Bug 806755 - boot guest with 16 USB storages assigned the hub and port under uhci will segmentation fault
Summary: boot guest with 16 USB storages assigned the hub and port under uhci will seg...
Keywords:
Status: CLOSED DUPLICATE of bug 796118
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: qemu-kvm
Version: 6.3
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Gerd Hoffmann
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-03-26 07:22 UTC by Sibiao Luo
Modified: 2012-03-30 06:07 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-03-28 15:50:49 UTC
Target Upstream Version:
Embargoed:


Description Sibiao Luo 2012-03-26 07:22:07 UTC
Description of problem:
Booting a guest with 16 USB storage devices attached to the hubs and ports under UHCI makes the guest segmentation fault.

Version-Release number of selected component (if applicable):
host info:
# uname -r && rpm -q qemu-kvm
2.6.32-251.el6.x86_64
qemu-kvm-0.12.1.2-2.249.el6.x86_64
# rpm -q seabios
seabios-0.6.1.2-12.el6.x86_64 
guest info:
guest_name: win7sp1-64
virtio-win: virtio-win-prewhql-0.1-24 

How reproducible:
100%

Steps to Reproduce:
1. Boot a guest with 16 USB storage devices attached to the hubs and ports under UHCI.
CLI: # /usr/libexec/qemu-kvm -M rhel6.3.0 -cpu Penryn -enable-kvm -m 2048 -smp 2,sockets=1,cores=2,threads=1 -name win7-sp1-64 -uuid `uuidgen` \
-drive file=/home/win7sp1-virtio-64-copy.raw,format=raw,if=none,id=drive-virtio-disk0,cache=none,werror=stop,rerror=stop \
-device virtio-blk-pci,scsi=off,bus=pci.0,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 \
-netdev tap,sndbuf=0,id=hostnet0,vhost=on,script=/etc/qemu-ifup,downscript=no \
-device virtio-net-pci,netdev=hostnet0,id=virtio-net-pci0,mac=05:1a:4a:02:0b:46,bus=pci.0,bootindex=2 \
-device virtio-balloon-pci,id=ballooning -spice disable-ticketing,port=5931 -k en-us -vga qxl -global qxl-vga.vram_size=67108864 -monitor stdio \
-readconfig /home/ich9-ehci-uhci.cfg \
-device usb-hub,bus=ehci.0,id=usbhub1,port=1 \
-drive file=usb-storage1.qcow2,if=none,id=storage1,media=disk,cache=none,format=qcow2 -device usb-storage,drive=storage1,id=usb-storage1,port=1.1 \
-drive file=usb-storage2.qcow2,if=none,id=storage2,media=disk,cache=none,format=qcow2 -device usb-storage,drive=storage2,id=usb-storage2,port=1.2 \
-drive file=usb-storage3.qcow2,if=none,id=storage3,media=disk,cache=none,format=qcow2 -device usb-storage,drive=storage3,id=usb-storage3,port=1.3 \
-drive file=usb-storage4.qcow2,if=none,id=storage4,media=disk,cache=none,format=qcow2 -device usb-storage,drive=storage4,id=usb-storage4,port=1.4 \
-drive file=usb-storage5.qcow2,if=none,id=storage5,media=disk,cache=none,format=qcow2 -device usb-storage,drive=storage5,id=usb-storage5,port=1.5 \
-drive file=usb-storage6.qcow2,if=none,id=storage6,media=disk,cache=none,format=qcow2 -device usb-storage,drive=storage6,id=usb-storage6,port=1.6 \
-drive file=usb-storage7.qcow2,if=none,id=storage7,media=disk,cache=none,format=qcow2 -device usb-storage,drive=storage7,id=usb-storage7,port=1.7 \
-drive file=usb-storage8.qcow2,if=none,id=storage8,media=disk,cache=none,format=qcow2 -device usb-storage,drive=storage8,id=usb-storage8,port=1.8 \
-device usb-hub,bus=ehci.0,id=usbhub2,port=2 \
-drive file=usb-storage9.qcow2,if=none,id=storage9,media=disk,cache=none,format=qcow2 -device usb-storage,drive=storage9,id=usb-storage9,port=2.1 \
-drive file=usb-storage10.qcow2,if=none,id=storage10,media=disk,cache=none,format=qcow2 -device usb-storage,drive=storage10,id=usb-storage10,port=2.2 \
-drive file=usb-storage11.qcow2,if=none,id=storage11,media=disk,cache=none,format=qcow2 -device usb-storage,drive=storage11,id=usb-storage11,port=2.3 \
-drive file=usb-storage12.qcow2,if=none,id=storage12,media=disk,cache=none,format=qcow2 -device usb-storage,drive=storage12,id=usb-storage12,port=2.4 \
-drive file=usb-storage13.qcow2,if=none,id=storage13,media=disk,cache=none,format=qcow2 -device usb-storage,drive=storage13,id=usb-storage13,port=2.5 \
-drive file=usb-storage14.qcow2,if=none,id=storage14,media=disk,cache=none,format=qcow2 -device usb-storage,drive=storage14,id=usb-storage14,port=2.6 \
-drive file=usb-storage15.qcow2,if=none,id=storage15,media=disk,cache=none,format=qcow2 -device usb-storage,drive=storage15,id=usb-storage15,port=2.7 \
-drive file=usb-storage16.qcow2,if=none,id=storage16,media=disk,cache=none,format=qcow2 -device usb-storage,drive=storage16,id=usb-storage16,port=2.8
2. Check the USB info via the monitor.
(qemu) info usb
  Device 0.1, Port 1, Speed 12 Mb/s, Product QEMU USB Hub
  Device 0.3, Port 1.1, Speed 12 Mb/s, Product QEMU USB MSD
  Device 0.4, Port 1.2, Speed 12 Mb/s, Product QEMU USB MSD
  Device 0.5, Port 1.3, Speed 12 Mb/s, Product QEMU USB MSD
  Device 0.6, Port 1.4, Speed 12 Mb/s, Product QEMU USB MSD
  Device 0.7, Port 1.5, Speed 12 Mb/s, Product QEMU USB MSD
  Device 0.8, Port 1.6, Speed 12 Mb/s, Product QEMU USB MSD
  Device 0.9, Port 1.7, Speed 12 Mb/s, Product QEMU USB MSD
  Device 0.10, Port 1.8, Speed 12 Mb/s, Product QEMU USB MSD
  Device 0.2, Port 2, Speed 12 Mb/s, Product QEMU USB Hub
  Device 0.11, Port 2.1, Speed 12 Mb/s, Product QEMU USB MSD
  Device 0.12, Port 2.2, Speed 12 Mb/s, Product QEMU USB MSD
  Device 0.13, Port 2.3, Speed 12 Mb/s, Product QEMU USB MSD
  Device 0.14, Port 2.4, Speed 12 Mb/s, Product QEMU USB MSD
  Device 0.15, Port 2.5, Speed 12 Mb/s, Product QEMU USB MSD
  Device 0.16, Port 2.6, Speed 12 Mb/s, Product QEMU USB MSD
  Device 0.17, Port 2.7, Speed 12 Mb/s, Product QEMU USB MSD
  Device 0.18, Port 2.8, Speed 12 Mb/s, Product QEMU USB MSD
3. Wait for the guest to boot up.

Actual results:
After step 3, got a segmentation fault and the guest hangs.
(qemu) 
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff5aabfee in _int_free () from /lib64/libc.so.6
(gdb) bt
#0  0x00007ffff5aabfee in _int_free () from /lib64/libc.so.6
#1  0x00007ffff7e62c20 in scsi_req_unref (req=0x7ffffff63a60) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/scsi-bus.c:1267
#2  0x00007ffff7e62329 in usb_msd_handle_data (dev=0x7ffffa7dda80, p=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/usb-msd.c:476
#3  0x00007ffff7e5b242 in usb_handle_packet (dev=0x7ffffa7dda80, p=0x7ffffff63210) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/usb.c:325
#4  0x00007ffff7e5be6e in usb_hub_broadcast_packet (dev=0x7ffffa7db530, p=0x7ffffff63210) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/usb-hub.c:453
#5  usb_hub_handle_packet (dev=0x7ffffa7db530, p=0x7ffffff63210) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/usb-hub.c:476
#6  0x00007ffff7e5b242 in usb_handle_packet (dev=0x7ffffa7db530, p=0x7ffffff63210) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/usb.c:325
#7  0x00007ffff7f70c22 in uhci_broadcast_packet (s=0x7ffff9d95820) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/usb-uhci.c:656
#8  uhci_handle_td (s=0x7ffff9d95820) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/usb-uhci.c:821
#9  uhci_process_frame (s=0x7ffff9d95820) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/usb-uhci.c:966
#10 0x00007ffff7f712ad in uhci_frame_timer (opaque=0x7ffff9d95820) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/usb-uhci.c:1048
#11 0x00007ffff7df3a92 in qemu_run_timers (timeout=1000) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:1323
#12 main_loop_wait (timeout=1000) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4151
#13 0x00007ffff7e14e7a in kvm_main_loop () at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2244
#14 0x00007ffff7df63ec in main_loop (argc=20, argv=<value optimized out>, envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4334
#15 main (argc=20, argv=<value optimized out>, envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:6594
(gdb) q

Expected results:
The guest with 16 USB storage devices attached to the hubs and ports under UHCI can boot successfully.

Additional info:
ich9-ehci-uhci.cfg can be found at:
http://git.engineering.redhat.com/?p=users/ehabkost/qemu-kvm-rhel6.git;a=blob;f=docs/ich9-ehci-uhci.cfg;hb=HEAD

Comment 2 Gerd Hoffmann 2012-03-27 10:07:57 UTC
Might be a dup of bug 796118.
Please retest with qemu-kvm-0.12.1.2-2.253.el6 or newer.

Comment 3 Sibiao Luo 2012-03-28 05:13:14 UTC
(In reply to comment #2)
> Might be a dup of bug 796118.
> Please retest with qemu-kvm-0.12.1.2-2.253.el6 or newer.

Yes, Gerd. As the email said, maybe there was a use-after-free bug in the UHCI emulation which could cause segfaults. I have retested this issue with the latest qemu-kvm-0.12.1.2-2.265.el6.x86_64, and the segmentation fault has disappeared.
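The backtrace in the description, scsi_req_unref() ending up in _int_free(), is the signature of a reference-count lifetime bug: a request was released while a caller higher up the stack (here the USB MSD data handler, driven from the UHCI frame timer) still held a pointer to it and dropped it again. The following added example is constructed for this page; it is not QEMU's code and not the fix tracked in bug 796118. It models that class of bug with a small refcounted request and a fixed pool standing in for the heap, so the use-after-free and the extra unref are counted rather than corrupting the allocator. The ownership convention (the bus consumes the creator's reference when it completes the request) and every name in it are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model (not QEMU code) of a refcounted request that a device
 * hands to a bus which may complete it synchronously, from inside the
 * device's own handler.  A fixed pool stands in for malloc/free so that a
 * use-after-free or an extra unref is counted instead of corrupting the
 * heap; with a real allocator that corruption is what later blows up in
 * _int_free(). */

enum { REQ_FREE = 0, REQ_LIVE = 1 };

typedef struct Req {
    int state;      /* REQ_FREE or REQ_LIVE */
    int refcount;   /* number of owners holding a reference */
    int bytes;      /* payload size the bus reports back */
} Req;

#define POOL_SIZE 4
static Req pool[POOL_SIZE];

/* Counters the caller (or a test) can read back. */
static int bad_unrefs;       /* unref of a request that is already free */
static int use_after_free;   /* field read on a request that is already free */

static void reset_model(void) {
    memset(pool, 0, sizeof pool);
    bad_unrefs = 0;
    use_after_free = 0;
}

static int live_requests(void) {
    int n = 0;
    for (int i = 0; i < POOL_SIZE; i++) n += (pool[i].state == REQ_LIVE);
    return n;
}

/* Allocate a request with one reference, owned by the creator. */
static Req *req_new(void) {
    for (int i = 0; i < POOL_SIZE; i++) {
        if (pool[i].state == REQ_FREE) {
            pool[i].state = REQ_LIVE;
            pool[i].refcount = 1;
            pool[i].bytes = 0;
            return &pool[i];
        }
    }
    return NULL;
}

static void req_ref(Req *r) { r->refcount++; }

static void req_unref(Req *r) {
    if (r->state == REQ_FREE) { bad_unrefs++; return; }   /* would be a double free */
    if (--r->refcount == 0) r->state = REQ_FREE;          /* last owner: "free" it */
}

static int req_bytes(Req *r) {
    if (r->state == REQ_FREE) use_after_free++;           /* would read freed memory */
    return r->bytes;
}

/* Bus side (assumed convention): completing a request consumes the
 * reference it was created with, so the request may vanish right here. */
static void bus_complete(Req *r, int nbytes) {
    r->bytes = nbytes;
    req_unref(r);
}

/* Buggy device handler: keeps using the request after the bus may have
 * released it, then drops a reference it no longer holds. */
static int buggy_handle_data(int nbytes) {
    Req *r = req_new();
    if (!r) return -1;
    bus_complete(r, nbytes);
    int n = req_bytes(r);   /* use after free */
    req_unref(r);           /* extra unref on an already freed object */
    return n;
}

/* Hardened handler: pin the request with the handler's own reference for
 * as long as the handler touches it, whatever the bus does in between. */
static int safe_handle_data(int nbytes) {
    Req *r = req_new();
    if (!r) return -1;
    req_ref(r);             /* handler's reference, separate from the bus's */
    bus_complete(r, nbytes);
    int n = req_bytes(r);   /* still live: refcount is 1 */
    req_unref(r);           /* now it is really released */
    return n;
}

int main(void) {
    reset_model();
    safe_handle_data(512);
    printf("safe:  bad_unrefs=%d use_after_free=%d live=%d\n",
           bad_unrefs, use_after_free, live_requests());
    reset_model();
    buggy_handle_data(512);
    printf("buggy: bad_unrefs=%d use_after_free=%d live=%d\n",
           bad_unrefs, use_after_free, live_requests());
    return 0;
}
```

The point of the hardened variant is that the handler never relies on the bus leaving the request alive: it takes its own reference before any call that may complete the request and releases it only after its last access. Under a real allocator the buggy path would read freed memory and then free it a second time, which is the kind of heap corruption that surfaces later as a crash inside _int_free().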

Comment 4 Gerd Hoffmann 2012-03-28 15:50:49 UTC

*** This bug has been marked as a duplicate of bug 796118 ***

