Bug 929019 - sometimes qemu core dumped when booting guest with q35 Machine type and usb xhci controller
Summary: sometimes qemu core dumped when booting guest with q35 Machine type and usb x...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm
Version: 7.0
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Gerd Hoffmann
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-03-29 03:13 UTC by FuXiangChun
Modified: 2014-06-18 03:25 UTC (History)

Fixed In Version: qemu-kvm-1.5.0-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-13 10:55:00 UTC
Target Upstream Version:
Embargoed:



Description FuXiangChun 2013-03-29 03:13:46 UTC
Description of problem:
As subject: boot the guest with -M q35 and the nec-usb-xhci controller. Sometimes qemu core dumps, and the monitor outputs the warning message below.

qemu-kvm: hw/usb/core.c:552: usb_packet_setup: Assertion `p->iov.iov != ((void *)0)' failed.
Aborted (core dumped)

Version-Release number of selected component (if applicable):
host/guest kernel version:
# uname -r
3.9.0-0.rc4.45.el7.x86_64

qemu-version:
qemu-kvm-1.4.0-1.el7.x86_64

How reproducible:
sometimes (3/10)

Steps to Reproduce:
1. Boot guest:
/usr/libexec/qemu-kvm -M q35 -cpu Opteron_G3 -enable-kvm -m 4096 -smp 2,sockets=2,cores=1,threads=1 -no-kvm-pit-reinjection -name usb-device -uuid b03eea94-a502-4142-b541-96f86473a07a -rtc base=localtime,clock=host,driftfix=slew -device virtio-serial-pci,id=virtio-serial0,max_ports=16,vectors=0,bus=pcie.0,addr=0x3 -chardev socket,id=channel1,path=/tmp/helloworld1,server,nowait -device virtserialport,chardev=channel1,name=com.redhat.rhevm.vdsm,bus=virtio-serial0.0,id=port1 -drive file=/fuxc/rhel7.qcow2,if=none,id=drive-system-disk,format=qcow2,cache=none,aio=native,werror=stop,rerror=stop,serial=QEMU-DISK1 -device ide-hd,bus=ide.0,unit=0,drive=drive-system-disk,id=system-disk,bootindex=1 -netdev tap,id=hostnet0,vhost=off,script=/etc/qemu-ifup -device virtio-net-pci,netdev=hostnet0,id=virtio-net-pci0,mac=08:2E:5F:2A:2D:B2,bus=pcie.0,addr=0x4,event_idx=off,bootindex=0 -device virtio-balloon-pci,id=ballooning,bus=pcie.0,addr=0x5 -global PIIX4_PM.disable_s3=0 -global PIIX4_PM.disable_s4=0 -serial unix:/tmp/ttyS0,server,nowait -qmp tcp:0:4444,server,nowait -k en-us -boot menu=on -vnc :1 -monitor stdio -chardev socket,path=/tmp/qga.sock,server,nowait,id=qga0 -device virtio-serial -device virtserialport,chardev=qga0,name=org.qemu.guest_agent.0 -usb -device usb-mouse,id=mouse1 -device usb-mouse,id=mouse2 -device usb-ehci,id=ehci -device usb-storage,drive=drive-usb-0-0,id=usb-0-0,removable=on,bus=ehci.0,port=1 -drive file=storage/usb-storage2.qcow2,if=none,id=drive-usb-0-0,media=disk,format=qcow2,cache=none,aio=native -device nec-usb-xhci,id=xhci0 -drive file=storage/usb-storage1.qcow2,if=none,id=drive-usb-0-1,media=disk,format=qcow2,cache=none,aio=native -device usb-storage,drive=drive-usb-0-1,id=usb-0-1,removable=on

Actual results:
core dump:
(gdb) bt
#0  0x00007ffff2afaba5 in raise () from /lib64/libc.so.6
#1  0x00007ffff2afc358 in abort () from /lib64/libc.so.6
#2  0x00007ffff2af3972 in __assert_fail_base () from /lib64/libc.so.6
#3  0x00007ffff2af3a22 in __assert_fail () from /lib64/libc.so.6
#4  0x00005555556c9068 in usb_packet_setup (p=p@entry=0x7fffe71fa810, pid=pid@entry=225, ep=<optimized out>, id=id@entry=0, short_not_ok=short_not_ok@entry=false, 
    int_req=int_req@entry=false) at hw/usb/core.c:552
#5  0x00005555556e3f9c in xhci_address_slot (bsr=false, pictx=<optimized out>, slotid=1, xhci=0x7fffe5ac7010) at hw/usb/hcd-xhci.c:1979
#6  xhci_process_commands (xhci=<optimized out>) at hw/usb/hcd-xhci.c:2326
#7  0x00005555557c2942 in access_with_adjusted_size (addr=addr@entry=0, value=value@entry=0x7fffe71fa9f0, size=size@entry=4, access_size_min=<optimized out>, 
    access_size_max=<optimized out>, access=access@entry=0x5555557c2f60 <memory_region_write_accessor>, opaque=opaque@entry=0x7fffe5ac7a18)
    at /usr/src/debug/qemu-1.4.0/memory.c:364
#8  0x00005555557c7c5a in memory_region_dispatch_write (size=4, data=0, addr=0, mr=0x7fffe5ac7a18) at /usr/src/debug/qemu-1.4.0/memory.c:916
#9  io_mem_write (mr=0x7fffe5ac7a18, addr=0, val=<optimized out>, size=<optimized out>) at /usr/src/debug/qemu-1.4.0/memory.c:1597
#10 0x00005555557c2942 in access_with_adjusted_size (addr=addr@entry=0, value=value@entry=0x7fffe71faa90, size=size@entry=4, access_size_min=<optimized out>, 
    access_size_max=<optimized out>, access=access@entry=0x5555557c2f60 <memory_region_write_accessor>, opaque=opaque@entry=0x7fffd8007320)
    at /usr/src/debug/qemu-1.4.0/memory.c:364
#11 0x00005555557c7c5a in memory_region_dispatch_write (size=4, data=0, addr=0, mr=0x7fffd8007320) at /usr/src/debug/qemu-1.4.0/memory.c:916
#12 io_mem_write (mr=0x7fffd8007320, addr=0, val=<optimized out>, size=size@entry=4) at /usr/src/debug/qemu-1.4.0/memory.c:1597
#13 0x000055555577365d in address_space_rw (as=as@entry=0x5555564914a0 <address_space_memory>, addr=4273938432, buf=buf@entry=0x7ffff7fed028 "", len=4, 
    is_write=true) at /usr/src/debug/qemu-1.4.0/exec.c:1893
#14 0x0000555555773755 in cpu_physical_memory_rw (addr=<optimized out>, buf=buf@entry=0x7ffff7fed028 "", len=<optimized out>, is_write=<optimized out>)
    at /usr/src/debug/qemu-1.4.0/exec.c:1975
#15 0x00005555557c0b35 in kvm_cpu_exec (env=env@entry=0x55555697b440) at /usr/src/debug/qemu-1.4.0/kvm-all.c:1590
#16 0x000055555576a871 in qemu_kvm_cpu_thread_fn (arg=0x55555697b440) at /usr/src/debug/qemu-1.4.0/cpus.c:759
#17 0x00007ffff6487d15 in start_thread () from /lib64/libpthread.so.0
#18 0x00007ffff2bb746d in clone () from /lib64/libc.so.6
(gdb) q



Expected results:
work well

Additional info:

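The assertion in the trace above checks that the packet's I/O vector was allocated before the packet is used. As an added illustration, not code from QEMU or from this report, the following C model reproduces that precondition with simplified structs and shows the zeroed-on-the-stack case beside the properly initialised one; the struct and function names are assumptions, and pid 225 is the value seen in the backtrace.

```c
/* Added example, not QEMU's code: a model of the precondition behind
 * "usb_packet_setup: Assertion `p->iov.iov != ((void *)0)' failed".
 * The real packet embeds a scatter/gather vector that an init routine
 * allocates; setup asserts it is present and abort()s the whole VM if not. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

struct iovec_model { void *iov_base; size_t iov_len; };

typedef struct {
    struct iovec_model *iov;   /* NULL until the packet is initialised */
    int niov, nalloc;
    size_t size;
} IOVecModel;

typedef struct {
    int pid;                   /* USB token, 225 (0xe1) = OUT in the trace */
    unsigned long long id;
    IOVecModel iov;
} USBPacketModel;

/* Models the init routine: zero the packet and allocate iov storage. */
void packet_init(USBPacketModel *p)
{
    memset(p, 0, sizeof(*p));
    p->iov.nalloc = 1;
    p->iov.iov = calloc((size_t)p->iov.nalloc, sizeof(*p->iov.iov));
}

void packet_cleanup(USBPacketModel *p)
{
    free(p->iov.iov);
    p->iov.iov = NULL;
}

/* Models the setup routine.  Returns false where QEMU would assert and
 * abort, so both outcomes can be observed without crashing the process. */
bool packet_setup(USBPacketModel *p, int pid, unsigned long long id)
{
    if (p->iov.iov == NULL) {
        return false;          /* QEMU: assert(p->iov.iov != NULL) */
    }
    p->pid = pid;
    p->id = id;
    p->iov.niov = 0;
    p->iov.size = 0;
    return true;
}

/* Defective pattern: stack packet, zeroed but never initialised. */
bool setup_uninitialised(void)
{
    USBPacketModel p;
    memset(&p, 0, sizeof(p));
    return packet_setup(&p, 225, 0);
}

/* Safe pattern: init, setup, cleanup paired on every path. */
bool setup_initialised(void)
{
    USBPacketModel p;
    packet_init(&p);
    bool ok = packet_setup(&p, 225, 0);
    packet_cleanup(&p);
    return ok;
}
```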
Comment 2 Sibiao Luo 2013-04-23 08:12:58 UTC
Hit the same issue when I pass through USB 2.0 and USB 3.0 sticks to a RHEL 7 guest using xHCI; qemu will always core dump.
host info:
kernel-3.9.0-0.rc7.53.el7.x86_64
qemu-kvm-1.4.0-2.1.el7.x86_64
seabios-1.7.2-0.2.gita810e4e7.el7.x86_64
guest info:
kernel-3.9.0-0.rc7.53.el7.x86_64

# /usr/libexec/qemu-kvm -S -M q35 -cpu SandyBridge -enable-kvm...-device nec-usb-xhci,id=xhci0,bus=bridge1,addr=0x9 -device usb-host,hostbus=3,hostaddr=2,id=hostdev1,bus=xhci0.0 -device usb-host,hostbus=4,hostaddr=2,id=hostdev2,bus=xhci0.0

(qemu) info usb
  Device 0.0, Port 1, Speed 480 Mb/s, Product DT 101 G2
  Device 0.0, Port 2, Speed 5000 Mb/s, Product host:4.2
(qemu) 
(qemu) xhci_runtime_read: reg 0x4 unimplemented
xhci_runtime_read: reg 0x8 unimplemented
xhci_runtime_read: reg 0xc unimplemented
xhci_runtime_read: reg 0x10 unimplemented
xhci_runtime_read: reg 0x14 unimplemented
xhci_runtime_read: reg 0x18 unimplemented
xhci_runtime_read: reg 0x1c unimplemented
qemu-kvm: hw/usb/core.c:552: usb_packet_setup: Assertion `p->iov.iov != ((void *)0)' failed.
Aborted (core dumped)
(gdb) bt
#0  0x00007f310bfa9819 in raise () from /lib64/libc.so.6
#1  0x00007f310bfaaf28 in abort () from /lib64/libc.so.6
#2  0x00007f310bfa27f6 in __assert_fail_base () from /lib64/libc.so.6
#3  0x00007f310bfa28a2 in __assert_fail () from /lib64/libc.so.6
#4  0x00007f3111883018 in usb_packet_setup (p=p@entry=0x7f30feffc860, pid=pid@entry=225, ep=<optimized out>, 
    id=id@entry=0, short_not_ok=short_not_ok@entry=false, int_req=int_req@entry=false) at hw/usb/core.c:552
#5  0x00007f311189d899 in xhci_address_slot (bsr=<optimized out>, pictx=<optimized out>, slotid=2, xhci=0x7f30fcf0f010)
    at hw/usb/hcd-xhci.c:1979
#6  xhci_process_commands (xhci=0x7f30fcf0f010) at hw/usb/hcd-xhci.c:2326
#7  0x00007f3111976b62 in access_with_adjusted_size (addr=addr@entry=0, value=value@entry=0x7f30feffca40, 
    size=size@entry=4, access_size_min=<optimized out>, access_size_max=<optimized out>, access=access@entry=
    0x7f3111977120 <memory_region_write_accessor>, opaque=opaque@entry=0x7f30fcf0fa18)
    at /usr/src/debug/qemu-1.4.0/memory.c:364
#8  0x00007f311197bafb in memory_region_dispatch_write (size=4, data=0, addr=0, mr=0x7f30fcf0fa18)
    at /usr/src/debug/qemu-1.4.0/memory.c:916
#9  io_mem_write (mr=0x7f30fcf0fa18, addr=0, val=<optimized out>, size=<optimized out>)
    at /usr/src/debug/qemu-1.4.0/memory.c:1597
#10 0x00007f3111976b62 in access_with_adjusted_size (addr=addr@entry=0, value=value@entry=0x7f30feffcaf0, 
    size=size@entry=4, access_size_min=<optimized out>, access_size_max=<optimized out>, access=access@entry=
    0x7f3111977120 <memory_region_write_accessor>, opaque=opaque@entry=0x7f30f8007320)
    at /usr/src/debug/qemu-1.4.0/memory.c:364
#11 0x00007f311197bafb in memory_region_dispatch_write (size=4, data=0, addr=0, mr=0x7f30f8007320)
    at /usr/src/debug/qemu-1.4.0/memory.c:916
#12 io_mem_write (mr=0x7f30f8007320, addr=0, val=<optimized out>, size=size@entry=4)
    at /usr/src/debug/qemu-1.4.0/memory.c:1597
#13 0x00007f3111929e0d in address_space_rw (as=as@entry=0x7f3112667de0 <address_space_memory>, addr=4272168960, 
    buf=buf@entry=0x7f3111705028 <Address 0x7f3111705028 out of bounds>, len=4, is_write=true)
    at /usr/src/debug/qemu-1.4.0/exec.c:1893
#14 0x00007f3111929f05 in cpu_physical_memory_rw (addr=<optimized out>, buf=buf@entry=
    0x7f3111705028 <Address 0x7f3111705028 out of bounds>, len=<optimized out>, is_write=<optimized out>)
    at /usr/src/debug/qemu-1.4.0/exec.c:1975
#15 0x00007f3111974d55 in kvm_cpu_exec (env=env@entry=0x7f31133aa790) at /usr/src/debug/qemu-1.4.0/kvm-all.c:1590
#16 0x00007f3111921431 in qemu_kvm_cpu_thread_fn (arg=0x7f31133aa790) at /usr/src/debug/qemu-1.4.0/cpus.c:759
#17 0x00007f310f989c53 in start_thread () from /lib64/libpthread.so.0
#18 0x00007f310c068ecd in clone () from /lib64/libc.so.6
(gdb) q

Comment 3 Gerd Hoffmann 2013-05-14 13:39:22 UTC
Fixed by upstream commit a67188743bc30a3ad1358b8cd0a2a3cb64c10ff9.

Comment 4 Miroslav Rezanina 2013-05-23 12:06:21 UTC
Build in qemu-kvm-1.5.0-1.el7

Comment 5 Sibiao Luo 2013-07-03 09:05:08 UTC
Reproduced this on qemu-kvm-1.4.0-1.el7.x86_64.
step:
the same as comment #0.
result:
qemu core dump.

Verified this issue on qemu-kvm-1.5.1-1.el7.x86_64: there is no such problem for usb-storage with the xhci controller, and it works well in the guest.
But passing through a USB 3.0 stick to the guest with the xhci controller still core dumps; please refer to bug 980377.

host info:
3.10.0-0.rc7.64.el7.x86_64
qemu-kvm-1.5.1-1.el7.x86_64
guest info:
3.10.0-0.rc7.64.el7.x86_64

# /usr/libexec/qemu-kvm -M q35 -cpu SandyBridge -enable-kvm -m 4096 -smp 4,sockets=2,cores=2,threads=1 -no-kvm-pit-reinjection -name sluo -uuid 355a2475-4e03-4cdd-bf7b-5d6a59edaa61 -rtc base=localtime,clock=host,driftfix=slew -device pci-bridge,bus=pcie.0,id=bridge1,chassis_nr=1,addr=0x3 -device virtio-serial-pci,id=virtio-serial0,max_ports=16,vectors=0,bus=bridge1,addr=0x4 -chardev socket,id=channel1,path=/tmp/helloworld1,server,nowait -device virtserialport,chardev=channel1,name=com.redhat.rhevm.vdsm,bus=virtio-serial0.0,id=port1 -chardev socket,id=channel2,path=/tmp/helloworld2,server,nowait -device virtserialport,chardev=channel2,name=com.redhat.rhevm.vdsm,bus=virtio-serial0.0,id=port2 -drive file=/home/RHEL-7.0-20130628.0-Server-x86_64.qcow3,if=none,id=drive-system-disk,format=qcow2,cache=none,aio=native,werror=stop,rerror=stop,serial="QEMU-DISK1" -device virtio-scsi-pci,num_queues=4,id=scsi0,bus=bridge1,addr=0x5 -device scsi-hd,bus=scsi0.0,drive=drive-system-disk,id=system-disk,bootindex=1 -device virtio-balloon-pci,id=ballooning,bus=bridge1,addr=0x6 -global PIIX4_PM.disable_s3=0 -global PIIX4_PM.disable_s4=0 -netdev tap,id=hostnet0,vhost=on,queues=4,script=/etc/qemu-ifup -device virtio-net-pci,mq=on,vectors=17,netdev=hostnet0,id=virtio-net-pci0,mac=08:2e:5f:0a:0d:b1,bus=bridge1,addr=0x7,bootindex=2 -k en-us -boot menu=on -qmp tcp:0:4444,server,nowait -serial unix:/tmp/ttyS0,server,nowait -vnc :1 -spice port=5931,disable-ticketing -monitor stdio -device nec-usb-xhci,id=xhci,bus=bridge1,addr=0x8 -drive file=/home/my-usb-storage1.qcow3,if=none,id=storage0,media=disk,cache=none,format=qcow2 -device usb-storage,drive=storage0,id=usb-storage0,bus=xhci.0
(qemu) info block
drive-system-disk: removable=0 io-status=ok file=/home/RHEL-7.0-20130628.0-Server-x86_64.qcow3 ro=0 drv=qcow2 encrypted=0 bps=0 bps_rd=0 bps_wr=0 iops=0 iops_rd=0 iops_wr=0
storage0: removable=0 io-status=ok file=/home/my-usb-storage1.qcow3 ro=0 drv=qcow2 encrypted=0 bps=0 bps_rd=0 bps_wr=0 iops=0 iops_rd=0 iops_wr=0
ide1-cd0: removable=1 locked=0 tray-open=0 [not inserted]
floppy0: removable=1 locked=0 tray-open=0 [not inserted]
sd0: removable=1 locked=0 tray-open=0 [not inserted]
(qemu) 

Based on the above, the simulated storage for xhci has been fixed correctly, so I set this issue to VERIFIED status; please correct me if I made any mistake.

Best Regards,
sluo

Comment 7 Ludek Smid 2014-06-13 10:55:00 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

