_command (mon=0x307f210, cmdline=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4116
#10 0x000000000041737a in monitor_command_cb (mon=0x307f210, cmdline=<value optimized out>, opaque=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4671
#11 0x00000000004a91bb in readline_handle_byte (rs=0x449b0f0, ch=<value optimized out>) at readline.c:369
#12 0x000000000041759c in monitor_read (opaque=<value optimized out>, buf=0x7fffc432e560 "\r", size=1) at /usr/src/debug/qemu-kvm-0.12.1.2/monitor.c:4657
#13 0x00000000004bad2b in qemu_chr_read (opaque=0x2e43d40) at qemu-char.c:170
#14 fd_chr_read (opaque=0x2e43d40) at qemu-char.c:664
#15 0x000000000040b65f in main_loop_wait (timeout=1000) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:3854
#16 0x0000000000429e3a in kvm_main_loop () at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2204
#17 0x000000000040db15 in main_loop (argc=<value optimized out>, argv=<value optimized out>, envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4064
#18 main (argc=<value optimized out>, argv=<value optimized out>, envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:6284



Expected results:
------------------
If this action is not permitted, an error should be reported, as happens when hotplugging a usb-tablet into the same port:

(qemu) device_add usb-tablet,port=1,id=input0
(qemu) device_add usb-tablet,port=1,id=input1
Error: usb port 1 (bus usb.0) not found

Device 'usb-tablet' could not be initialized


Additional info:
-------------------
Ehci hits the same issue.

Comment 2 Gerd Hoffmann 2011-09-01 13:18:40 UTC
*** Bug 735009 has been marked as a duplicate of this bug. ***

Comment 3 Gerd Hoffmann 2011-09-02 07:18:42 UTC
*** Bug 735018 has been marked as a duplicate of this bug. ***

Comment 5 juzhang 2011-09-03 02:46:29 UTC
(In reply to comment #3)
> *** Bug 735018 has been marked as a duplicate of this bug. ***

bz735018 is a regression bug. Since bz735018 is marked as a duplicate of this issue, mark this issue as a regression bug too.

-snip for bz735018-
Also tested with qemu-kvm-tools-0.12.1.2-2.179.el6.x86_64, guest can be booted
successfully. Mark this issue as regression.

Comment 8 Gerd Hoffmann 2011-09-14 09:23:59 UTC
*** Bug 726317 has been marked as a duplicate of this bug. ***

Comment 11 Shaolong Hu 2011-10-09 09:41:34 UTC
Verified on qemu-kvm-0.12.1.2-2.195.el6.x86_64:

Under uhci, after step 3:

(qemu) device_add usb-hub,port=1,id=hub2
Error: usb port 1 (bus usb.0) not found (in use?)
Device 'usb-hub' could not be initialized

Under ehci, after step 2:

(qemu) device_add usb-hub,port=1,id=hub1
Warning: speed mismatch trying to attach usb device QEMU USB Hub to bus ehci.0
Device 'usb-hub' could not be initialized


Based on above results, this bug has been fixed.
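The expected results in the description and the refusal messages verified in Comment 11 both come down to one check: before a hotplugged device is wired to a port, the port must exist and must be free. As an added illustration (a constructed toy model, not QEMU's usb_port or usb_device_attach code), this C snippet models a path-addressed USB bus on which hubs register their own downstream ports and an attach to a busy or absent port is refused with a diagnostic; all names and the error wording are assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Constructed toy model of a USB bus with path-addressed ports ("1", "1.2", ...).
 * Not QEMU's usb_port / usb_device_attach code; all names are illustrative. */
#define MAX_PORTS 32
#define PATH_LEN 16
typedef struct { char path[PATH_LEN]; const char *dev_id; /* NULL = free */ } UsbPort;
typedef struct { const char *name; UsbPort ports[MAX_PORTS]; int nports; } UsbBus;

/* Register `count` ports below `parent` ("" = root hub): "1","2",... or "1.1","1.2",... */
int usb_register_ports(UsbBus *bus, const char *parent, int count)
{
    for (int i = 1; i <= count; i++) {
        if (bus->nports == MAX_PORTS)
            return -1;
        UsbPort *p = &bus->ports[bus->nports++];
        p->dev_id = NULL;
        snprintf(p->path, PATH_LEN, "%s%s%d", parent, parent[0] ? "." : "", i);
    }
    return 0;
}

static UsbPort *usb_port_find(UsbBus *bus, const char *path)
{
    for (int i = 0; i < bus->nports; i++)
        if (strcmp(bus->ports[i].path, path) == 0)
            return &bus->ports[i];
    return NULL;
}

/* Hotplug `dev_id` at `path`. Returns 0, or -1 with a diagnostic in `err`. The occupancy
 * check is the point: a busy or missing port is refused up front, so nothing is left
 * half-attached for a later registration step to trip over. */
int usb_hotplug(UsbBus *bus, const char *path, const char *dev_id,
                int hub_ports, char *err, size_t errlen)
{
    UsbPort *p = usb_port_find(bus, path);
    if (!p) {
        snprintf(err, errlen, "usb port %s (bus %s) not found", path, bus->name);
        return -1;
    }
    if (p->dev_id) {
        snprintf(err, errlen, "usb port %s (bus %s) in use by %s", path, bus->name, p->dev_id);
        return -1;
    }
    p->dev_id = dev_id;
    /* a hub brings its own downstream ports, e.g. "1.1".."1.8" */
    return hub_ports > 0 ? usb_register_ports(bus, path, hub_ports) : 0;
}
```

With two root ports, a hub on port 1 succeeds, a second hub on port 1 is refused as in use, a hub on the first hub's own port 1.1 succeeds, and a hub on a non-existent port 3 is refused as not found.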

Comment 14 Eduardo Habkost 2011-10-28 17:59:48 UTC
Moving to ON_QA because Errata Tool did not do it

Comment 16 Gerd Hoffmann 2011-11-18 13:02:34 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Bug was in a new 6.2 feature and isn't present in any released version.

Comment 17 errata-xmlrpc 2011-12-06 16:02:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1531.html

