From: Longpeng <longpeng2@huawei.com>
we found the following core in our environment:
0 0x00007fc6b06c2237 in raise ()
1 0x00007fc6b06c3928 in abort ()
2 0x00007fc6b06bb056 in __assert_fail_base ()
3 0x00007fc6b06bb102 in __assert_fail ()
4 0x0000000000702e36 in xhci_kick_ep (...)
5 0x000000000047897a in memory_region_write_accessor (...)
6 0x000000000047767f in access_with_adjusted_size (...)
7 0x000000000047944d in memory_region_dispatch_write (...)
(mr=mr@entry=0x7fc6a0138df0, addr=addr@entry=156, data=1648892416,
size=size@entry=4, attrs=attrs@entry=...)
8 0x000000000042df17 in address_space_write_continue (...)
10 0x000000000043084d in address_space_rw (...)
11 0x000000000047451b in kvm_cpu_exec (cpu=cpu@entry=0x1ab11b0)
12 0x000000000045dcf5 in qemu_kvm_cpu_thread_fn (arg=0x1ab11b0)
13 0x0000000000870631 in qemu_thread_start (args=args@entry=0x1acfb50)
14 0x00000000008959a7 in thread_entry_for_hotfix (pthread_cb=<optimized out>)
15 0x00007fc6b0a60dd5 in start_thread ()
16 0x00007fc6b078a59d in clone ()
(gdb) f 5
5 0x000000000047897a in memory_region_write_accessor (...)
529 mr->ops->write(mr->opaque, addr, tmp, size);
(gdb) p /x tmp
$9 = 0x62481a00 <-- last byte 0x00 is @epid
xhci_doorbell_write() already check the upper bound of @slotid an @epid,
it also need to check the lower bound.
Cc: Gonglei <arei.gonglei@huawei.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Longpeng <longpeng2@huawei.com>
---
v1 -> v2:
1) update the description, include the full backtrace
2) remove unnecessary check: 'reg == 0'
---
hw/usb/hcd-xhci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
index ec28bee..d8472b4 100644
--- a/hw/usb/hcd-xhci.c
+++ b/hw/usb/hcd-xhci.c
@@ -3137,7 +3137,7 @@ static void xhci_doorbell_write(void *ptr, hwaddr reg,
streamid = (val >> 16) & 0xffff;
if (reg > xhci->numslots) {
DPRINTF("xhci: bad doorbell %d\n", (int)reg);
- } else if (epid > 31) {
+ } else if (epid == 0 || epid > 31) {
DPRINTF("xhci: bad doorbell %d write: 0x%x\n",
(int)reg, (uint32_t)val);
} else {
--
1.8.3.1
On 4/30/19 8:21 AM, Longpeng(Mike) wrote: > From: Longpeng <longpeng2@huawei.com> > > we found the following core in our environment: > 0 0x00007fc6b06c2237 in raise () > 1 0x00007fc6b06c3928 in abort () > 2 0x00007fc6b06bb056 in __assert_fail_base () > 3 0x00007fc6b06bb102 in __assert_fail () > 4 0x0000000000702e36 in xhci_kick_ep (...) > 5 0x000000000047897a in memory_region_write_accessor (...) > 6 0x000000000047767f in access_with_adjusted_size (...) > 7 0x000000000047944d in memory_region_dispatch_write (...) > (mr=mr@entry=0x7fc6a0138df0, addr=addr@entry=156, data=1648892416, > size=size@entry=4, attrs=attrs@entry=...) > 8 0x000000000042df17 in address_space_write_continue (...) > 10 0x000000000043084d in address_space_rw (...) > 11 0x000000000047451b in kvm_cpu_exec (cpu=cpu@entry=0x1ab11b0) > 12 0x000000000045dcf5 in qemu_kvm_cpu_thread_fn (arg=0x1ab11b0) > 13 0x0000000000870631 in qemu_thread_start (args=args@entry=0x1acfb50) > 14 0x00000000008959a7 in thread_entry_for_hotfix (pthread_cb=<optimized out>) > 15 0x00007fc6b0a60dd5 in start_thread () > 16 0x00007fc6b078a59d in clone () > > (gdb) f 5 > 5 0x000000000047897a in memory_region_write_accessor (...) > 529 mr->ops->write(mr->opaque, addr, tmp, size); > (gdb) p /x tmp > $9 = 0x62481a00 <-- last byte 0x00 is @epid > > xhci_doorbell_write() already check the upper bound of @slotid an @epid, > it also need to check the lower bound. > > Cc: Gonglei <arei.gonglei@huawei.com> > Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> > Signed-off-by: Longpeng <longpeng2@huawei.com> Tested-by: Philippe Mathieu-Daudé <philmd@redhat.com> > --- > v1 -> v2: > 1) update the description, include the full backtrace > 2) remove unnecessary check: 'reg == 0' > > --- > hw/usb/hcd-xhci.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c > index ec28bee..d8472b4 100644 > --- a/hw/usb/hcd-xhci.c > +++ b/hw/usb/hcd-xhci.c > @@ -3137,7 +3137,7 @@ static void xhci_doorbell_write(void *ptr, hwaddr reg, > streamid = (val >> 16) & 0xffff; > if (reg > xhci->numslots) { > DPRINTF("xhci: bad doorbell %d\n", (int)reg); > - } else if (epid > 31) { > + } else if (epid == 0 || epid > 31) { > DPRINTF("xhci: bad doorbell %d write: 0x%x\n", > (int)reg, (uint32_t)val); > } else { >
Patchew URL: https://patchew.org/QEMU/1556605301-44112-1-git-send-email-longpeng2@huawei.com/ Hi, This series failed the docker-mingw@fedora build test. Please find the testing commands and their output below. If you have Docker installed, you can probably reproduce it locally. === TEST SCRIPT BEGIN === #!/bin/bash time make docker-test-mingw@fedora SHOW_ENV=1 J=14 NETWORK=1 === TEST SCRIPT END === The full log is available at http://patchew.org/logs/1556605301-44112-1-git-send-email-longpeng2@huawei.com/testing.docker-mingw@fedora/?type=message. --- Email generated automatically by Patchew [https://patchew.org/]. Please send your feedback to patchew-devel@redhat.com
On Tue, Apr 30, 2019 at 02:21:41PM +0800, Longpeng(Mike) wrote: > From: Longpeng <longpeng2@huawei.com> > > we found the following core in our environment: > 0 0x00007fc6b06c2237 in raise () > 1 0x00007fc6b06c3928 in abort () > 2 0x00007fc6b06bb056 in __assert_fail_base () > 3 0x00007fc6b06bb102 in __assert_fail () > 4 0x0000000000702e36 in xhci_kick_ep (...) > 5 0x000000000047897a in memory_region_write_accessor (...) > 6 0x000000000047767f in access_with_adjusted_size (...) > 7 0x000000000047944d in memory_region_dispatch_write (...) > (mr=mr@entry=0x7fc6a0138df0, addr=addr@entry=156, data=1648892416, > size=size@entry=4, attrs=attrs@entry=...) > 8 0x000000000042df17 in address_space_write_continue (...) > 10 0x000000000043084d in address_space_rw (...) > 11 0x000000000047451b in kvm_cpu_exec (cpu=cpu@entry=0x1ab11b0) > 12 0x000000000045dcf5 in qemu_kvm_cpu_thread_fn (arg=0x1ab11b0) > 13 0x0000000000870631 in qemu_thread_start (args=args@entry=0x1acfb50) > 14 0x00000000008959a7 in thread_entry_for_hotfix (pthread_cb=<optimized out>) > 15 0x00007fc6b0a60dd5 in start_thread () > 16 0x00007fc6b078a59d in clone () > > (gdb) f 5 > 5 0x000000000047897a in memory_region_write_accessor (...) > 529 mr->ops->write(mr->opaque, addr, tmp, size); > (gdb) p /x tmp > $9 = 0x62481a00 <-- last byte 0x00 is @epid > > xhci_doorbell_write() already check the upper bound of @slotid an @epid, > it also need to check the lower bound. > > Cc: Gonglei <arei.gonglei@huawei.com> > Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com> > Signed-off-by: Longpeng <longpeng2@huawei.com> Added to usb queue. thanks, Gerd
© 2016 - 2024 Red Hat, Inc.