[Qemu-devel] Guests are crashing on startup, seem related to usb-audio


From: Leonardo Soares Müller
Subject: [Qemu-devel] Guests are crashing on startup, seem related to usb-audio
Date: Sun, 9 Dec 2018 14:08:50 +0000

Linux guests are crashing on startup. This crash happens rarely and,
after boot, it is even rarer, but it happened at least once with an Ubuntu
18.04 guest.

The host OS is Xubuntu 18.04, happens with multiple kernel versions,
current is 4.20.0-rc5-drm-tip-d63c50f2b014037b43c1c0f108c61e0a31ede3c1+

QEMU version from git: 4750e1a888ac3d320607f33b676f299005be98e6

$ qemu-system-x86_64 --version
QEMU emulator version 3.0.93 (v3.1.0-rc3-dirty)
Copyright (c) 2003-2018 Fabrice Bellard and the QEMU Project developers

The crashes were observed with the following guests, being very rare:

Ubuntu 18.04;
Ubuntu 18.10;
CentOS 7.5;
openSUSE Leap 15.0;
Mageia 6;

The following guest OS is crashing with this much more commonly than
others and is the guest used to get the backtrace:

Mageia 7 Beta 1;

Pastes with information:

Backtrace: https://paste.ubuntu.com/p/XzK4vcHTwF/
QEMU command line: https://paste.ubuntu.com/p/4NqM4k9JPS/

This particular guest uses Intel GVT-g, but the crash was observed using
virtio-vga and qxl-vga too. The command line to start the guest was (in
case the pastes expire):

env QEMU_AUDIO_ADC_VOICES=0 QEMU_AUDIO_DRV=pa \
QEMU_AUDIO_DAC_FIXED_FREQ=96000 \
QEMU_AUDIO_ADC_FIXED_FREQ=96000 \
QEMU_AUDIO_ADC_VOICES=0 \
gdb -ex "handle SIGUSR1 nostop nopass noprint" -ex "run" --args qemu-system-x86_64 \
-name "Mageia 7" -k pt-br -nodefaults -enable-kvm -cpu host -smp cores=2,threads=1 -m 2G \
-device vfio-pci,sysfsdev=/sys/bus/pci/devices/0000:00:02.0/7c6999bc-d8a6-11e8-951d-a75a7e70a07f,rombar=0,display=on,addr=0x3,id=iHD520 \
-device qemu-xhci,id=xhcihub -device usb-tablet,id=usbtablet -device usb-audio,id=usbaudio,buffer=6144 -bios /usr/share/ovmf/OVMF.fd \
-display gtk,gl=on -hda /home/usuario/.local/share/libvirt/images/mageia7.qcow2 -monitor vc -serial mon:stdio \
-machine kernel_irqchip=on -global PIIX4_PM.disable_s3=1 -global PIIX4_PM.disable_s4=1 -M pc,usb=true \
-netdev user,id=net0 -device e1000,netdev=net0,addr=8

The backtrace obtained:

(gdb) bt
#0  0x00007ffff01cce97 in __GI_raise (address@hidden) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff01ce801 in __GI_abort () at abort.c:79
#2  0x00007ffff01be39a in __assert_fail_base (fmt=0x7ffff7e1f202 "%s%s%s:%u: %s%sAssertiva “%s” falhou.\n%n", address@hidden "p->actual_length + bytes <= iov->size", address@hidden "hw/usb/core.c", address@hidden, address@hidden <__PRETTY_FUNCTION__.26351> "usb_packet_copy") at assert.c:92
#3  0x00007ffff01be412 in __GI___assert_fail (assertion=0x555555fb8738 "p->actual_length + bytes <= iov->size", file=0x555555fb8456 "hw/usb/core.c", line=592, function=0x555555fb8980 <__PRETTY_FUNCTION__.26351> "usb_packet_copy") at assert.c:101
#4  0x0000555555bd5ed7 in usb_packet_copy (p=0x7fffc4722ea8, ptr=0x7fffbc053ee0, bytes=192) at hw/usb/core.c:592
#5  0x0000555555c024d8 in streambuf_put (buf=0x555557ed1040, p=0x7fffc4722ea8) at hw/usb/dev-audio.c:325
#6  0x0000555555c02d78 in usb_audio_handle_dataout (s=0x555557ecf950, p=0x7fffc4722ea8) at hw/usb/dev-audio.c:596
#7  0x0000555555c02e16 in usb_audio_handle_data (dev=0x555557ecf950, p=0x7fffc4722ea8) at hw/usb/dev-audio.c:608
#8  0x0000555555bd7c39 in usb_device_handle_data (dev=0x555557ecf950, p=0x7fffc4722ea8) at hw/usb/bus.c:184
#9  0x0000555555bd54a9 in usb_process_one (p=0x7fffc4722ea8) at hw/usb/core.c:388
#10 0x0000555555bd5668 in usb_handle_packet (dev=0x555557ecf950, p=0x7fffc4722ea8) at hw/usb/core.c:420
#11 0x0000555555bf6d8e in xhci_submit (xhci=0x7fffce40b010, xfer=0x7fffc4722ea0, epctx=0x7fffc41c35b0) at hw/usb/hcd-xhci.c:1819
#12 0x0000555555bf6df6 in xhci_fire_transfer (xhci=0x7fffce40b010, xfer=0x7fffc4722ea0, epctx=0x7fffc41c35b0) at hw/usb/hcd-xhci.c:1828
#13 0x0000555555bf73eb in xhci_kick_epctx (epctx=0x7fffc41c35b0, streamid=0) at hw/usb/hcd-xhci.c:1969
#14 0x0000555555bf6eef in xhci_kick_ep (xhci=0x7fffce40b010, slotid=2, epid=2, streamid=0) at hw/usb/hcd-xhci.c:1853
#15 0x0000555555bfa0ac in xhci_doorbell_write (ptr=0x7fffce40b010, reg=2, val=2, size=4) at hw/usb/hcd-xhci.c:3125
#16 0x000055555587f44e in memory_region_write_accessor (mr=0x7fffce40bd60, addr=8, value=0x7fffcfeba0b8, size=4, shift=0, mask=4294967295, attrs=...) at /home/usuario/Documentos/qemu/memory.c:504
#17 0x000055555587f65e in access_with_adjusted_size (addr=8, value=0x7fffcfeba0b8, size=4, access_size_min=1, access_size_max=4, access_fn=0x55555587f365 <memory_region_write_accessor>, mr=0x7fffce40bd60, attrs=...) at /home/usuario/Documentos/qemu/memory.c:570
#18 0x0000555555882359 in memory_region_dispatch_write (mr=0x7fffce40bd60, addr=8, data=2, size=4, attrs=...) at /home/usuario/Documentos/qemu/memory.c:1452
#19 0x000055555581d359 in flatview_write_continue (fv=0x7fffbc896810, addr=34644959240, attrs=..., buf=0x7ffff7ff3028 "\002", len=4, addr1=8, l=4, mr=0x7fffce40bd60) at /home/usuario/Documentos/qemu/exec.c:3233
#20 0x000055555581d4a3 in flatview_write (fv=0x7fffbc896810, addr=34644959240, attrs=..., buf=0x7ffff7ff3028 "\002", len=4) at /home/usuario/Documentos/qemu/exec.c:3272
#21 0x000055555581d7a9 in address_space_write (as=0x5555567d6460 <address_space_memory>, addr=34644959240, attrs=..., buf=0x7ffff7ff3028 "\002", len=4) at /home/usuario/Documentos/qemu/exec.c:3362
#22 0x000055555581d7fa in address_space_rw (as=0x5555567d6460 <address_space_memory>, addr=34644959240, attrs=..., buf=0x7ffff7ff3028 "\002", len=4, is_write=true) at /home/usuario/Documentos/qemu/exec.c:3373
#23 0x000055555589ea33 in kvm_cpu_exec (cpu=0x555556b9c960) at /home/usuario/Documentos/qemu/accel/kvm/kvm-all.c:2031
#24 0x000055555586453b in qemu_kvm_cpu_thread_fn (arg=0x555556b9c960) at /home/usuario/Documentos/qemu/cpus.c:1281
#25 0x0000555555e11d07 in qemu_thread_start (args=0x555556bbcf30) at util/qemu-thread-posix.c:498
#26 0x00007ffff05866db in start_thread (arg=0x7fffcfebd700) at pthread_create.c:463
#27 0x00007ffff02af88f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

It was suggested I should send information about this problem here.
