806755 – boot guest with 16 USB storages assigned the hub and port under uhci will segmentation fault

Bug 806755 - boot guest with 16 USB storages assigned the hub and port under uhci will segmentation fault

Summary: boot guest with 16 USB storages assigned the hub and port under uhci will seg...

Keywords:
Status:	CLOSED DUPLICATE of bug 796118
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	qemu-kvm
Sub Component:
Version:	6.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Gerd Hoffmann
QA Contact:	Virtualization Bugs
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-03-26 07:22 UTC by Sibiao Luo
Modified:	2012-03-30 06:07 UTC (History)
CC List:	12 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2012-03-28 15:50:49 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Sibiao Luo 2012-03-26 07:22:07 UTC

Description of problem:
boot guest with 16 USB storages to the guest with the assigned the hub and port under uhci, and then the guest will segmentation fault.

Version-Release number of selected component (if applicable):
host info:
# uname -r && rpm -q qemu-kvm
2.6.32-251.el6.x86_64
qemu-kvm-0.12.1.2-2.249.el6.x86_64
# rpm -q seabios
seabios-0.6.1.2-12.el6.x86_64 
guest info:
guest_name: win7sp1-64
virtio-win: virtio-win-prewhql-0.1-24 

How reproducible:
100%

Steps to Reproduce:
1.boot a guest with 16 USB storages assigned the hub and port under uhci.
CLI: # /usr/libexec/qemu-kvm -M rhel6.3.0 -cpu Penryn -enable-kvm -m 2048 -smp 2,sockets=1,cores=2,threads=1 -name win7-sp1-64 -uuid `uuidgen` -drive file=/home/win7sp1-virtio-64-copy.raw,format=raw,if=none,id=drive-virtio-disk0,cache=none,werror=stop,rerror=stop -device virtio-blk-pci,scsi=off,bus=pci.0,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -netdev tap,sndbuf=0,id=hostnet0,vhost=on,script=/etc/qemu-ifup,downscript=no -device virtio-net-pci,netdev=hostnet0,id=virtio-net-pci0,mac=05:1a:4a:02:0b:46,bus=pci.0,bootindex=2 -device virtio-balloon-pci,id=ballooning -spice disable-ticketing,port=5931 -k en-us -vga qxl -global qxl-vga.vram_size=67108864 -monitor stdio -readconfig /home/ich9-ehci-uhci.cfg -device usb-hub,bus=ehci.0,id=usbhub1,port=1 -drive file=usb-storage1.qcow2,if=none,id=storage1,media=disk,cache=none,format=qcow2 -device usb-storage,drive=storage1,id=usb-storage1,port=1.1 -drive file=usb-storage2.qcow2,if=none,id=storage2,media=disk,cache=none,format=qcow2 -device usb-storage,drive=storage2,id=usb-storage2,port=1.2 -drive file=usb-storage3.qcow2,if=none,id=storage3,media=disk,cache=none,format=qcow2 -device usb-storage,drive=storage3,id=usb-storage3,port=1.3 -drive file=usb-storage4.qcow2,if=none,id=storage4,media=disk,cache=none,format=qcow2 -device usb-storage,drive=storage4,id=usb-storage4,port=1.4 -drive file=usb-storage5.qcow2,if=none,id=storage5,media=disk,cache=none,format=qcow2 -device usb-storage,drive=storage5,id=usb-storage5,port=1.5 -drive file=usb-storage6.qcow2,if=none,id=storage6,media=disk,cache=none,format=qcow2 -device usb-storage,drive=storage6,id=usb-storage6,port=1.6 -drive file=usb-storage7.qcow2,if=none,id=storage7,media=disk,cache=none,format=qcow2 -device usb-storage,drive=storage7,id=usb-storage7,port=1.7 -drive file=usb-storage8.qcow2,if=none,id=storage8,media=disk,cache=none,format=qcow2 -device usb-storage,drive=storage8,id=usb-storage8,port=1.8 -device usb-hub,bus=ehci.0,id=usbhub2,port=2 -drive file=usb-storage9.qcow2,if=none,id=storage9,media=disk,cache=none,format=qcow2 -device usb-storage,drive=storage9,id=usb-storage9,port=2.1 -drive file=usb-storage10.qcow2,if=none,id=storage10,media=disk,cache=none,format=qcow2 -device usb-storage,drive=storage10,id=usb-storage10,port=2.2 -drive file=usb-storage11.qcow2,if=none,id=storage11,media=disk,cache=none,format=qcow2 -device usb-storage,drive=storage11,id=usb-storage11,port=2.3 -drive file=usb-storage12.qcow2,if=none,id=storage12,media=disk,cache=none,format=qcow2 -device usb-storage,drive=storage12,id=usb-storage12,port=2.4 -drive file=usb-storage13.qcow2,if=none,id=storage13,media=disk,cache=none,format=qcow2 -device usb-storage,drive=storage13,id=usb-storage13,port=2.5 -drive file=usb-storage14.qcow2,if=none,id=storage14,media=disk,cache=none,format=qcow2 -device usb-storage,drive=storage14,id=usb-storage14,port=2.6 -drive file=usb-storage15.qcow2,if=none,id=storage15,media=disk,cache=none,format=qcow2 -device usb-storage,drive=storage15,id=usb-storage15,port=2.7 -drive file=usb-storage16.qcow2,if=none,id=storage16,media=disk,cache=none,format=qcow2 -device usb-storage,drive=storage16,id=usb-storage16,port=2.8
2.check info var the monitor.
(qemu) info usb
  Device 0.1, Port 1, Speed 12 Mb/s, Product QEMU USB Hub
  Device 0.3, Port 1.1, Speed 12 Mb/s, Product QEMU USB MSD
  Device 0.4, Port 1.2, Speed 12 Mb/s, Product QEMU USB MSD
  Device 0.5, Port 1.3, Speed 12 Mb/s, Product QEMU USB MSD
  Device 0.6, Port 1.4, Speed 12 Mb/s, Product QEMU USB MSD
  Device 0.7, Port 1.5, Speed 12 Mb/s, Product QEMU USB MSD
  Device 0.8, Port 1.6, Speed 12 Mb/s, Product QEMU USB MSD
  Device 0.9, Port 1.7, Speed 12 Mb/s, Product QEMU USB MSD
  Device 0.10, Port 1.8, Speed 12 Mb/s, Product QEMU USB MSD
  Device 0.2, Port 2, Speed 12 Mb/s, Product QEMU USB Hub
  Device 0.11, Port 2.1, Speed 12 Mb/s, Product QEMU USB MSD
  Device 0.12, Port 2.2, Speed 12 Mb/s, Product QEMU USB MSD
  Device 0.13, Port 2.3, Speed 12 Mb/s, Product QEMU USB MSD
  Device 0.14, Port 2.4, Speed 12 Mb/s, Product QEMU USB MSD
  Device 0.15, Port 2.5, Speed 12 Mb/s, Product QEMU USB MSD
  Device 0.16, Port 2.6, Speed 12 Mb/s, Product QEMU USB MSD
  Device 0.17, Port 2.7, Speed 12 Mb/s, Product QEMU USB MSD
  Device 0.18, Port 2.8, Speed 12 Mb/s, Product QEMU USB MSD
3.wait the guest to boot up.
  
Actual results:
after the step 3, got segmentation fault and the guest hang.
(qemu) 
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff5aabfee in _int_free () from /lib64/libc.so.6
(gdb) bt
#0  0x00007ffff5aabfee in _int_free () from /lib64/libc.so.6
#1  0x00007ffff7e62c20 in scsi_req_unref (req=0x7ffffff63a60) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/scsi-bus.c:1267
#2  0x00007ffff7e62329 in usb_msd_handle_data (dev=0x7ffffa7dda80, p=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/usb-msd.c:476
#3  0x00007ffff7e5b242 in usb_handle_packet (dev=0x7ffffa7dda80, p=0x7ffffff63210) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/usb.c:325
#4  0x00007ffff7e5be6e in usb_hub_broadcast_packet (dev=0x7ffffa7db530, p=0x7ffffff63210) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/usb-hub.c:453
#5  usb_hub_handle_packet (dev=0x7ffffa7db530, p=0x7ffffff63210) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/usb-hub.c:476
#6  0x00007ffff7e5b242 in usb_handle_packet (dev=0x7ffffa7db530, p=0x7ffffff63210) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/usb.c:325
#7  0x00007ffff7f70c22 in uhci_broadcast_packet (s=0x7ffff9d95820) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/usb-uhci.c:656
#8  uhci_handle_td (s=0x7ffff9d95820) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/usb-uhci.c:821
#9  uhci_process_frame (s=0x7ffff9d95820) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/usb-uhci.c:966
#10 0x00007ffff7f712ad in uhci_frame_timer (opaque=0x7ffff9d95820) at /usr/src/debug/qemu-kvm-0.12.1.2/hw/usb-uhci.c:1048
#11 0x00007ffff7df3a92 in qemu_run_timers (timeout=1000) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:1323
#12 main_loop_wait (timeout=1000) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4151
#13 0x00007ffff7e14e7a in kvm_main_loop () at /usr/src/debug/qemu-kvm-0.12.1.2/qemu-kvm.c:2244
#14 0x00007ffff7df63ec in main_loop (argc=20, argv=<value optimized out>, envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:4334
#15 main (argc=20, argv=<value optimized out>, envp=<value optimized out>) at /usr/src/debug/qemu-kvm-0.12.1.2/vl.c:6594
(gdb) q

Expected results:
the guest with 16 USB storages assigned the hub and port under uhci can boot successfully.

Additional info:
ich9-ehci-uhci.cfg can be found in:
http://git.engineering.redhat.com/?p=users/ehabkost/qemu-kvm-rhel6.git;a=blob;f=docs/ich9-ehci-uhci.cfg;hb=HEAD

Comment 2 Gerd Hoffmann 2012-03-27 10:07:57 UTC

Might be a dup of bug 796118.
Please retest with qemu-kvm-0.12.1.2-2.253.el6 or newer.

Comment 3 Sibiao Luo 2012-03-28 05:13:14 UTC

(In reply to comment #2)
> Might be a dup of bug 796118.
> Please retest with qemu-kvm-0.12.1.2-2.253.el6 or newer.

yes, Gerd. as the email said, may be there was a use-after-free bug in uhci emulation which possibly can cause segfaults. I have retested this issue with the latest qemu-kvm-0.12.1.2-2.265.el6.x86_64, the segmentation fault issue has been disappear.

Comment 4 Gerd Hoffmann 2012-03-28 15:50:49 UTC


*** This bug has been marked as a duplicate of bug 796118 ***

Note You need to log in before you can comment on or make changes to this bug.