Bug 981183 - qemu core dump and host reboot automatically when pass through usb speaker into guest with uhci controller
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: qemu-kvm
Version: 7.0
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: rc
: ---
Assignee: Gerd Hoffmann
QA Contact: Virtualization Bugs
URL:
Whiteboard:
Duplicates: 980738 986291
Depends On:
Blocks: 879454 949385 986296
 
Reported: 2013-07-04 08:27 UTC by Sibiao Luo
Modified: 2014-06-18 03:30 UTC (History)

Fixed In Version: qemu-kvm-1.5.3-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-13 12:30:40 UTC
Target Upstream Version:
Embargoed:



Description Sibiao Luo 2013-07-04 08:27:30 UTC
Description of problem:
Try to pass through a USB speaker into a guest with a UHCI controller; qemu core dumps and then the host reboots automatically.
This issue is similar to bug 980738, but the controller and bt log are different.

Version-Release number of selected component (if applicable):
host info:
3.10.0-0.rc7.64.el7.x86_64
qemu-kvm-1.5.1-2.el7.x86_64
guest info:
3.10.0-0.rc7.64.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Insert a USB speaker into the host.
# lsusb | grep JMTek
Bus 001 Device 003: ID 0c76:160c JMTek, LLC.
2. Try to pass through the USB speaker into the guest with a UHCI controller.
# /usr/libexec/qemu-kvm -M q35 -cpu SandyBridge -enable-kvm -m 4096 -smp 4,sockets=2,cores=2,threads=1 -no-kvm-pit-reinjection -name sluo -uuid 355a2475-4e03-4cdd-bf7b-5d6a59edaa61 -rtc base=localtime,clock=host,driftfix=slew -device pci-bridge,bus=pcie.0,id=bridge1,chassis_nr=1,addr=0x3 -device virtio-serial-pci,id=virtio-serial0,max_ports=16,vectors=0,bus=bridge1,addr=0x4 -chardev socket,id=channel1,path=/tmp/helloworld1,server,nowait -device virtserialport,chardev=channel1,name=com.redhat.rhevm.vdsm,bus=virtio-serial0.0,id=port1 -chardev socket,id=channel2,path=/tmp/helloworld2,server,nowait -device virtserialport,chardev=channel2,name=com.redhat.rhevm.vdsm,bus=virtio-serial0.0,id=port2 -drive file=/home/RHEL-7.0-20130628.0-Server-x86_64.qcow3,if=none,id=drive-system-disk,format=qcow2,cache=none,aio=native,werror=stop,rerror=stop,serial="QEMU-DISK1" -device virtio-scsi-pci,num_queues=4,id=scsi0,bus=bridge1,addr=0x5 -device scsi-hd,bus=scsi0.0,drive=drive-system-disk,id=system-disk,bootindex=1 -device virtio-balloon-pci,id=ballooning,bus=bridge1,addr=0x6 -global PIIX4_PM.disable_s3=0 -global PIIX4_PM.disable_s4=0 -netdev tap,id=hostnet0,vhost=on,queues=4,script=/etc/qemu-ifup -device virtio-net-pci,mq=on,vectors=17,netdev=hostnet0,id=virtio-net-pci0,mac=08:2e:5f:0a:0d:b1,bus=bridge1,addr=0x7,bootindex=2 -k en-us -boot menu=on -qmp tcp:0:4444,server,nowait -serial unix:/tmp/ttyS0,server,nowait -vnc :1 -spice port=5931,disable-ticketing -monitor stdio -usb -device usb-host,hostbus=1,hostaddr=3,id=hostdev,port=1,isobufs=4

Actual results:
After step 2, qemu core dumps and then the host reboots automatically. I will attach the bt log later.
(qemu) qemu-kvm: hw/usb/core.c:413: usb_handle_packet: Assertion `p->ep->type != 3 || (dev->flags & (1 << USB_DEV_FLAG_IS_HOST))' failed.
Aborted (core dumped)

Expected results:
There should be no core dump.

Additional info:
(qemu) info qtree
...
      dev: ich9-usb-ehci1, id ""
        maxframes = 128
        addr = 1d.7
        romfile = <null>
        rombar = 1
        multifunction = on
        command_serr_enable = on
        class USB controller, addr 00:1d.7, pci id 8086:293a (sub 1af4:1100)
        bar 0: mem at 0xffffffffffffffff [0xffe]
        bus: usb-bus.0
          type usb-bus
          dev: usb-host, id "hostdev"
            hostbus = 1
            hostaddr = 3
            hostport = <null>
            vendorid = 0x0
            productid = 0x0
            isobufs = 4
            isobsize = 32
            bootindex = -1
            loglevel = 2
            pipeline = on
            port = "1"
            full-path = on
            addr 0.0, port 1, speed 1.5, name USB Host Device
...

Comment 1 Sibiao Luo 2013-07-04 08:29:51 UTC
(gdb) bt
#0  0x00007fedc1688a19 in raise () from /lib64/libc.so.6
#1  0x00007fedc168a128 in abort () from /lib64/libc.so.6
#2  0x00007fedc1681986 in __assert_fail_base () from /lib64/libc.so.6
#3  0x00007fedc1681a32 in __assert_fail () from /lib64/libc.so.6
#4  0x00007fedc5e9ed37 in usb_handle_packet (dev=<optimized out>, p=p@entry=0x7fedc866d870) at hw/usb/core.c:412
#5  0x00007fedc5eae32f in uhci_handle_td (s=s@entry=0x7fedc85d8fb0, q=0x7fedc8389e50, q@entry=0x0, 
    qh_addr=qh_addr@entry=922768898, td=td@entry=0x7fff18076e90, td_addr=<optimized out>, 
    int_mask=int_mask@entry=0x7fff18076e7c) at hw/usb/hcd-uhci.c:904
#6  0x00007fedc5eae7a6 in uhci_process_frame (s=s@entry=0x7fedc85d8fb0) at hw/usb/hcd-uhci.c:1084
#7  0x00007fedc5eaeab5 in uhci_frame_timer (opaque=0x7fedc85d8fb0) at hw/usb/hcd-uhci.c:1183
#8  0x00007fedc5ef8136 in qemu_run_timers (clock=0x7fedc8376bb0) at qemu-timer.c:394
#9  0x00007fedc5ef83d5 in qemu_run_timers (clock=<optimized out>) at qemu-timer.c:459
#10 qemu_run_all_timers () at qemu-timer.c:452
#11 0x00007fedc5ecbede in main_loop_wait (nonblocking=<optimized out>) at main-loop.c:470
#12 0x00007fedc5dcc609 in main_loop () at vl.c:2029
#13 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4419
(gdb) bt full
#0  0x00007fedc1688a19 in raise () from /lib64/libc.so.6
No symbol table info available.
#1  0x00007fedc168a128 in abort () from /lib64/libc.so.6
No symbol table info available.
#2  0x00007fedc1681986 in __assert_fail_base () from /lib64/libc.so.6
No symbol table info available.
#3  0x00007fedc1681a32 in __assert_fail () from /lib64/libc.so.6
No symbol table info available.
#4  0x00007fedc5e9ed37 in usb_handle_packet (dev=<optimized out>, p=p@entry=0x7fedc866d870) at hw/usb/core.c:412
        __PRETTY_FUNCTION__ = "usb_handle_packet"
#5  0x00007fedc5eae32f in uhci_handle_td (s=s@entry=0x7fedc85d8fb0, q=0x7fedc8389e50, q@entry=0x0, 
    qh_addr=qh_addr@entry=922768898, td=td@entry=0x7fff18076e90, td_addr=<optimized out>, 
    int_mask=int_mask@entry=0x7fff18076e7c) at hw/usb/hcd-uhci.c:904
        max_len = 4
        spd = <optimized out>
        queuing = false
        pid = 105 'i'
        async = <optimized out>
        __PRETTY_FUNCTION__ = "uhci_handle_td"
#6  0x00007fedc5eae7a6 in uhci_process_frame (s=s@entry=0x7fedc85d8fb0) at hw/usb/hcd-uhci.c:1084
        frame_addr = <optimized out>
        link = 922763328
        old_td_ctrl = 427819008
        val = 3934623232
        int_mask = 0
        curr_qh = 922768898
        td_count = 0
        cnt = 254
        ret = <optimized out>
        td = {link = 922763520, ctrl = 427819008, token = 6390377, buffer = 922796032}
        qh = {link = 922768514, el_link = 922763328}
        qhdb = {addr = {922767874, 922768898, 922768642, 922768642, 3362090568, 32749, 3361090352, 32749, 4, 0, 0, 0, 
            403140352, 32767, 3288105177, 32749, 336, 0, 3365783256, 32749, 1, 0, 41938816, 0, 8, 0, 3244853401, 32749, 
            3362171696, 32749, 3359500104, 32749, 3359485728, 32749, 3288103977, 32749, 3359500104, 32749, 3319891274, 
            32749, 3320804144, 32749, 67108864, 0, 3288108960, 32749, 2147221247, 4294967294, 1, 0, 3365783200, 32749, 
            3362171696, 32749, 3320801922, 32749, 8, 0, 3934623232, 2495673974, 3362174288, 32749, 3319683386, 32749, 
            49240, 0, 3891826657, 4294934528, 3078, 0, 3288105081, 32749, 0, 0, 3322239968, 32749, 403140640, 32767, 
            3288105177, 32749, 0, 0, 3320625885, 32749, 14, 0, 4294967294, 0 <repeats 15 times>, 3359075248, 32749, 
            4294967295, 0, 403141288, 32767, 3361574832, 32749, 3334837312, 32749, 1912314509, 2, 3245718957, 32749, 
            3320804144, 32749, 3321084142, 32749, 10450, 0, 594434525, 0, 0, 0, 3934623232, 2495673974}, 
          count = -935872752}
        __PRETTY_FUNCTION__ = "uhci_process_frame"
#7  0x00007fedc5eaeab5 in uhci_frame_timer (opaque=0x7fedc85d8fb0) at hw/usb/hcd-uhci.c:1183
        t_now = 10502249416
        t_last_run = <optimized out>
        i = 0
        frames = 1
#8  0x00007fedc5ef8136 in qemu_run_timers (clock=0x7fedc8376bb0) at qemu-timer.c:394
        ts = <optimized out>
        current_time = <optimized out>
#9  0x00007fedc5ef83d5 in qemu_run_timers (clock=<optimized out>) at qemu-timer.c:459
No locals.
#10 qemu_run_all_timers () at qemu-timer.c:452
No locals.
#11 0x00007fedc5ecbede in main_loop_wait (nonblocking=<optimized out>) at main-loop.c:470
        ret = 1
        timeout = 4294967295
#12 0x00007fedc5dcc609 in main_loop () at vl.c:2029
        nonblocking = <optimized out>
        last_io = 1
#13 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at vl.c:4419
        i = <optimized out>
        snapshot = 0
        linux_boot = <optimized out>
        icount_option = 0x0
        initrd_filename = <optimized out>
        kernel_filename = <optimized out>
        kernel_cmdline = <optimized out>
        boot_devices = '\000' <repeats 32 times>
        ds = <optimized out>
        cyls = 0
        heads = 0
        secs = 0
        translation = 0
        hda_opts = <optimized out>
        opts = <optimized out>
        machine_opts = <optimized out>
        olist = <optimized out>
        optind = 62
        optarg = 0x7fff180797d2 "usb-host,hostbus=1,hostaddr=3,id=hostdev,port=1,isobufs=4"
        loadvm = 0x0
        machine = 0x7fedc643cf60 <pc_q35_machine_rhel700>
        cpu_model = 0x7fff18079227 "SandyBridge"
        vga_model = 0x7fedc609b2ef "cirrus"
        pid_file = 0x0
        incoming = 0x0
        show_vnc_port = 0
        defconfig = <optimized out>
        userconfig = false
        log_mask = 0x0
        log_file = 0x0
        mem_trace = {malloc = 0x7fedc5f35060 <malloc_and_trace>, realloc = 0x7fedc5f35020 <realloc_and_trace>, 
          free = 0x7fedc5f34fe0 <free_and_trace>, calloc = 0x0, try_malloc = 0x0, try_realloc = 0x0}
        trace_events = 0x0
        trace_file = 0x0
        __PRETTY_FUNCTION__ = "main"
        args = {ram_size = 4294967296, boot_device = 0x7fedc60717a6 "cad", kernel_filename = 0x0, 
          kernel_cmdline = 0x7fedc60b7c90 "", initrd_filename = 0x0, cpu_model = 0x7fff18079227 "SandyBridge"}
(gdb)

Comment 2 Sibiao Luo 2013-07-04 08:30:41 UTC
# lsusb -vv
Bus 001 Device 003: ID 0c76:160c JMTek, LLC. 
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               1.10
  bDeviceClass            0 (Defined at Interface level)
  bDeviceSubClass         0 
  bDeviceProtocol         0 
  bMaxPacketSize0        64
  idVendor           0x0c76 JMTek, LLC.
  idProduct          0x160c 
  bcdDevice            1.00
  iManufacturer           0 
  iProduct                1 USB Speaker
  iSerial                 0 
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength          135
    bNumInterfaces          3
    bConfigurationValue     1
    iConfiguration          0 
    bmAttributes         0x80
      (Bus Powered)
    MaxPower              500mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           0
      bInterfaceClass         1 Audio
      bInterfaceSubClass      1 Control Device
      bInterfaceProtocol      0 
      iInterface              0 
      AudioControl Interface Descriptor:
        bLength                 9
        bDescriptorType        36
        bDescriptorSubtype      1 (HEADER)
        bcdADC               1.00
        wTotalLength           40
        bInCollection           1
        baInterfaceNr( 0)       1
      AudioControl Interface Descriptor:
        bLength                12
        bDescriptorType        36
        bDescriptorSubtype      2 (INPUT_TERMINAL)
        bTerminalID             1
        wTerminalType      0x0101 USB Streaming
        bAssocTerminal          0
        bNrChannels             2
        wChannelConfig     0x0003
          Left Front (L)
          Right Front (R)
        iChannelNames           0 
        iTerminal               0 
      AudioControl Interface Descriptor:
        bLength                 9
        bDescriptorType        36
        bDescriptorSubtype      3 (OUTPUT_TERMINAL)
        bTerminalID            17
        wTerminalType      0x0301 Speaker
        bAssocTerminal          0
        bSourceID              49
        iTerminal               0 
      AudioControl Interface Descriptor:
        bLength                10
        bDescriptorType        36
        bDescriptorSubtype      6 (FEATURE_UNIT)
        bUnitID                49
        bSourceID               1
        bControlSize            1
        bmaControls( 0)      0x01
          Mute Control
        bmaControls( 1)      0x02
          Volume Control
        bmaControls( 2)      0x02
          Volume Control
        iFeature                0 
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        1
      bAlternateSetting       0
      bNumEndpoints           0
      bInterfaceClass         1 Audio
      bInterfaceSubClass      2 Streaming
      bInterfaceProtocol      0 
      iInterface              0 
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        1
      bAlternateSetting       1
      bNumEndpoints           1
      bInterfaceClass         1 Audio
      bInterfaceSubClass      2 Streaming
      bInterfaceProtocol      0 
      iInterface              0 
      AudioStreaming Interface Descriptor:
        bLength                 7
        bDescriptorType        36
        bDescriptorSubtype      1 (AS_GENERAL)
        bTerminalLink           1
        bDelay                  1 frames
        wFormatTag              1 PCM
      AudioStreaming Interface Descriptor:
        bLength                11
        bDescriptorType        36
        bDescriptorSubtype      2 (FORMAT_TYPE)
        bFormatType             1 (FORMAT_TYPE_I)
        bNrChannels             2
        bSubframeSize           2
        bBitResolution         16
        bSamFreqType            1 Discrete
        tSamFreq[ 0]        48000
      Endpoint Descriptor:
        bLength                 9
        bDescriptorType         5
        bEndpointAddress     0x01  EP 1 OUT
        bmAttributes            9
          Transfer Type            Isochronous
          Synch Type               Adaptive
          Usage Type               Data
        wMaxPacketSize     0x00c8  1x 200 bytes
        bInterval               1
        bRefresh                0
        bSynchAddress           0
        AudioControl Endpoint Descriptor:
          bLength                 7
          bDescriptorType        37
          bDescriptorSubtype      1 (EP_GENERAL)
          bmAttributes         0x00
          bLockDelayUnits         1 Milliseconds
          wLockDelay              1 Milliseconds
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        2
      bAlternateSetting       0
      bNumEndpoints           1
      bInterfaceClass         3 Human Interface Device
      bInterfaceSubClass      0 No Subclass
      bInterfaceProtocol      0 None
      iInterface              0 
        HID Device Descriptor:
          bLength                 9
          bDescriptorType        33
          bcdHID               1.00
          bCountryCode            0 Not supported
          bNumDescriptors         1
          bDescriptorType        34 Report
          wDescriptorLength      50
         Report Descriptors: 
           ** UNAVAILABLE **
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x83  EP 3 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0004  1x 4 bytes
        bInterval              32
Device Status:     0x0000
  (Bus Powered)
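
Added example, not part of the original report and not QEMU's own code: it decodes the UHCI transfer descriptor token from frame #6 of the backtrace (td.token = 6390377) using the UHCI token layout, matches it against the endpoint descriptors listed in comment 2, and evaluates the predicate quoted in the assertion message. The struct and function names and the bit index MODEL_FLAG_IS_HOST are assumptions made for this model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* UHCI TD token layout: PID in bits 7:0, device address in bits 14:8,
 * endpoint number in bits 18:15, MaxLen in bits 31:21 stored as length-1. */
struct td_token { uint8_t pid, devaddr, endp; uint16_t max_len; };

static struct td_token decode_td_token(uint32_t token) {
    struct td_token t;
    t.pid     = (uint8_t)(token & 0xff);
    t.devaddr = (uint8_t)((token >> 8) & 0x7f);
    t.endp    = (uint8_t)((token >> 15) & 0x0f);
    t.max_len = (uint16_t)(((token >> 21) + 1) & 0x7ff);
    return t;
}

#define USB_PID_IN 0x69  /* USB IN token; gdb prints it as pid = 105 'i' */

struct endpoint { uint8_t address, attributes; uint16_t max_packet; };

/* Endpoint descriptors copied from the lsusb -vv output in comment 2. */
static const struct endpoint speaker_eps[] = {
    { 0x01, 9, 0x00c8 },  /* EP 1 OUT, bmAttributes 9 */
    { 0x83, 3, 0x0004 },  /* EP 3 IN,  bmAttributes 3 */
};
#define N_EPS (sizeof(speaker_eps) / sizeof(speaker_eps[0]))

/* bmAttributes bits 1:0: 0 control, 1 isochronous, 2 bulk, 3 interrupt. */
static int ep_type(const struct endpoint *ep) { return ep->attributes & 0x03; }

/* Find the descriptor a TD addresses: same endpoint number and direction. */
static const struct endpoint *match_endpoint(struct td_token t) {
    uint8_t want = (uint8_t)(t.endp | (t.pid == USB_PID_IN ? 0x80 : 0x00));
    for (size_t i = 0; i < N_EPS; i++)
        if (speaker_eps[i].address == want)
            return &speaker_eps[i];
    return NULL;
}

/* Assumption: bit index used by this model only; the report does not show
 * the numeric value of USB_DEV_FLAG_IS_HOST. */
#define MODEL_FLAG_IS_HOST 0

/* Predicate from the assertion message:
 *   p->ep->type != 3 || (dev->flags & (1 << USB_DEV_FLAG_IS_HOST)) */
static bool assertion_holds(const struct endpoint *ep, uint32_t dev_flags) {
    return ep_type(ep) != 3 || (dev_flags & (1u << MODEL_FLAG_IS_HOST)) != 0;
}

int main(void) {
    struct td_token t = decode_td_token(6390377u);  /* td.token, frame #6 */
    const struct endpoint *ep = match_endpoint(t);
    printf("pid=0x%02x devaddr=%u endp=%u max_len=%u\n",
           (unsigned)t.pid, (unsigned)t.devaddr, (unsigned)t.endp,
           (unsigned)t.max_len);
    if (ep != NULL)
        printf("endpoint 0x%02x type=%d holds(flag clear)=%d holds(flag set)=%d\n",
               (unsigned)ep->address, ep_type(ep), (int)assertion_holds(ep, 0),
               (int)assertion_holds(ep, 1u << MODEL_FLAG_IS_HOST));
    return 0;
}
```

The decoded token addresses endpoint 3 IN with a 4-byte maximum length, which is the speaker's HID interrupt endpoint (0x83, wMaxPacketSize 4). Since the assertion failed, both halves of the predicate were false: the endpoint type was 3 and the host flag bit was clear in dev->flags.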

Comment 3 Gerd Hoffmann 2013-07-24 07:17:50 UTC
upstream commit 628e54857a82a3cb65ef96c12640c30d6307a064

Comment 4 Gerd Hoffmann 2013-07-24 07:22:44 UTC
Upstream commit is tagged for stable, so it should show up in 1.5.2

Comment 5 Gerd Hoffmann 2013-07-24 07:29:53 UTC
*** Bug 980738 has been marked as a duplicate of this bug. ***

Comment 6 Gerd Hoffmann 2013-07-24 07:53:54 UTC
*** Bug 986291 has been marked as a duplicate of this bug. ***

Comment 9 Gerd Hoffmann 2013-08-30 08:28:09 UTC
Fixed in upstream qemu 1.5.3.

Comment 10 Sibiao Luo 2013-08-30 09:55:34 UTC
Verified this issue on qemu-kvm-1.5.3-2.el7.x86_64; qemu does not core dump any more.

host info:
# uname -r && rpm -q qemu-kvm
3.10.0-11.el7.x86_64
qemu-kvm-1.5.3-2.el7.x86_64
guest info:
windows_server_2012_x64

# lsusb | grep JMTek
Bus 001 Device 003: ID 0c76:160c JMTek, LLC.

# /usr/libexec/qemu-kvm -S -M q35 -cpu SandyBridge -enable-kvm -m 4096 -smp 2,sockets=2,cores=1,threads=1 -no-kvm-pit-reinjection -name sluo-test -uuid ed09fa10-6ffe-4811-a42f-0294afcb5a42 -rtc base=localtime,clock=host,driftfix=slew -device virtio-serial-pci,id=virtio-serial0,max_ports=16,vectors=0,bus=pcie.0,addr=0x3 -chardev socket,id=channel1,path=/tmp/helloworld1,server,nowait -device virtserialport,chardev=channel1,name=com.redhat.rhevm.vdsm,bus=virtio-serial0.0,id=port1 -chardev socket,id=channel2,path=/tmp/helloworld2,server,nowait -device virtserialport,chardev=channel2,name=com.redhat.rhevm.vdsm,bus=virtio-serial0.0,id=port2 -drive file=/home/windows_server_2012_x64.qcow2,if=none,id=drive-system-disk,format=qcow2,aio=native,werror=stop,rerror=stop,serial=QEMU-DISK1 -device virtio-scsi-pci,bus=pcie.0,addr=0x4,id=scsi0 -device scsi-hd,bus=scsi0.0,drive=drive-system-disk,id=system-disk,bootindex=1 -net none -device virtio-balloon-pci,id=ballooning,bus=pcie.0,addr=0x6 -global PIIX4_PM.disable_s3=0 -global PIIX4_PM.disable_s4=0 -serial unix:/tmp/ttyS0,server,nowait -qmp tcp:0:4444,server,nowait -k en-us -boot menu=on -vnc :1 -spice disable-ticketing,port=5931 -monitor stdio -usb -device usb-host,hostbus=1,hostaddr=3,id=usb-stick
(qemu) info usb
  Device 0.1, Port 1, Speed 12 Mb/s, Product USB Speaker
(qemu) info usbhost 
  Bus 3, Addr 2, Port 3, Speed 1.5 Mb/s
    Class 00: USB device 413c:3012, Dell USB Optical Mouse
  Bus 3, Addr 3, Port 4, Speed 1.5 Mb/s
    Class 00: USB device 03f0:0024, HP Basic USB Keyboard
  Bus 1, Addr 3, Port 1.1, Speed 12 Mb/s
    Class 00: USB device 0c76:160c, USB Speaker
(qemu) info qtree
...
      dev: ich9-usb-ehci1, id ""
        maxframes = 128
        addr = 1d.7
        romfile = <null>
        rombar = 1
        multifunction = on
        command_serr_enable = on
        class USB controller, addr 00:1d.7, pci id 8086:293a (sub 1af4:1100)
        bar 0: mem at 0xfebf2000 [0xfebf2fff]
        bus: usb-bus.0
          type usb-bus
          dev: usb-host, id "usb-stick"
            hostbus = 1
            hostaddr = 3
            hostport = <null>
            vendorid = 0x0
            productid = 0x0
            isobufs = 4
            isobsize = 32
            bootindex = -1
            loglevel = 2
            pipeline = on
            port = <null>
            full-path = on
            addr 0.1, port 1, speed 12, name USB Speaker, attached
...

Based on the above, this issue has been fixed correctly.

Best Regards,
sluo

Comment 14 Ludek Smid 2014-06-13 12:30:40 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

