796118 – qemu hits core dump when boot guest with 2 pass-though usb devices under 1.1 controller

Bug 796118 - qemu hits core dump when boot guest with 2 pass-though usb devices under 1.1 controller

Summary: qemu hits core dump when boot guest with 2 pass-though usb devices under 1.1 ...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	qemu-kvm
Sub Component:
Version:	6.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Gerd Hoffmann
QA Contact:	Virtualization Bugs
Docs Contact:
URL:
Whiteboard:
Duplicates (4):	803528 806755 807102 807517 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-02-22 10:55 UTC by juzhang
Modified:	2018-11-28 20:44 UTC (History)
CC List:	13 users (show)
Fixed In Version:	qemu-kvm-0.12.1.2-2.253.el6
Doc Type:	Bug Fix
Doc Text:	Cause: qemu usb emulation core modified data structures after releasing them. Consequence: assert() can trigger due to unexpected data structure changes and qemu dumps core. Fix: move release call to correct place. Resolution: core dumps are gone.
Clone Of:
Environment:
Last Closed:	2012-06-20 11:43:46 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Knowledge Base (Solution)	78823	0	None	None	None	Never
Red Hat Product Errata	RHBA-2012:0746	0	normal	SHIPPED_LIVE	qemu-kvm bug fix and enhancement update	2012-06-19 19:31:48 UTC

Description juzhang 2012-02-22 10:55:29 UTC

Description of problem:
qemu hits core dump when boot guest with two pass-though usb devices under 1.1 controller

Version-Release number of selected component (if applicable):
qemu-kvm-0.12.1.2-2.230.el6.x86_64

How reproducible:
70%

Steps to Reproduce:
1.Boot guest with two physical usb device attached under 1.1 controller
#/usr/libexec/qemu-kvm -m 4096 -smp 1 -rtc base=utc,clock=host,driftfix=slew -boot menu=on -drive file=/root/rhel6.2virtio.qcow2,if=none,id=drive-virtio-scsi,media=disk,format=qcow2,cache=none,werror=stop,rerror=stop,aio=native -device virtio-blk-pci,drive=drive-virtio-scsi,id=virtio-scsi -netdev tap,id=hostnet0 -device virtio-net-pci,netdev=hostnet0,id=net0,mac=22:1a:4a:42:1b:38 -usb -device usb-tablet,id=input1 -vnc :11 -monitor stdio 
//
-device usb-host,hostbus=1,hostaddr=3,id=hostdev0 
-device usb-host,hostbus=1,hostaddr=4,id=hostdev1
2.
3.
  
Actual results:
After step1,qemu hit quit with core dump
qemu-kvm: /builddir/build/BUILD/qemu-kvm-0.12.1.2/hw/usb.c:345: usb_packet_complete: Assertion `p->owner != ((void *)0)' failed.

(gdb) bt
#0  0x00007ffff500e885 in raise () from /lib64/libc.so.6
#1  0x00007ffff5010065 in abort () from /lib64/libc.so.6
#2  0x00007ffff50079fe in __assert_fail_base () from /lib64/libc.so.6
#3  0x00007ffff5007ac0 in __assert_fail () from /lib64/libc.so.6
#4  0x00007ffff7e6442f in usb_packet_complete (dev=<value optimized out>, p=0x7ffff89fc540) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/usb.c:345
#5  0x00007ffff7e6773b in async_complete (opaque=0x7ffff9cc3b30) at usb-linux.c:397
#6  0x00007ffff7dfe966 in main_loop_wait (timeout=1000) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4023
#7  0x00007ffff7e1e18a in kvm_main_loop () at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2225
#8  0x00007ffff7e0040c in main_loop (argc=20, argv=<value optimized out>, envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4228
#9  main (argc=20, argv=<value optimized out>, envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:6489

Expected results:
Guest can be booted stressful and usb device works well in guest.

Additional info:
Guest works well under 2.0 controller
-device usb-ehci,id=ehci -device usb-host,hostbus=1,hostaddr=3,id=hostdev0 -device usb-host,hostbus=1,hostaddr=4,id=hostdev1

Append one question
Do we support "piix4-usb-uhci" and "piix3-usb-uhci"?,thanks

Comment 1 Gerd Hoffmann 2012-03-16 12:05:54 UTC

Reproduces, good, hopefully makes it easy to pin down.

Yes, the controllers are supported, piix3-usb-uhci is the default 1.1 usb controller, piix4-usb-uhci is identical with just different pci ids (piix4 chipset ones instead of piix3 chipset).

Comment 4 Gerd Hoffmann 2012-03-16 13:26:24 UTC

Patch posted.

Comment 6 Shaolong Hu 2012-03-20 08:27:47 UTC

I try to reproduce this on qemu 250 with two usb stick:

At beginning this can not be reproduced with steps in comment0, after looking into code, this bug only happens when there is deferred USB packet handling, to trigger this:

1. 
[root@shu ~]# ls -il /dev/sd*
  6199 brw-rw----. 1 root disk 8,   0 Mar 20 22:01 /dev/sda
  6200 brw-rw----. 1 root disk 8,   1 Mar 20 22:01 /dev/sda1
  6201 brw-rw----. 1 root disk 8,   2 Mar 20 22:01 /dev/sda2
320354 brw-rw----. 1 root disk 8, 112 Mar 20 22:50 /dev/sdh
320520 brw-rw----. 1 root disk 8, 113 Mar 20 22:50 /dev/sdh1
320478 brw-rw----. 1 root disk 8, 128 Mar 20 22:50 /dev/sdi
320613 brw-rw----. 1 root disk 8, 129 Mar 20 22:50 /dev/sdi1

2.
[root@shu ~]# while true; do dd if=/dev/zero of=/dev/sdh1 bs=1K count=1 &  dd if=/dev/zero of=/dev/sdi1 bs=1K count=1 &  done

3. 
then run qemu-kvm with "-device usb-host,hostbus=1,hostaddr=4,id=hostdev0 -device usb-host,hostbus=1,hostaddr=5,id=hostdev1"


Test the scratch build qemu-kvm-0.12.1.2-2.249.el6.bz796118.1.x86_64, this problem has gone.

Comment 10 Gerd Hoffmann 2012-03-28 15:50:49 UTC

*** Bug 806755 has been marked as a duplicate of this bug. ***

Comment 11 Shaolong Hu 2012-03-29 03:12:20 UTC

Verified on 267 with steps in comment 6, before patch can reproduce the bug in a chance of 70%, with 267, try 10 ten times, do not hit the problem, verified.

Comment 12 Gerd Hoffmann 2012-03-29 07:33:48 UTC

*** Bug 807517 has been marked as a duplicate of this bug. ***

Comment 13 Gerd Hoffmann 2012-03-29 07:34:46 UTC

*** Bug 807102 has been marked as a duplicate of this bug. ***

Comment 15 Lee Yarwood 2012-04-04 08:52:25 UTC

*** Bug 803528 has been marked as a duplicate of this bug. ***

Comment 17 Michal Novotny 2012-05-04 12:53:18 UTC

    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
NEEDINFO

Comment 18 Gerd Hoffmann 2012-05-04 13:20:51 UTC

    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1 +1,7 @@
-NEEDINFO+Cause: qemu usb emulation core modified data structures after releasing them.
+
+Consequence: assert() can trigger due to unexpected data structure changes and qemu dumps core.
+
+Fix: move release call to correct place.
+
+Resolution: core dumps are gone.

Comment 19 errata-xmlrpc 2012-06-20 11:43:46 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0746.html

Note You need to log in before you can comment on or make changes to this bug.