kvm husb: ctrl buffer too small

Bug #790145 reported by Attb2 on 2011-05-30
Affects              Importance  Assigned to
qemu-kvm (Ubuntu)    Low         Unassigned
Lucid                Medium      Unassigned
Maverick             Medium      Unassigned

Bug Description

SRU justification:
1. Impact: USB devices which use large control buffers (like some PDAs) cannot be used with a VM.
2. How bug was addressed: A one-line patch was taken from upstream, increasing the size of the control buffer.
3. patch: see patch in the description
4. TEST CASE: connect a usb device which uses control buffers > 2k.
5. Regression potential: the size of a buffer is increased, with no other changes. The only potential for regression, therefore, would be due to kvm consuming more memory.

Binary package hint: qemu-kvm

I would like to connect my PDA to a kvm virtual machine with the following command:
kvm -m 1024 -k hu -usb --usbdevice host:2.4 VM.img

It finds my USB device, but then throws:
husb: 2 interfaces claimed for configuration 1
husb: grabbed usb device 2.4
husb: config #1 need 1
husb: 2 interfaces claimed for configuration 1
husb: config #1 need 1
husb: 2 interfaces claimed for configuration 1
husb: config #1 need 1
husb: 2 interfaces claimed for configuration 1
husb: config #1 need 1
husb: 2 interfaces claimed for configuration 1
husb: config #1 need 1
husb: 2 interfaces claimed for configuration 1
husb: config #1 need 1
husb: 2 interfaces claimed for configuration 1
husb: ctrl buffer too small (4104 > 2048)

VM starts but without USB device. :-(

I've found a similar problem in Red Hat's bugs, and they solved it with a patch.
https://bugzilla.redhat.com/show_bug.cgi?id=672720

thx

ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: kvm 1:84+dfsg-0ubuntu16+0.12.3+noroms+0ubuntu9.7
ProcVersionSignature: Ubuntu 2.6.32-30.59-generic 2.6.32.29+drm33.13
Uname: Linux 2.6.32-30-generic i686
Architecture: i386
Date: Mon May 30 11:56:40 2011
InstallationMedia: Ubuntu 10.04.1 LTS "Lucid Lynx" - Release i386 (20100816.1)
KvmCmdLine: Error: command ['ps', '-C', 'kvm', '-F'] failed with exit code 1: UID PID PPID C SZ RSS PSR STIME TTY TIME CMD
Lsusb:
 Bus 002 Device 003: ID 046d:c312 Logitech, Inc. DeLuxe 250 Keyboard
 Bus 002 Device 002: ID 046d:c05f Logitech, Inc.
 Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
 Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
MachineType: Dell Inc Dimension E521
ProcCmdLine: root=/dev/md1 ro quiet splash
ProcEnviron:
 LANGUAGE=hu_HU:en
 PATH=(custom, user)
 LANG=hu_HU.utf8
 SHELL=/bin/bash
SourcePackage: qemu-kvm
dmi.bios.date: 04/07/2007
dmi.bios.vendor: Dell Inc
dmi.bios.version: 1.1.6
dmi.board.name: 0UW457
dmi.board.vendor: Dell Inc
dmi.board.version: A03
dmi.chassis.type: 3
dmi.chassis.vendor: Dell Inc
dmi.modalias: dmi:bvnDellInc:bvr1.1.6:bd04/07/2007:svnDellInc:pnDimensionE521:pvr:rvnDellInc:rn0UW457:rvrA03:cvnDellInc:ct3:cvr:
dmi.product.name: Dimension E521
dmi.sys.vendor: Dell Inc

Attb2 (aszuts) wrote :
Chuck Short (zulcss) wrote :

Thanks for the bug report. Can you see if it's fixed in natty so we can probably backport this?

chuck

Changed in qemu-kvm (Ubuntu):
importance: Undecided → Low
status: New → Incomplete
Attb2 (aszuts) wrote :

I've downloaded the RH bugfix and the latest Ubuntu source code.
https://bugzilla.redhat.com/attachment.cgi?id=441018

https://launchpad.net/ubuntu/lucid/+source/qemu-kvm
qemu-kvm_0.12.3+noroms.orig.tar.gz

usb-linux.c source file is exactly the same, so this patch will fix the bug. :-)
Tomorrow morning I'll test it.

commit fd7a446f162768c044b3bf3844f7605eeef351af
Author: Christian Krause <email address hidden>
Date: Sun Jan 24 17:34:52 2010 +0100

    usb-linux: increase buffer for USB control requests

    The WLAN USB stick ZyXEL NWD271N (0586:3417) uses very large
    usb control transfers of more than 2048 bytes which won't fit
    into the buffer of the ctrl_struct. This results in an error message
    "husb: ctrl buffer too small" and a non-working device.
    Increasing the buffer size to 8192 seems to be a safe choice.

    Signed-off-by: Christian Krause <email address hidden>
    Signed-off-by: Aurelien Jarno <email address hidden>

diff --git a/usb-linux.c b/usb-linux.c
index ba8facf..122cdbf 100644
--- a/usb-linux.c
+++ b/usb-linux.c
@@ -113,7 +113,7 @@ struct ctrl_struct {
     uint16_t offset;
     uint8_t state;
     struct usb_ctrlrequest req;
- uint8_t buffer[2048];
+ uint8_t buffer[8192];
 };

 struct USBAutoFilter {
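Review bot: the new 8192-byte array is still a fixed cap, so the existing length check that prints "husb: ctrl buffer too small" must stay as the guard against requests larger than the buffer; wLength is a 16-bit field, so a device can legitimately ask for more than 8192 bytes and will hit the same error, only at a higher threshold. The 4104-byte request from this report fits, but a comment at the declaration explaining why 8192 was chosen (and that the bound is enforced before the copy) would help the next person who has to raise it.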

Attb2 (aszuts) wrote :

Sorry, I misunderstood you!
Yes, in Natty (11.04) this bug is already fixed with the same patch as above. :-)

Attb2 (aszuts) wrote :

I've modified the source code and built a deb package.
The error message goes away, but for some other reason XP doesn't see the PDA.

dmesg:
[85011.628047] usb 2-7: new full speed USB device using ohci_hcd and address 16
[85011.854203] usb 2-7: configuration #1 chosen from 1 choice
[85012.087034] rndis_host 2-7:1.0: RNDIS_MSG_QUERY(0x00010202) failed, -47
[85012.100755] eth1: register 'rndis_host' at usb-0000:00:0b.0-7, RNDIS device, 80:00:60:0f:e8:00
[85012.153171] udev: renamed network interface eth1 to eth2
[85023.312024] eth2: no IPv6 routers present
[85074.776006] eth2: unregister 'rndis_host' usb-0000:00:0b.0-7, RNDIS device
[85076.512050] usb 2-7: reset full speed USB device using ohci_hcd and address 16
[85077.760991] rndis_host 2-7:1.0: RNDIS_MSG_QUERY(0x00010202) failed, -47
[85077.774824] eth1: register 'rndis_host' at usb-0000:00:0b.0-7, RNDIS device, 80:00:60:0f:e8:00
[85077.774918] eth1: unregister 'rndis_host' usb-0000:00:0b.0-7, RNDIS device
[85087.128052] usb 2-7: reset full speed USB device using ohci_hcd and address 16
[85087.887995] rndis_host 2-7:1.0: RNDIS_MSG_QUERY(0x00010202) failed, -47
[85087.902959] eth1: register 'rndis_host' at usb-0000:00:0b.0-7, RNDIS device, 80:00:60:0f:e8:00
[85087.903304] eth1: unregister 'rndis_host' usb-0000:00:0b.0-7, RNDIS device
[85099.604546] usb 2-7: reset full speed USB device using ohci_hcd and address 16
[85100.419995] rndis_host 2-7:1.0: RNDIS_MSG_QUERY(0x00010202) failed, -47
[85100.434941] eth1: register 'rndis_host' at usb-0000:00:0b.0-7, RNDIS device, 80:00:60:0f:e8:00
[85100.435038] eth1: unregister 'rndis_host' usb-0000:00:0b.0-7, RNDIS device
[85103.324060] usb 2-7: reset full speed USB device using ohci_hcd and address 16
[85104.438991] rndis_host 2-7:1.0: RNDIS_MSG_QUERY(0x00010202) failed, -47
[85104.453991] eth1: register 'rndis_host' at usb-0000:00:0b.0-7, RNDIS device, 80:00:60:0f:e8:00
[85104.454092] eth1: unregister 'rndis_host' usb-0000:00:0b.0-7, RNDIS device
[85105.156066] usb 2-7: reset full speed USB device using ohci_hcd and address 16
[85105.905993] rndis_host 2-7:1.0: RNDIS_MSG_QUERY(0x00010202) failed, -47
[85105.919937] eth1: register 'rndis_host' at usb-0000:00:0b.0-7, RNDIS device, 80:00:60:0f:e8:00
[85105.920039] eth1: unregister 'rndis_host' usb-0000:00:0b.0-7, RNDIS device
[85415.007924] usb 2-7: USB disconnect, address 16

So the original bug is fixed with the patch above. :-)

Serge Hallyn (serge-hallyn) wrote :

Thanks very much for the patch. Do you have any idea what is still going wrong? The patch is worth SRUing in any case, but if a pair of patches together makes it fully work, then I'd prefer to handle them together.

Changed in qemu-kvm (Ubuntu):
status: Incomplete → Triaged
Attb2 (aszuts) wrote :

Maybe something is wrong with my PDA?
If I *uncheck* "Enable advanced network functionality" on WinMobile 6 (Start menu -> Settings -> Connections -> USBtoPC) everything works well!
This checkbox changes PDA connection mode from RNDIS to ttyUSB0 (serial).
And then I can use Activesync!

Serge Hallyn (serge-hallyn) wrote :

Thanks, Attb2. If I understand right, the workaround suffices? In that case, until someone hits a case which is solved by this patch, I'd prefer not to risk a regression with an SRU. I'll mark this WONTFIX for now. If I misunderstood you, please change back to Confirmed.

If anyone else hits this bug and the patch works for them, then I'll request the SRU.

Thanks very much.

Changed in qemu-kvm (Ubuntu):
status: Triaged → Won't Fix
status: Won't Fix → Fix Released
Changed in qemu-kvm (Ubuntu Lucid):
status: New → Won't Fix
importance: Undecided → Low
Attb2 (aszuts) wrote :

Ok, I agree!
I've created a step-by-step workaround process.

Step 0. You encounter "husb: ctrl buffer too small" error message during kvm start.

Step 1. Fix kvm bug in usb-linux.c source with this patch
diff --git a/usb-linux.c b/usb-linux.c
index ba8facf..122cdbf 100644
--- a/usb-linux.c
+++ b/usb-linux.c
@@ -113,7 +113,7 @@ struct ctrl_struct {
     uint16_t offset;
     uint8_t state;
     struct usb_ctrlrequest req;
- uint8_t buffer[2048];
+ uint8_t buffer[8192];
 };

 struct USBAutoFilter {

Step 2. Build kvm from source.

Step 3. If the kvm GuestOS doesn't see your USB device: *uncheck* "Enable advanced network functionality" on your USB device (Start menu -> Settings -> Connections -> USBtoPC), if this menu exists on your device.

Step 4. Try to attach the USB device to your GuestOS with a similar command:
kvm -m 1024 -k hu -usb --usbdevice host:045e:00ce GuestOS.img
(the lsusb command helps to figure out the device ID)

Serge Hallyn (serge-hallyn) wrote :

I've changed my mind on this. There doesn't appear to be a chance of a buffer overflow as the size of the buffer is checked before copying into it, but this just looks like it's begging to cause us trouble down the road. I'll push a package with the fix and request SRU.

Thanks again for reporting the bug and identifying the patch!

Changed in qemu-kvm (Ubuntu Lucid):
status: Won't Fix → In Progress
importance: Low → Medium
Changed in qemu-kvm (Ubuntu Maverick):
status: New → In Progress
importance: Undecided → Medium
description: updated
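As an added illustration of the point in the comment above (not code from qemu or from anyone in this thread): a model of ctrl_struct with the post-patch 8192-byte buffer and a staging routine that checks wLength against the capacity before any copy, replayed with the 4104-byte request from this report against the old and the new size. The struct usb_ctrlrequest layout, the emulated-capacity parameter and the ctrl_stage/replay_report names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for usb_ctrlrequest (same field names as the kernel header). */
struct usb_ctrlrequest {
    uint8_t  bRequestType;
    uint8_t  bRequest;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;
};

#define CTRL_BUF_OLD 2048   /* buffer size before the patch */
#define CTRL_BUF_NEW 8192   /* buffer size after the patch  */

/* Model of ctrl_struct from usb-linux.c, sized as after the patch. */
struct ctrl_struct {
    uint16_t offset;
    uint8_t state;
    struct usb_ctrlrequest req;
    uint8_t buffer[CTRL_BUF_NEW];
};

/* Stage a control request into the buffer, emulating a capacity of 'cap'
   bytes. wLength is checked against the capacity BEFORE any copy, so an
   oversized request fails with the report's error instead of overflowing.
   Returns 0 on success, -1 when the request does not fit. */
static int ctrl_stage(struct ctrl_struct *c, size_t cap,
                      const struct usb_ctrlrequest *req,
                      const uint8_t *data, size_t data_len)
{
    if (cap > sizeof(c->buffer))
        cap = sizeof(c->buffer);        /* never exceed real storage */
    if (req->wLength > cap) {
        fprintf(stderr, "husb: ctrl buffer too small (%u > %zu)\n",
                (unsigned)req->wLength, cap);
        return -1;
    }
    if (data_len > req->wLength)        /* payload may not exceed wLength */
        return -1;
    c->req = *req;
    memcpy(c->buffer, data, data_len);
    return 0;
}

/* Replay the 4104-byte control transfer from this report against a given
   capacity; the payload is constructed and its content is irrelevant. */
static int replay_report(size_t cap)
{
    static struct ctrl_struct c;
    static uint8_t payload[4104];
    struct usb_ctrlrequest req = { 0x40, 0x01, 0, 0, 4104 };
    return ctrl_stage(&c, cap, &req, payload, sizeof(payload));
}
```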

Quoting Attb2 (<email address hidden>):
> Ok, I agree!
> I've created a step by step workaround process.

Oh, thanks - I hadn't noticed this update (and decided I should
do the SRU anyway during a commute :).

IIUC the workaround will still be necessary for your particular
PDA. This fix however should still be helpful for other devices.

Accepted qemu-kvm into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in qemu-kvm (Ubuntu Lucid):
status: In Progress → Fix Committed
tags: added: verification-needed
Clint Byrum (clint-fewbar) wrote :

Accepted qemu-kvm into maverick-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in qemu-kvm (Ubuntu Maverick):
status: In Progress → Fix Committed
Clint Byrum (clint-fewbar) wrote :

Please note that even if this bug is verified in lucid/maverick, there are two other bugs that have been waiting a while in qemu-kvm in lucid and maverick, which will block this fix from moving to -updates until they are verified too:

lucid:
  bug #786941 - Cannot boot from non-existent NIC
maverick:
  bug #719448 - The "once" parameter does not work with "-boot"

So, anybody verifying this bug in one of those releases, please go there and verify the respective fix as well to speed the propagation to -updates.

Jamie Strandboge (jdstrand) wrote :

0.12.5+noroms-0ubuntu7.4 has been superseded by 0.12.5+noroms-0ubuntu7.5 in maverick-security. 0.12.3+noroms-0ubuntu9.8 has been superseded by 0.12.3+noroms-0ubuntu9.9 in lucid-security.

Serge Hallyn (serge-hallyn) wrote :

Thanks for the warning, Jamie. New versions have been uploaded to -proposed (awaiting approval).

---
Ubuntu Bug Squad volunteer triager
http://wiki.ubuntu.com/BugSquad

Attb2 (aszuts) wrote :

I'm not familiar with bug statuses:

What does "Fix Released" mean? Does the latest release (0.12.3+noroms-0ubuntu9.9) contain my bugfix or not?
May I update my local qemu-kvm package to 0.12.3+noroms-0ubuntu9.9? (Lucid 10.04 LTS)

thx

Serge Hallyn (serge-hallyn) wrote :

@Attb2,

no, 0.12.3+noroms-0ubuntu9.9 does not have the fix. I uploaded a new 0.12.3+noroms-0ubuntu9.10 to lucid-proposed.

Serge Hallyn (serge-hallyn) wrote :

Hm, but it appears to have been rejected, so I just re-uploaded it.

This fix was NOT included in the security fix, please accept this upload.

Excerpts from Attb2's message of Wed Jun 29 07:01:04 UTC 2011:
> I'm not familiar with bug statuses:
>
> What does "Fix Released" mean? Does the latest release (0.12.3+noroms-0ubuntu9.9) contain my bugfix or not?
> May I update my local qemu-kvm package to 0.12.3+noroms-0ubuntu9.9? (Lucid 10.04 LTS)

Fix Released in "ubuntu" just means in the current dev release or later
it has been fixed.

The other statuses are for Lucid and Maverick, and indicate that the
fix has been uploaded to their "Proposed updates" sections.

If you'd like to test the fix so it can be moved to lucid updates, the
process is outlined here:

https://wiki.ubuntu.com/QATeam/PerformingSRUVerification

Following that process will get you the proposed fix on lucid, but be
aware that we don't know if it has been tested.

Chris Halse Rogers (raof) wrote :

It looks like 0.12.3+noroms-0ubuntu9.10 does not have the fixes from 0.12.3+noroms-0ubuntu9.7 included in it. Could you please re-roll these changes to include the previous proposed fixes as well?

Changed in qemu-kvm (Ubuntu Lucid):
status: Fix Committed → Incomplete
Serge Hallyn (serge-hallyn) wrote :

Where did you look at 0.12.3+noroms-0ubuntu9.10? And which particular change were you looking for?

Chris Halse Rogers (raof) wrote :

I'm looking at 0.12.3+noroms-0ubuntu9.10 in the lucid-proposed unapproved queue here: https://launchpad.net/ubuntu/lucid/+queue?queue_state=1

It appears to be missing the changelog for 0.12.3+noroms-0ubuntu9.7 and the associated fixes for bug #786941.

Serge Hallyn (serge-hallyn) wrote :

Quoting Chris Halse Rogers (<email address hidden>):
> I'm looking at 0.12.3+noroms-0ubuntu9.10 in the lucid-proposed
> unapproved queue here:
> https://launchpad.net/ubuntu/lucid/+queue?queue_state=1
>
> It appears to be missing the changelog for 0.12.3+noroms-0ubuntu9.7 and
> the associated fixes for bug #786941.

Looking at bug #786941, the lucid-proposed package was never verified.
So when the security team issued 0.12.3+noroms-0ubuntu9.9, the
unverified fixes (.7 and .8) were dropped.

If you'd like us to try that fix again, please comment on bug #786941,
and, when it gets pushed to -proposed, please verify the fix so that
we can push it to the archive.

Martin Pitt (pitti) wrote :

@Chris: Indeed the queuediff output is confusing here. In these special cases, when a version got removed/superseded from -proposed, Launchpad will generate a confusing diff (against the removed SRU, not against what's actually in Ubuntu). Doing a manual debdiff against lucid-updates looks very reasonable.

Changed in qemu-kvm (Ubuntu Lucid):
status: Incomplete → Fix Committed

Hello Attb2, or anyone else affected,

Accepted qemu-kvm into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Martin Pitt (pitti) wrote :

Hello Attb2, or anyone else affected,

Accepted qemu-kvm into maverick-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Jamie Strandboge (jdstrand) wrote :

Sorry to do this to you again, but 0.12.5+noroms-0ubuntu7.6 has been superseded by 0.12.5+noroms-0ubuntu7.8 in maverick-security. 0.12.3+noroms-0ubuntu9.10 has been superseded by 0.12.3+noroms-0ubuntu9.12 in lucid-security.

Martin Pitt (pitti) wrote :

Hello Attb2, or anyone else affected,

Accepted qemu-kvm into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Martin Pitt (pitti) wrote :

Hello Attb2, or anyone else affected,

Accepted qemu-kvm into maverick-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Attb2 (aszuts) wrote :

Thanks Martin!

Sorry for my late answer, I was on holiday last week. :-)
I've just tested the new 0.12.3+noroms-0ubuntu9.12 package. It works with my Mobile device.
(ActiveSync and every other app can use it.)

Serge Hallyn (serge-hallyn) wrote :

@Attb2

is there any chance you would be able to verify the maverick package?

Martin Pitt (pitti) wrote :

Not actually uploaded to lucid-proposed yet.

Changed in qemu-kvm (Ubuntu Lucid):
status: Fix Committed → Triaged
Clint Byrum (clint-fewbar) wrote :

Hello Attb2, or anyone else affected,

Accepted qemu-kvm into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in qemu-kvm (Ubuntu Lucid):
status: Triaged → Fix Committed
Jamie Strandboge (jdstrand) wrote :

I'm sorry, but these have been superseded by security updates in 0.12.3+noroms-0ubuntu9.15 and 0.12.5+noroms-0ubuntu7.10.

Serge Hallyn (serge-hallyn) wrote :

I'm sorry - per the rules listed in https://wiki.ubuntu.com/StableReleaseUpdates, only bugs which are >= high priority are eligible for SRU. If you feel this bug should be high priority, please say so (with rationale) here.

An updated package for lucid through natty will be placed in the ubuntu-virt ppa (https://launchpad.net/~ubuntu-virt/+archive/ppa) as an alternative way to get this fix.

Changed in qemu-kvm (Ubuntu Lucid):
status: Fix Committed → Won't Fix
Changed in qemu-kvm (Ubuntu Maverick):
status: Fix Committed → Won't Fix
tags: added: testcase