QEMU

Assertion !usb_packet_is_inflight(p) fails in OHCI

Bug #1687309 reported by Henrik Pitkala on 2017-04-30

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	QEMU	Expired	Undecided	Unassigned

Bug Description

I'm trying to get a USB web camera working in Qemu & Raspbian. USB works and V4L shows device info correctly and capturing frames from the camera works sometimes, but mostly it crashes with error message:

qemu-system-arm: hw/usb/core.c:558: usb_packet_setup: Assertion `!usb_packet_is_inflight(p)' failed.

This looks similar to the previous bug which also caused a crash on the same kind of assertion but the culprit was XHCI: https://bugs.launchpad.net/qemu/+bug/1653384

== Versions ==

QEMU emulator version 2.9.50 (v2.9.0-303-g81b2d5c-dirty),
configured with
./configure --target-list=arm-softmmu,arm-linux-user,armeb-linux-user --enable-libusb --enable-libssh2 --enable-debug

libusb: 1.0.21

Guest: 2017-04-10-raspbian-jessie-lite.img with kernel 4.4.34 for Raspbian on Qemu

Host: Ubuntu 16.04.2 LTS, kernel 4.4.0-72-generic

Command: /usr/local/bin/qemu-system-arm -kernel qemu-rpi-kernel/kernel-qemu-4.4.34-v4lm-jessie -cpu arm1176 -m 256 -M versatilepb -no-reboot -append "root=/dev/sda2 panic=1" -drive format=raw,file=2017-04-10-raspbian-jessie-lite.img -usb -usbdevice host:046d:0928 -net nic,model=virtio -net user,hostfwd=tcp::2222-:22

Web camera is an old Logitech QuickCam Express Etch2 (046d:0928). It works otherwise without problems.

== GDB Backtrace ==

qemu-system-arm: hw/usb/core.c:558: usb_packet_setup: Assertion `!usb_packet_is_inflight(p)' failed.

Thread 1 "qemu-system-arm" received signal SIGABRT, Aborted.
0x00007fffdea6f428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54 ../sysdeps/unix/sysv/linux/raise.c: Tiedostoa tai hakemistoa ei ole.
(gdb) bt full
#0 0x00007fffdea6f428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
        resultvar = 0
        pid = 16526
        selftid = 16526
#1 0x00007fffdea7102a in __GI_abort () at abort.c:89
        save_stage = 2
        act = {__sigaction_handler = {sa_handler = 0x4, sa_sigaction = 0x4}, sa_mask = {__val = {140737488345776,
              140737488351076, 140737488345856, 48702688480, 140737352876032, 93825001457954, 558, 93825001458576, 0, 0,
              140736929192332, 140736930289240, 140736930302896, 260615966, 140736930289240, 93825001457954}},
          sa_flags = -135479296, sa_restorer = 0x555555e20922}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2 0x00007fffdea67bd7 in __assert_fail_base (fmt=<optimized out>,
    assertion=assertion@entry=0x555555e20922 "!usb_packet_is_inflight(p)",
    file=file@entry=0x555555e20686 "hw/usb/core.c", line=line@entry=558,
    function=function@entry=0x555555e20b90 <__PRETTY_FUNCTION__.27044> "usb_packet_setup") at assert.c:92
        str = 0x5555573e0800 ""
        total = 4096
#3 0x00007fffdea67c82 in __GI___assert_fail (assertion=0x555555e20922 "!usb_packet_is_inflight(p)",
    file=0x555555e20686 "hw/usb/core.c", line=558,
    function=0x555555e20b90 <__PRETTY_FUNCTION__.27044> "usb_packet_setup") at assert.c:101
No locals.
#4 0x0000555555b4015a in usb_packet_setup (p=0x555556e81bc8, pid=105, ep=0x55555733e180, stream=0, id=260615936,
    short_not_ok=false, int_req=false) at hw/usb/core.c:558
        __PRETTY_FUNCTION__ = "usb_packet_setup"
#5 0x0000555555b4f2ee in ohci_service_iso_td (ohci=0x555556e814c0, ed=0x7fffffffdda0, completion=0)
    at hw/usb/hcd-ohci.c:852
        int_req = false
        dir = 2
        len = 1023
        str = 0x555555e233cf "in"
        pid = 105
        ret = -8788
        i = -8912
        dev = 0x55555733d070
        ep = 0x55555733e180
        iso_td = {flags = 4039218540, bp = 251170816, next = 260615872, be = 251173880, offset = {59386, 0, 6, 0, 53328,
            53376, 0, 0}}
        addr = 260615936
        starting_frame = 38252
        relative_frame_number = 0
        frame_count = 0
        start_offset = 59386
        next_offset = 0
        end_offset = 0
        start_addr = 251172858
        end_addr = 251173880
#6 0x0000555555b5055c in ohci_service_ed_list (ohci=0x555556e814c0, head=260608080, completion=0)
    at hw/usb/hcd-ohci.c:1239
        ed = {flags = 67080322, tail = 260614272, head = 260615936, next = 0}
        next_ed = 0
        cur = 260608080
        active = 1
        link_cnt = 1
#7 0x0000555555b50857 in ohci_frame_boundary (opaque=0x555556e814c0) at hw/usb/hcd-ohci.c:1304
        n = 12
        ohci = 0x555556e814c0
        hcca = {intr = {260608080 <repeats 32 times>}, frame = 38252, pad = 0, done = 0}
#8 0x0000555555d12050 in timerlist_run_timers (timer_list=0x555556939600) at util/qemu-timer.c:536
        ts = 0x555556ebc9b0
        current_time = 224991592167
        progress = false
        cb = 0x555555b50778 <ohci_frame_boundary>
        opaque = 0x555556e814c0
#9 0x0000555555d1209c in qemu_clock_run_timers (type=QEMU_CLOCK_VIRTUAL) at util/qemu-timer.c:547
No locals.
#10 0x0000555555d1244e in qemu_clock_run_all_timers () at util/qemu-timer.c:662
        progress = false
        type = QEMU_CLOCK_VIRTUAL
#11 0x0000555555d12bf9 in main_loop_wait (nonblocking=0) at util/main-loop.c:525
        ret = 0
        timeout = 499
        timeout_ns = 977642
#12 0x0000555555969440 in main_loop () at vl.c:1899
No locals.
#13 0x0000555555971229 in main (argc=21, argv=0x7fffffffe358, envp=0x7fffffffe408) at vl.c:4717
        i = 0
        snapshot = 0
        linux_boot = 1
        initrd_filename = 0x0
        kernel_filename = 0x5555568d78c0 "qemu-rpi-kernel/kernel-qemu-4.4.34-v4lm-jessie"
        kernel_cmdline = 0x5555568d8c80 "root=/dev/sda2 panic=1 "
        boot_order = 0x0
        boot_once = 0x0
        ds = 0x55555718f750
        cyls = 0
        heads = 0
        secs = 0
        translation = 0
        opts = 0x0
        machine_opts = 0x5555568d8b20
        hda_opts = 0x0
        icount_opts = 0x0
        accel_opts = 0x0
        olist = 0x55555629fc80 <qemu_machine_opts>
        optind = 21
        optarg = 0x7fffffffe780 "user,hostfwd=tcp::2222-:22"
        loadvm = 0x0
        machine_class = 0x5555568eff50
        cpu_model = 0x7fffffffe6c2 "arm1176"
        vga_model = 0x555555d8d8c4 "std"
        qtest_chrdev = 0x0
        qtest_log = 0x0
        pid_file = 0x0
        incoming = 0x0
        defconfig = true
        userconfig = true
        nographic = false
        display_type = DT_GTK
        display_remote = 0
        log_mask = 0x0
        log_file = 0x0
        trace_file = 0x0
        maxram_size = 268435456
        ram_slots = 0
        vmstate_dump_file = 0x0
        main_loop_err = 0x0
        err = 0x0
        list_data_dirs = false
        bdo_queue = {sqh_first = 0x0, sqh_last = 0x7fffffffe140}
        __func__ = "main"

(P.S. Tiedostoa tai hakemistoa ei ole = file or directory doesn't exist.)

See original description

Tags:

Henrik Pitkala (hekkup) on 2017-04-30

description:

updated

Revision history for this message

Henrik Pitkala (hekkup) wrote on 2017-05-01:

usb-packet-capture-on-qemu-crash-170501.zip Edit (65.4 KiB, application/zip)

The attached ZIP file contains USB packet capture file made with Wireshark on host OS side during crash.

What happens in the capture:

- packets 1-202: starting Qemu

- running lsusb and v4l-info -> no packets produced

- packets 203-268: fswebcam testpic05.jpg -> OK

- packets 269-320: fswebcam testpic05b.jpg -> crash as described in the bug report

For your reference, testpic05.jpg is attached, too.

Revision history for this message

Thomas Huth (th-huth) wrote on 2020-11-09:

The QEMU project is currently considering to move its bug tracking to another system. For this we need to know which bugs are still valid and which could be closed already. Thus we are setting older bugs to "Incomplete" now.
If you still think this bug report here is valid, then please switch the state back to "New" within the next 60 days, otherwise this report will be marked as "Expired". Thank you and sorry for the inconvenience.