Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 980738

Summary: QEMU core dump when passthrough USB Webcam to guest with xHCI controller
Product: Red Hat Enterprise Linux 7 Reporter: Sibiao Luo <sluo>
Component: qemu-kvmAssignee: Gerd Hoffmann <kraxel>
Status: CLOSED DUPLICATE QA Contact: Virtualization Bugs <virt-bugs>
Severity: high Docs Contact:
Priority: high    
Version: 7.0CC: acathrow, chayang, hhuang, juzhang, kraxel, mazhang, michen, qzhang, rhod, shuang, virt-maint, xfu
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-07-24 07:29:53 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Sibiao Luo 2013-07-03 07:18:23 UTC 
Description of problem:
insert a USB Webcam to host var physically XHCI controller, and passthrough it to guest with xhci controller, after a while the QEMU core dump.

Version-Release number of selected component (if applicable):
host info:
3.10.0-0.rc7.64.el7.x86_64
qemu-kvm-1.5.1-1.el7.x86_64
guest info:
3.10.0-0.rc7.64.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1.insert a USB Webcam to host var physically XHCI controller.
2.get the bus and addr of USB Webcam info.
# lsusb
Bus 003 Device 002: ID 0ac8:3450 Z-Star Microelectronics Corp.
3.pathrough USB Webcam to guest var xhci controller.
# /usr/libexec/qemu-kvm -M q35 -cpu SandyBridge -enable-kvm -m 4096 -smp 4,sockets=2,cores=2,threads=1 -no-kvm-pit-reinjection -name sluo -uuid 355a2475-4e03-4cdd-bf7b-5d6a59edaa61 -rtc base=localtime,clock=host,driftfix=slew -device pci-bridge,bus=pcie.0,id=bridge1,chassis_nr=1,addr=0x3 -device virtio-serial-pci,id=virtio-serial0,max_ports=16,vectors=0,bus=bridge1,addr=0x4 -chardev socket,id=channel1,path=/tmp/helloworld1,server,nowait -device virtserialport,chardev=channel1,name=com.redhat.rhevm.vdsm,bus=virtio-serial0.0,id=port1 -chardev socket,id=channel2,path=/tmp/helloworld2,server,nowait -device virtserialport,chardev=channel2,name=com.redhat.rhevm.vdsm,bus=virtio-serial0.0,id=port2 -drive file=/home/RHEL-7.0-20130628.0-Server-x86_64.qcow3,if=none,id=drive-system-disk,format=qcow2,cache=none,aio=native,werror=stop,rerror=stop,serial="QEMU-DISK1" -device virtio-scsi-pci,num_queues=4,id=scsi0,bus=bridge1,addr=0x5 -device scsi-hd,bus=scsi0.0,drive=drive-system-disk,id=system-disk,bootindex=1 -device virtio-balloon-pci,id=ballooning,bus=bridge1,addr=0x6 -global PIIX4_PM.disable_s3=0 -global PIIX4_PM.disable_s4=0 -netdev tap,id=hostnet0,vhost=on,queues=4,script=/etc/qemu-ifup -device virtio-net-pci,mq=on,vectors=17,netdev=hostnet0,id=virtio-net-pci0,mac=08:2e:5f:0a:0d:b1,bus=bridge1,addr=0x7,bootindex=2 -k en-us -boot menu=on -qmp tcp:0:4444,server,nowait -serial unix:/tmp/ttyS0,server,nowait -vnc :1 -spice port=5931,disable-ticketing -monitor stdio -device nec-usb-xhci,id=xhci,bus=bridge1,addr=0x8 -device usb-host,hostbus=3,hostaddr=2,id=Z-Star,bus=xhci.0

Actual results:
after step 2, the qemu core dump, i will paste the bt log later.
(qemu) qemu-kvm: hw/usb/core.c:413: usb_handle_packet: Assertion `p->ep->type != 3 || (dev->flags & (1 << USB_DEV_FLAG_IS_HOST))' failed.
Aborted (core dumped)

Expected results:
it should no any core dump, the USB Webcam should work well in guest.

Additional info:
Comment 1 Sibiao Luo 2013-07-03 07:19:53 UTC 
(gdb) bt
#0  0x00007fa69571ea19 in raise () from /lib64/libc.so.6
#1  0x00007fa695720128 in abort () from /lib64/libc.so.6
#2  0x00007fa695717986 in __assert_fail_base () from /lib64/libc.so.6
#3  0x00007fa695717a32 in __assert_fail () from /lib64/libc.so.6
#4  0x00007fa699f3d2d7 in usb_handle_packet (dev=<optimized out>, p=p@entry=0x7fa680054ba0) at hw/usb/core.c:412
#5  0x00007fa699f5083b in xhci_submit (epctx=0x7fa680054b70, xfer=0x7fa680054b98, xhci=0x7fa67dd38010)
    at hw/usb/hcd-xhci.c:1861
#6  xhci_fire_transfer (epctx=0x7fa680054b70, xfer=0x7fa680054b98, xhci=0x7fa67dd38010) at hw/usb/hcd-xhci.c:1873
#7  xhci_kick_ep (xhci=0x7fa67dd38010, slotid=1, epid=3, streamid=0) at hw/usb/hcd-xhci.c:1995
#8  0x00007fa69a0307b2 in access_with_adjusted_size (addr=addr@entry=4, value=value@entry=0x7fa68c8e7a40, 
    size=size@entry=4, access_size_min=<optimized out>, access_size_max=<optimized out>, access=access@entry=
    0x7fa69a030d70 <memory_region_write_accessor>, opaque=opaque@entry=0x7fa67dd38a30)
    at /usr/src/debug/qemu-1.5.1/memory.c:364
#9  0x00007fa69a03574b in memory_region_dispatch_write (size=4, data=3, addr=4, mr=0x7fa67dd38a30)
    at /usr/src/debug/qemu-1.5.1/memory.c:916
#10 io_mem_write (mr=0x7fa67dd38a30, addr=4, val=<optimized out>, size=4) at /usr/src/debug/qemu-1.5.1/memory.c:1597
#11 0x00007fa69a0307b2 in access_with_adjusted_size (addr=addr@entry=4, value=value@entry=0x7fa68c8e7af0, 
    size=size@entry=4, access_size_min=<optimized out>, access_size_max=<optimized out>, access=access@entry=
    0x7fa69a030d70 <memory_region_write_accessor>, opaque=opaque@entry=0x7fa678007320)
    at /usr/src/debug/qemu-1.5.1/memory.c:364
#12 0x00007fa69a03574b in memory_region_dispatch_write (size=4, data=3, addr=4, mr=0x7fa678007320)
    at /usr/src/debug/qemu-1.5.1/memory.c:916
#13 io_mem_write (mr=0x7fa678007320, addr=4, val=<optimized out>, size=size@entry=4)
    at /usr/src/debug/qemu-1.5.1/memory.c:1597
#14 0x00007fa699fe377d in address_space_rw (as=as@entry=0x7fa69acfdf80 <address_space_memory>, addr=4272168964, 
    buf=buf@entry=0x7fa699cbf028 <Address 0x7fa699cbf028 out of bounds>, len=4, is_write=true)
    at /usr/src/debug/qemu-1.5.1/exec.c:1916
#15 0x00007fa699fe3875 in cpu_physical_memory_rw (addr=<optimized out>, 
    buf=buf@entry=0x7fa699cbf028 <Address 0x7fa699cbf028 out of bounds>, len=<optimized out>, is_write=<optimized out>)
    at /usr/src/debug/qemu-1.5.1/exec.c:1998
#16 0x00007fa69a02f245 in kvm_cpu_exec (env=env@entry=0x7fa69b8f0070) at /usr/src/debug/qemu-1.5.1/kvm-all.c:1643
#17 0x00007fa699fda375 in qemu_kvm_cpu_thread_fn (arg=0x7fa69b8f0070) at /usr/src/debug/qemu-1.5.1/cpus.c:759
#18 0x00007fa698057c53 in start_thread () from /lib64/libpthread.so.0
#19 0x00007fa6957de13d in clone () from /lib64/libc.so.6
(gdb) bt full
#0  0x00007fa69571ea19 in raise () from /lib64/libc.so.6
No symbol table info available.
#1  0x00007fa695720128 in abort () from /lib64/libc.so.6
No symbol table info available.
#2  0x00007fa695717986 in __assert_fail_base () from /lib64/libc.so.6
No symbol table info available.
#3  0x00007fa695717a32 in __assert_fail () from /lib64/libc.so.6
No symbol table info available.
#4  0x00007fa699f3d2d7 in usb_handle_packet (dev=<optimized out>, p=p@entry=0x7fa680054ba0) at hw/usb/core.c:412
        __PRETTY_FUNCTION__ = "usb_handle_packet"
#5  0x00007fa699f5083b in xhci_submit (epctx=0x7fa680054b70, xfer=0x7fa680054b98, xhci=0x7fa67dd38010)
    at hw/usb/hcd-xhci.c:1861
        mfindex = <optimized out>
#6  xhci_fire_transfer (epctx=0x7fa680054b70, xfer=0x7fa680054b98, xhci=0x7fa67dd38010) at hw/usb/hcd-xhci.c:1873
No locals.
#7  xhci_kick_ep (xhci=0x7fa67dd38010, slotid=1, epid=3, streamid=0) at hw/usb/hcd-xhci.c:1995
        xfer = 0x7fa680054b98
        stctx = <optimized out>
        epctx = 0x7fa680054b70
        ring = 0x7fa680054b80
        ep = 0x0
        mfindex = <optimized out>
        i = <optimized out>
        __PRETTY_FUNCTION__ = "xhci_kick_ep"
#8  0x00007fa69a0307b2 in access_with_adjusted_size (addr=addr@entry=4, value=value@entry=0x7fa68c8e7a40, 
    size=size@entry=4, access_size_min=<optimized out>, access_size_max=<optimized out>, access=access@entry=
    0x7fa69a030d70 <memory_region_write_accessor>, opaque=opaque@entry=0x7fa67dd38a30)
    at /usr/src/debug/qemu-1.5.1/memory.c:364
        access_mask = 4294967295
        access_size = 4
        i = <optimized out>
#9  0x00007fa69a03574b in memory_region_dispatch_write (size=4, data=3, addr=4, mr=0x7fa67dd38a30)
    at /usr/src/debug/qemu-1.5.1/memory.c:916
No locals.
#10 io_mem_write (mr=0x7fa67dd38a30, addr=4, val=<optimized out>, size=4) at /usr/src/debug/qemu-1.5.1/memory.c:1597
No locals.
#11 0x00007fa69a0307b2 in access_with_adjusted_size (addr=addr@entry=4, value=value@entry=0x7fa68c8e7af0, 
    size=size@entry=4, access_size_min=<optimized out>, access_size_max=<optimized out>, access=access@entry=
    0x7fa69a030d70 <memory_region_write_accessor>, opaque=opaque@entry=0x7fa678007320)
    at /usr/src/debug/qemu-1.5.1/memory.c:364
        access_mask = 4294967295
        access_size = 4
        i = <optimized out>
#12 0x00007fa69a03574b in memory_region_dispatch_write (size=4, data=3, addr=4, mr=0x7fa678007320)
    at /usr/src/debug/qemu-1.5.1/memory.c:916
No locals.
#13 io_mem_write (mr=0x7fa678007320, addr=4, val=<optimized out>, size=size@entry=4)
    at /usr/src/debug/qemu-1.5.1/memory.c:1597
No locals.
#14 0x00007fa699fe377d in address_space_rw (as=as@entry=0x7fa69acfdf80 <address_space_memory>, addr=4272168964, 
    buf=buf@entry=0x7fa699cbf028 <Address 0x7fa699cbf028 out of bounds>, len=4, is_write=true)
    at /usr/src/debug/qemu-1.5.1/exec.c:1916
        addr1 = <optimized out>
        d = 0x7fa69b6fc810
        l = 4
        ptr = <optimized out>
        val = <optimized out>
        page = 4272168960
        section = <optimized out>
#15 0x00007fa699fe3875 in cpu_physical_memory_rw (addr=<optimized out>, 
    buf=buf@entry=0x7fa699cbf028 <Address 0x7fa699cbf028 out of bounds>, len=<optimized out>, is_write=<optimized out>)
    at /usr/src/debug/qemu-1.5.1/exec.c:1998
No locals.
#16 0x00007fa69a02f245 in kvm_cpu_exec (env=env@entry=0x7fa69b8f0070) at /usr/src/debug/qemu-1.5.1/kvm-all.c:1643
        cpu = 0x7fa69b8eff60
        __func__ = "kvm_cpu_exec"
        run = 0x7fa699cbf000
        ret = <optimized out>
        run_ret = 0
#17 0x00007fa699fda375 in qemu_kvm_cpu_thread_fn (arg=0x7fa69b8f0070) at /usr/src/debug/qemu-1.5.1/cpus.c:759
        cpu = 0x7fa69b8eff60
        __func__ = "qemu_kvm_cpu_thread_fn"
        r = <optimized out>
#18 0x00007fa698057c53 in start_thread () from /lib64/libpthread.so.0
No symbol table info available.
#19 0x00007fa6957de13d in clone () from /lib64/libc.so.6
No symbol table info available.
(gdb)
Comment 2 Sibiao Luo 2013-07-03 07:23:19 UTC 
# lsusb -vv
Bus 003 Device 002: ID 0ac8:3450 Z-Star Microelectronics Corp. 
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               2.00
  bDeviceClass          239 Miscellaneous Device
  bDeviceSubClass         2 ?
  bDeviceProtocol         1 Interface Association
  bMaxPacketSize0        64
  idVendor           0x0ac8 Z-Star Microelectronics Corp.
  idProduct          0x3450 
  bcdDevice            1.a2
  iManufacturer           1 Vimicro Corp.
  iProduct                2 Altair USB2.0 Camera
  iSerial                 0 
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength          481
    bNumInterfaces          2
    bConfigurationValue     1
    iConfiguration          0 
    bmAttributes         0x80
      (Bus Powered)
    MaxPower              320mA
    Interface Association:
      bLength                 8
      bDescriptorType        11
      bFirstInterface         0
      bInterfaceCount         2
      bFunctionClass         14 Video
      bFunctionSubClass       3 Video Interface Collection
      bFunctionProtocol       0 
      iFunction               2 Altair USB2.0 Camera
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           1
      bInterfaceClass        14 Video
      bInterfaceSubClass      1 Video Control
      bInterfaceProtocol      0 
      iInterface              2 Altair USB2.0 Camera
      VideoControl Interface Descriptor:
        bLength                13
        bDescriptorType        36
        bDescriptorSubtype      1 (HEADER)
        bcdUVC               1.00
        wTotalLength           79
        dwClockFrequency       30.000000MHz
        bInCollection           1
        baInterfaceNr( 0)       1
      VideoControl Interface Descriptor:
        bLength                18
        bDescriptorType        36
        bDescriptorSubtype      2 (INPUT_TERMINAL)
        bTerminalID             1
        wTerminalType      0x0201 Camera Sensor
        bAssocTerminal          0
        iTerminal               0 
        wObjectiveFocalLengthMin      0
        wObjectiveFocalLengthMax      0
        wOcularFocalLength            0
        bControlSize                  3
        bmControls           0x0002002a
          Auto-Exposure Mode
          Exposure Time (Absolute)
          Focus (Absolute)
          Focus, Auto
      VideoControl Interface Descriptor:
        bLength                11
        bDescriptorType        36
        bDescriptorSubtype      5 (PROCESSING_UNIT)
      Warning: Descriptor too short
        bUnitID                 2
        bSourceID               1
        wMaxMultiplier          0
        bControlSize            2
        bmControls     0x0000177b
          Brightness
          Contrast
          Saturation
          Sharpness
          Gamma
          White Balance Temperature
          Backlight Compensation
          Gain
          Power Line Frequency
          White Balance Temperature, Auto
        iProcessing             0 
        bmVideoStandards     0x 9
          None
          SECAM - 625/50
      VideoControl Interface Descriptor:
        bLength                 9
        bDescriptorType        36
        bDescriptorSubtype      3 (OUTPUT_TERMINAL)
        bTerminalID             3
        wTerminalType      0x0101 USB Streaming
        bAssocTerminal          0
        bSourceID               2
        iTerminal               0 
      VideoControl Interface Descriptor:
        bLength                28
        bDescriptorType        36
        bDescriptorSubtype      6 (EXTENSION_UNIT)
        bUnitID                 4
        guidExtensionCode         {5dc717a9-1941-da11-ae0e-000d56ac7b4c}
        bNumControl             8
        bNrPins                 1
        baSourceID( 0)          1
        bControlSize            3
        bmControls( 0)       0x59
        bmControls( 1)       0x80
        bmControls( 2)       0x80
        iExtension              0 
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x000a  1x 10 bytes
        bInterval               5
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        1
      bAlternateSetting       0
      bNumEndpoints           0
      bInterfaceClass        14 Video
      bInterfaceSubClass      2 Video Streaming
      bInterfaceProtocol      0 
      iInterface              0 
      VideoStreaming Interface Descriptor:
        bLength                            14
        bDescriptorType                    36
        bDescriptorSubtype                  1 (INPUT_HEADER)
        bNumFormats                         1
        wTotalLength                      243
        bEndPointAddress                  130
        bmInfo                              0
        bTerminalLink                       3
        bStillCaptureMethod                 2
        bTriggerSupport                     1
        bTriggerUsage                       1
        bControlSize                        1
        bmaControls( 0)                    27
      VideoStreaming Interface Descriptor:
        bLength                            27
        bDescriptorType                    36
        bDescriptorSubtype                  4 (FORMAT_UNCOMPRESSED)
        bFormatIndex                        1
        bNumFrameDescriptors                5
        guidFormat                            {59555932-0000-1000-8000-00aa00389b71}
        bBitsPerPixel                      16
        bDefaultFrameIndex                  1
        bAspectRatioX                       0
        bAspectRatioY                       0
        bmInterlaceFlags                 0x00
          Interlaced stream or variable: No
          Fields per frame: 2 fields
          Field 1 first: No
          Field pattern: Field 1 only
          bCopyProtect                      0
      VideoStreaming Interface Descriptor:
        bLength                            34
        bDescriptorType                    36
        bDescriptorSubtype                  5 (FRAME_UNCOMPRESSED)
        bFrameIndex                         1
        bmCapabilities                   0x00
          Still image unsupported
        wWidth                            640
        wHeight                           480
        dwMinBitRate                   768000
        dwMaxBitRate                196608000
        dwMaxVideoFrameBufferSize      614400
        dwDefaultFrameInterval         333333
        bFrameIntervalType                  2
        dwFrameInterval( 0)            333333
        dwFrameInterval( 1)            666667
      VideoStreaming Interface Descriptor:
        bLength                            34
        bDescriptorType                    36
        bDescriptorSubtype                  5 (FRAME_UNCOMPRESSED)
        bFrameIndex                         2
        bmCapabilities                   0x00
          Still image unsupported
        wWidth                            352
        wHeight                           288
        dwMinBitRate                   768000
        dwMaxBitRate                196608000
        dwMaxVideoFrameBufferSize      202752
        dwDefaultFrameInterval         333333
        bFrameIntervalType                  2
        dwFrameInterval( 0)            333333
        dwFrameInterval( 1)            666667
      VideoStreaming Interface Descriptor:
        bLength                            34
        bDescriptorType                    36
        bDescriptorSubtype                  5 (FRAME_UNCOMPRESSED)
        bFrameIndex                         3
        bmCapabilities                   0x00
          Still image unsupported
        wWidth                            320
        wHeight                           240
        dwMinBitRate                   768000
        dwMaxBitRate                196608000
        dwMaxVideoFrameBufferSize      153600
        dwDefaultFrameInterval         333333
        bFrameIntervalType                  2
        dwFrameInterval( 0)            333333
        dwFrameInterval( 1)            666667
      VideoStreaming Interface Descriptor:
        bLength                            34
        bDescriptorType                    36
        bDescriptorSubtype                  5 (FRAME_UNCOMPRESSED)
        bFrameIndex                         4
        bmCapabilities                   0x00
          Still image unsupported
        wWidth                            176
        wHeight                           144
        dwMinBitRate                   768000
        dwMaxBitRate                196608000
        dwMaxVideoFrameBufferSize       50688
        dwDefaultFrameInterval         333333
        bFrameIntervalType                  2
        dwFrameInterval( 0)            333333
        dwFrameInterval( 1)            666667
      VideoStreaming Interface Descriptor:
        bLength                            34
        bDescriptorType                    36
        bDescriptorSubtype                  5 (FRAME_UNCOMPRESSED)
        bFrameIndex                         5
        bmCapabilities                   0x00
          Still image unsupported
        wWidth                            160
        wHeight                           120
        dwMinBitRate                   768000
        dwMaxBitRate                196608000
        dwMaxVideoFrameBufferSize       38400
        dwDefaultFrameInterval         333333
        bFrameIntervalType                  2
        dwFrameInterval( 0)            333333
        dwFrameInterval( 1)            666667
      VideoStreaming Interface Descriptor:
        bLength                            26
        bDescriptorType                    36
        bDescriptorSubtype                  3 (STILL_IMAGE_FRAME)
        bEndpointAddress                    0
        bNumImageSizePatterns               5
        wWidth( 0)                        640
        wHeight( 0)                       480
        wWidth( 1)                        352
        wHeight( 1)                       288
        wWidth( 2)                        320
        wHeight( 2)                       240
        wWidth( 3)                        176
        wHeight( 3)                       144
        wWidth( 4)                        160
        wHeight( 4)                       120
        bNumCompressionPatterns             5
      VideoStreaming Interface Descriptor:
        bLength                             6
        bDescriptorType                    36
        bDescriptorSubtype                 13 (COLORFORMAT)
        bColorPrimaries                     0 (Unspecified)
        bTransferCharacteristics            0 (Unspecified)
        bMatrixCoefficients                 0 (Unspecified)
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        1
      bAlternateSetting       1
      bNumEndpoints           1
      bInterfaceClass        14 Video
      bInterfaceSubClass      2 Video Streaming
      bInterfaceProtocol      0 
      iInterface              0 
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x82  EP 2 IN
        bmAttributes            5
          Transfer Type            Isochronous
          Synch Type               Asynchronous
          Usage Type               Data
        wMaxPacketSize     0x0080  1x 128 bytes
        bInterval               1
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        1
      bAlternateSetting       2
      bNumEndpoints           1
      bInterfaceClass        14 Video
      bInterfaceSubClass      2 Video Streaming
      bInterfaceProtocol      0 
      iInterface              0 
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x82  EP 2 IN
        bmAttributes            5
          Transfer Type            Isochronous
          Synch Type               Asynchronous
          Usage Type               Data
        wMaxPacketSize     0x0200  1x 512 bytes
        bInterval               1
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        1
      bAlternateSetting       3
      bNumEndpoints           1
      bInterfaceClass        14 Video
      bInterfaceSubClass      2 Video Streaming
      bInterfaceProtocol      0 
      iInterface              0 
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x82  EP 2 IN
        bmAttributes            5
          Transfer Type            Isochronous
          Synch Type               Asynchronous
          Usage Type               Data
        wMaxPacketSize     0x0400  1x 1024 bytes
        bInterval               1
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        1
      bAlternateSetting       4
      bNumEndpoints           1
      bInterfaceClass        14 Video
      bInterfaceSubClass      2 Video Streaming
      bInterfaceProtocol      0 
      iInterface              0 
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x82  EP 2 IN
        bmAttributes            5
          Transfer Type            Isochronous
          Synch Type               Asynchronous
          Usage Type               Data
        wMaxPacketSize     0x0b00  2x 768 bytes
        bInterval               1
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        1
      bAlternateSetting       5
      bNumEndpoints           1
      bInterfaceClass        14 Video
      bInterfaceSubClass      2 Video Streaming
      bInterfaceProtocol      0 
      iInterface              0 
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x82  EP 2 IN
        bmAttributes            5
          Transfer Type            Isochronous
          Synch Type               Asynchronous
          Usage Type               Data
        wMaxPacketSize     0x0c00  2x 1024 bytes
        bInterval               1
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        1
      bAlternateSetting       6
      bNumEndpoints           1
      bInterfaceClass        14 Video
      bInterfaceSubClass      2 Video Streaming
      bInterfaceProtocol      0 
      iInterface              0 
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x82  EP 2 IN
        bmAttributes            5
          Transfer Type            Isochronous
          Synch Type               Asynchronous
          Usage Type               Data
        wMaxPacketSize     0x1380  3x 896 bytes
        bInterval               1
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        1
      bAlternateSetting       7
      bNumEndpoints           1
      bInterfaceClass        14 Video
      bInterfaceSubClass      2 Video Streaming
      bInterfaceProtocol      0 
      iInterface              0 
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x82  EP 2 IN
        bmAttributes            5
          Transfer Type            Isochronous
          Synch Type               Asynchronous
          Usage Type               Data
        wMaxPacketSize     0x1400  3x 1024 bytes
        bInterval               1
Device Qualifier (for other device speed):
  bLength                10
  bDescriptorType         6
  bcdUSB               2.00
  bDeviceClass          239 Miscellaneous Device
  bDeviceSubClass         2 ?
  bDeviceProtocol         1 Interface Association
  bMaxPacketSize0        64
  bNumConfigurations      1
Device Status:     0x0000
  (Bus Powered)
Comment 3 Sibiao Luo 2013-07-05 07:49:53 UTC 
hit the same issue with passthrough the usb-kbd to guest var xhci controller.
# lsusb | grep Keyboard
Bus 003 Device 004: ID 03f0:0024 Hewlett-Packard KU-0316 Keyboard

# /usr/libexec/qemu-kvm -M q35 -cpu SandyBridge -enable-kvm -m 4096 -smp 4,sockets=2,cores=2,threads=1 -no-kvm-pit-reinjection... -device nec-usb-xhci,id=xhci,bus=bridge1,addr=0x8 -device usb-host,hostbus=3,hostaddr=4,id=hostdev,bus=xhci.0
(qemu) info usqemu-kvm: hw/usb/core.c:413: usb_handle_packet: Assertion `p->ep->type != 3 || (dev->flags & (1 << USB_DEV_FLAG_IS_HOST))' failed.
Aborted (core dumped)

(gdb) bt
#0  0x00007f2bf9864a19 in raise () from /lib64/libc.so.6
#1  0x00007f2bf9866128 in abort () from /lib64/libc.so.6
#2  0x00007f2bf985d986 in __assert_fail_base () from /lib64/libc.so.6
#3  0x00007f2bf985da32 in __assert_fail () from /lib64/libc.so.6
#4  0x00007f2bfe07ad37 in usb_handle_packet (dev=<optimized out>, p=p@entry=0x7f2be40051b0) at hw/usb/core.c:412
#5  0x00007f2bfe08e29b in xhci_submit (epctx=0x7f2be4005180, xfer=0x7f2be40051a8, xhci=0x7f2be1d38010)
    at hw/usb/hcd-xhci.c:1861
#6  xhci_fire_transfer (epctx=0x7f2be4005180, xfer=0x7f2be40051a8, xhci=0x7f2be1d38010) at hw/usb/hcd-xhci.c:1873
#7  xhci_kick_ep (xhci=0x7f2be1d38010, slotid=1, epid=3, streamid=0) at hw/usb/hcd-xhci.c:1995
#8  0x00007f2bfe16dc62 in access_with_adjusted_size (addr=addr@entry=4, value=value@entry=0x7f2bf122ea40, 
    size=size@entry=4, access_size_min=<optimized out>, access_size_max=<optimized out>, access=access@entry=
    0x7f2bfe16e220 <memory_region_write_accessor>, opaque=opaque@entry=0x7f2be1d38a30)
    at /usr/src/debug/qemu-1.5.1/memory.c:364
#9  0x00007f2bfe172bfb in memory_region_dispatch_write (size=4, data=3, addr=4, mr=0x7f2be1d38a30)
    at /usr/src/debug/qemu-1.5.1/memory.c:916
#10 io_mem_write (mr=0x7f2be1d38a30, addr=4, val=<optimized out>, size=4) at /usr/src/debug/qemu-1.5.1/memory.c:1597
#11 0x00007f2bfe16dc62 in access_with_adjusted_size (addr=addr@entry=4, value=value@entry=0x7f2bf122eaf0, 
    size=size@entry=4, access_size_min=<optimized out>, access_size_max=<optimized out>, access=access@entry=
    0x7f2bfe16e220 <memory_region_write_accessor>, opaque=opaque@entry=0x7f2bdc04f6e0)
    at /usr/src/debug/qemu-1.5.1/memory.c:364
#12 0x00007f2bfe172bfb in memory_region_dispatch_write (size=4, data=3, addr=4, mr=0x7f2bdc04f6e0)
    at /usr/src/debug/qemu-1.5.1/memory.c:916
#13 io_mem_write (mr=0x7f2bdc04f6e0, addr=4, val=<optimized out>, size=size@entry=4)
    at /usr/src/debug/qemu-1.5.1/memory.c:1597
#14 0x00007f2bfe1211dd in address_space_rw (as=as@entry=0x7f2bfee35fc0 <address_space_memory>, addr=4272168964, 
    buf=buf@entry=0x7f2bfdf2d028 <Address 0x7f2bfdf2d028 out of bounds>, len=4, is_write=true)
---Type <return> to continue, or q <return> to quit---
    at /usr/src/debug/qemu-1.5.1/exec.c:1916
#15 0x00007f2bfe1212d5 in cpu_physical_memory_rw (addr=<optimized out>, 
    buf=buf@entry=0x7f2bfdf2d028 <Address 0x7f2bfdf2d028 out of bounds>, len=<optimized out>, is_write=<optimized out>)
    at /usr/src/debug/qemu-1.5.1/exec.c:1998
#16 0x00007f2bfe16c6f5 in kvm_cpu_exec (env=env@entry=0x7f2bff093520) at /usr/src/debug/qemu-1.5.1/kvm-all.c:1643
#17 0x00007f2bfe117dd5 in qemu_kvm_cpu_thread_fn (arg=0x7f2bff093520) at /usr/src/debug/qemu-1.5.1/cpus.c:759
#18 0x00007f2bfc19dc53 in start_thread () from /lib64/libpthread.so.0
#19 0x00007f2bf992413d in clone () from /lib64/libc.so.6
(gdb)
Comment 4 Gerd Hoffmann 2013-07-24 07:29:53 UTC 

*** This bug has been marked as a duplicate of bug 981183 ***