From nobody Mon Nov 25 09:41:37 2024 Delivered-To: importer@patchew.org Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org ARC-Seal: i=1; a=rsa-sha256; t=1716532393; cv=none; d=zohomail.com; s=zohoarc; b=EbVdNtr2jqZY7m8hUruvzhDjZlCUiFrr9Uy7kz+MQUqd1S/mt+8FzW+Dgd7OwmaXIDxp01fxpqgIcKRyAK/Scog+KRseqHLlUI+PyVxwxVU8ccvAU69ivg7wzNFZjNaVFPo5DfcxXy2dx1dq6E/5j0kC1Z7JLbrtIDHXX08jU/8= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1716532393; h=Content-Transfer-Encoding:Cc:Cc:Date:Date:From:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:Subject:To:To:Message-Id:Reply-To; bh=zLSi8jNb6aLJgWzZ+IgVUOGD8rbT/z95MGmZBAD1j5Y=; b=Ed+Jacb590njcwX6az5mR+iidSjuHNN2jMXATn+mbE8R3aA7+SjSX0G+kg/Jha0wg6m6dWmxHsPWZzG3elRzta0MLSZD0VqKQCrcv0Y2c0mEh9v0YBD4u1SulFP4ZiZ7mZtBSKS873kra3rMrxPHG9e/+BBoFi5hUH6Ib5nMATg= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org Return-Path: Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mx.zohomail.com with SMTPS id 171653239345036.974310453399426; Thu, 23 May 2024 23:33:13 -0700 (PDT) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1sAOSx-0005wx-VQ; Fri, 24 May 2024 02:31:48 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1sAOSk-0005vR-F6 for qemu-devel@nongnu.org; Fri, 24 May 2024 02:31:41 -0400 Received: from mail-io1-xd31.google.com ([2607:f8b0:4864:20::d31]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1sAOSd-0004MM-Hn for qemu-devel@nongnu.org; Fri, 24 May 2024 02:31:33 -0400 Received: by mail-io1-xd31.google.com with SMTP id ca18e2360f4ac-7e21742025aso387318139f.2 for ; Thu, 23 May 2024 23:29:27 -0700 (PDT) Received: from anolis-dev.zelin.local ([221.122.98.162]) by smtp.gmail.com with ESMTPSA id 41be03b00d2f7-682274bbbe8sm497918a12.93.2024.05.23.23.29.23 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 23 May 2024 23:29:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smartx-com.20230601.gappssmtp.com; s=20230601; t=1716532166; x=1717136966; darn=nongnu.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=zLSi8jNb6aLJgWzZ+IgVUOGD8rbT/z95MGmZBAD1j5Y=; b=o5uMRViOiLGOEzAOlLdmmTyLqjEhAgSEmUwWh4iyBJQZp75vH8Q4uxRz/1Io1iee99 ezwLjcrTCLdrQMrN85DKnQc7vLURo35G8FmoZrEZ/npfcqqE9tfiT5Vh/locu6i7k6/o U5/owv5wPnaKjXmOdaZKZt/OIwyeKcHJUjEqUbhQl0YPol0RVMk77yY9XlmD668wiexn 61S7W4u4SXbvAzHNLojd9GbW9OieZc/QhcSPezmVS1lnDXcqesJlFsunuu33MRDo3M3O gC8yTweoaegzBDgJYphFOus21Qb3aCSQlxmCGDH8aDb7AjdTSsOh5tq3g7eoALHaFbb+ n3iQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1716532166; x=1717136966; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=zLSi8jNb6aLJgWzZ+IgVUOGD8rbT/z95MGmZBAD1j5Y=; b=sqzttzyD9NSDXM/090MXvscOyu/HJb1SI206eLKCGYm06BAHzWYhSacnqDnr44sAVC TX1ew2Isp69p6GNeQnSO6u84d5HrzhFqTHeINbfFF2AGXSDuCqKIBO+lZXGkmDp1pP7K z6NvQ3T3zQWb5CbbHpoJTTVqqn3YLYHcJprxuSD5dqb0TQQ9sYChBh8/r9kYRo+pBosX oCJwRRW+AAw+I0E9LgPUjrVl8V/SBsiKPW5JANKXTMrh/iGmaVD5bbtveo13UGo87HqA c68uwSnXwjaL5DWiyQYFaCTQmdaUEpcseARe6gxq/2hyeCMNTjEJzL2PzLbO8M4URyVd Q9zA== X-Gm-Message-State: AOJu0YzavwNV1nRy633aNp2uK+nx/pKV8UK2cpDfbtyyfNVyItC4+PrJ qYCB5zXAqpPAWwvWPEJhCseypZNZxKk4ARfW0Ck0Wbi+ObfSVDAoVH05mSsPAVKd4LxvUPar4w9 7ew4c2w== X-Google-Smtp-Source: AGHT+IHGjSf7eLL9s3gdKJrzMUlYptjopazfFjwToMpPPgNMFdXZ/pqdYU1i24sSXqw+P1ZuPdaNUw== X-Received: by 2002:a05:6e02:2190:b0:371:3085:4345 with SMTP id e9e14a558f8ab-3737b2bc880mr17088015ab.14.1716532165276; Thu, 23 May 2024 23:29:25 -0700 (PDT) From: Hyman Huang To: qemu-devel@nongnu.org Cc: Paolo Bonzini , Fam Zheng , yong.huang@smartx.com Subject: [PATCH 2/2] scsi-disk: Fix crash for VM configured with USB CDROM after live migration Date: Fri, 24 May 2024 14:29:16 +0800 Message-Id: <878c8f093f3fc2f584b5c31cb2490d9f6a12131a.1716531409.git.yong.huang@smartx.com> X-Mailer: git-send-email 2.39.3 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Received-SPF: pass (zohomail.com: domain of gnu.org designates 209.51.188.17 as permitted sender) client-ip=209.51.188.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Received-SPF: none client-ip=2607:f8b0:4864:20::d31; envelope-from=yong.huang@smartx.com; helo=mail-io1-xd31.google.com X-Spam_score_int: -18 X-Spam_score: -1.9 X-Spam_bar: - X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: qemu-devel-bounces+importer=patchew.org@nongnu.org X-ZohoMail-DKIM: pass (identity @smartx-com.20230601.gappssmtp.com) X-ZM-MESSAGEID: 1716532394673100005 Content-Type: text/plain; charset="utf-8" For VMs configured with the USB CDROM device: -drive file=3D/path/to/local/file,id=3Ddrive-usb-disk0,media=3Dcdrom,readon= ly=3Don... -device usb-storage,drive=3Ddrive-usb-disk0,id=3Dusb-disk0... QEMU process may crash after live migration, to reproduce the issue, configure VM (Guest OS ubuntu 20.04 or 21.10) with the following XML:
Do the live migration repeatedly, crash may happen after live migratoin, trace log at the source before live migration is as follows: 324808@1711972823.521945:usb_uhci_frame_start nr 319 324808@1711972823.521978:usb_uhci_qh_load qh 0x35cb5400 324808@1711972823.521989:usb_uhci_qh_load qh 0x35cb5480 324808@1711972823.521997:usb_uhci_td_load qh 0x35cb5480, td 0x35cbe000, ctr= l 0x0, token 0xffe07f69 324808@1711972823.522010:usb_uhci_td_nextqh qh 0x35cb5480, td 0x35cbe000 324808@1711972823.522022:usb_uhci_qh_load qh 0x35cb5680 324808@1711972823.522030:usb_uhci_td_load qh 0x35cb5680, td 0x75ac5180, ctr= l 0x19800000, token 0x3c903e1 324808@1711972823.522045:usb_uhci_packet_add token 0x103e1, td 0x75ac5180 324808@1711972823.522056:usb_packet_state_change bus 0, port 2, ep 2, packe= t 0x559f9ba14b00, state undef -> setup 324808@1711972823.522079:usb_msd_cmd_submit lun 0, tag 0x472, flags 0x00000= 080, len 10, data-len 8 324808@1711972823.522107:scsi_req_parsed target 0 lun 0 tag 1138 command 74= dir 1 length 8 324808@1711972823.522124:scsi_req_parsed_lba target 0 lun 0 tag 1138 comman= d 74 lba 4096 324808@1711972823.522139:scsi_req_alloc target 0 lun 0 tag 1138 324808@1711972823.522169:scsi_req_continue target 0 lun 0 tag 1138 324808@1711972823.522181:scsi_req_data target 0 lun 0 tag 1138 len 8 324808@1711972823.522194:usb_packet_state_change bus 0, port 2, ep 2, packe= t 0x559f9ba14b00, state setup -> complete 324808@1711972823.522209:usb_uhci_packet_complete_success token 0x103e1, td= 0x75ac5180 324808@1711972823.522219:usb_uhci_packet_del token 0x103e1, td 0x75ac5180 324808@1711972823.522232:usb_uhci_td_complete qh 0x35cb5680, td 0x75ac5180 trace log at the destination after live migration is as follows: 3286206@1711972823.951646:usb_uhci_frame_start nr 320 3286206@1711972823.951663:usb_uhci_qh_load qh 0x35cb5100 3286206@1711972823.951671:usb_uhci_qh_load qh 0x35cb5480 3286206@1711972823.951680:usb_uhci_td_load qh 0x35cb5480, td 0x35cbe000, ct= rl 0x1000000, token 0xffe07f69 3286206@1711972823.951693:usb_uhci_td_nextqh qh 0x35cb5480, td 0x35cbe000 3286206@1711972823.951702:usb_uhci_qh_load qh 0x35cb5700 3286206@1711972823.951709:usb_uhci_td_load qh 0x35cb5700, td 0x75ac5240, ct= rl 0x39800000, token 0xe08369 3286206@1711972823.951727:usb_uhci_queue_add token 0x8369 3286206@1711972823.951735:usb_uhci_packet_add token 0x8369, td 0x75ac5240 3286206@1711972823.951746:usb_packet_state_change bus 0, port 2, ep 1, pack= et 0x56066b2fb5a0, state undef -> setup 3286206@1711972823.951766:usb_msd_data_in 8/8 (scsi 8) 2024-04-01 12:00:24.665+0000: shutting down, reason=3Dcrashed The backtrace reveals the following: Program terminated with signal SIGSEGV, Segmentation fault. 0 __memmove_sse2_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-= vec-unaligned-erms.S:312 312 movq -8(%rsi,%rdx), %rcx [Current thread is 1 (Thread 0x7f0a9025fc00 (LWP 3286206))] (gdb) bt 0 __memmove_sse2_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-= vec-unaligned-erms.S:312 1 memcpy (__len=3D8, __src=3D, __dest=3D) at= /usr/include/bits/string_fortified.h:34 2 iov_from_buf_full (iov=3D, iov_cnt=3D, off= set=3D, buf=3D0x0, bytes=3Dbytes@entry=3D8) at ../util/iov.c= :33 3 iov_from_buf (bytes=3D8, buf=3D, offset=3D= , iov_cnt=3D, iov=3D) at /usr/src/debug/qemu-6-6.2.0-75.7.oe1.smartx.git.40.x86_64/include/qem= u/iov.h:49 4 usb_packet_copy (p=3Dp@entry=3D0x56066b2fb5a0, ptr=3D, by= tes=3Dbytes@entry=3D8) at ../hw/usb/core.c:636 5 usb_msd_copy_data (s=3Ds@entry=3D0x56066c62c770, p=3Dp@entry=3D0x56066b2= fb5a0) at ../hw/usb/dev-storage.c:186 6 usb_msd_handle_data (dev=3D0x56066c62c770, p=3D0x56066b2fb5a0) at ../hw/= usb/dev-storage.c:496 7 usb_handle_packet (dev=3D0x56066c62c770, p=3Dp@entry=3D0x56066b2fb5a0) a= t ../hw/usb/core.c:455 8 uhci_handle_td (s=3Ds@entry=3D0x56066bd5f210, q=3D0x56066bb7fbd0, q@entr= y=3D0x0, qh_addr=3Dqh_addr@entry=3D902518530, td=3Dtd@entry=3D0x7fffe6e788f= 0, td_addr=3D, int_mask=3Dint_mask@entry=3D0x7fffe6e788e4) at ../hw/usb/hcd-uhci.c:885 9 uhci_process_frame (s=3Ds@entry=3D0x56066bd5f210) at ../hw/usb/hcd-uhci.= c:1061 10 uhci_frame_timer (opaque=3Dopaque@entry=3D0x56066bd5f210) at ../hw/usb/h= cd-uhci.c:1159 11 timerlist_run_timers (timer_list=3D0x56066af26bd0) at ../util/qemu-timer= .c:642 12 qemu_clock_run_timers (type=3DQEMU_CLOCK_VIRTUAL) at ../util/qemu-timer.= c:656 13 qemu_clock_run_all_timers () at ../util/qemu-timer.c:738 14 main_loop_wait (nonblocking=3Dnonblocking@entry=3D0) at ../util/main-loo= p.c:542 15 qemu_main_loop () at ../softmmu/runstate.c:739 16 main (argc=3D, argv=3D, envp=3D) at ../softmmu/main.c:52 (gdb) frame 5 (gdb) p ((SCSIDiskReq *)s->req)->iov $1 =3D {iov_base =3D 0x0, iov_len =3D 0} (gdb) p/x s->req->tag $2 =3D 0x472 When designing the USB mass storage device model, QEMU places SCSI disk device as the backend of USB mass storage device. In addition, USB mass device driver in Guest OS conforms to the "Universal Serial Bus Mass Storage Class Bulk-Only Transport" specification in order to simulate the transform behavior between a USB controller and a USB mass device. The following shows the protocol hierarchy: +----------------+ CDROM driver | scsi command | CDROM +----------------+ +-----------------------+ USB mass | USB Mass Storage Class| USB mass storage driver | Bulk-Only Transport | storage device +-----------------------+ +----------------+ USB Controller | USB Protocol | USB device +----------------+ In the USB protocol layer, between the USB controller and USB device, at least two USB packets will be transformed when guest OS send a read operation to USB mass storage device: 1. The CBW packet, which will be delivered to the USB device's Bulk-Out endpoint. In order to simulate a read operation, the USB mass storage device parses the CBW and converts it to a SCSI command, which would be executed by CDROM(represented as SCSI disk in QEMU internally), and store the result data of the SCSI command in a buffer. 2. The DATA-IN packet, which will be delivered from the USB device's Bulk-In endpoint(fetched directly from the preceding buffer) to the USB controller. We consider UHCI to be the controller. The two packets mentioned above may have been processed by UHCI in two separate frame entries of the Frame List , and also described by two different TDs. Unlike the physical environment, a virtualized environment requires the QEMU to make sure that the result data of CBW is not lost and is delivered to the UHCI controller. Currently, these types of SCSI requests are not migrated, so QEMU cannot ensure the result data of the IO operation is not lost if there are inflight emulated SCSI requests during the live migration. Assume for the moment that the USB mass storage device is processing the CBW and storing the result data of the read operation to a buffre, live migration happens and moves the VM to the destination while not migrating the result data of the read operation. After migration, when UHCI at the destination issues a DATA-IN request to the USB mass storage device, a crash happens because USB mass storage device fetches the result data and get nothing. The scenario this patch addresses is this one. Theoretically, any device that uses the SCSI disk as a back-end would be affected by this issue. In this case, it is the USB CDROM. To fix it, inflight emulated SCSI request be migrated during live migration, similar to the DMA SCSI request. Signed-off-by: Hyman Huang --- hw/scsi/scsi-disk.c | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/hw/scsi/scsi-disk.c b/hw/scsi/scsi-disk.c index 0985676f73..d6e9d9e8d4 100644 --- a/hw/scsi/scsi-disk.c +++ b/hw/scsi/scsi-disk.c @@ -160,6 +160,16 @@ static void scsi_disk_save_request(QEMUFile *f, SCSIRe= quest *req) } } =20 +static void scsi_disk_emulate_save_request(QEMUFile *f, SCSIRequest *req) +{ + SCSIDiskReq *r =3D DO_UPCAST(SCSIDiskReq, req, req); + SCSIDiskState *s =3D DO_UPCAST(SCSIDiskState, qdev, r->req.dev); + + if (s->migrate_emulate_scsi_request) { + scsi_disk_save_request(f, req); + } +} + static void scsi_disk_load_request(QEMUFile *f, SCSIRequest *req) { SCSIDiskReq *r =3D DO_UPCAST(SCSIDiskReq, req, req); @@ -183,6 +193,16 @@ static void scsi_disk_load_request(QEMUFile *f, SCSIRe= quest *req) qemu_iovec_init_external(&r->qiov, &r->iov, 1); } =20 +static void scsi_disk_emulate_load_request(QEMUFile *f, SCSIRequest *req) +{ + SCSIDiskReq *r =3D DO_UPCAST(SCSIDiskReq, req, req); + SCSIDiskState *s =3D DO_UPCAST(SCSIDiskState, qdev, r->req.dev); + + if (s->migrate_emulate_scsi_request) { + scsi_disk_load_request(f, req); + } +} + /* * scsi_handle_rw_error has two return values. False means that the error * must be ignored, true means that the error has been processed and the @@ -2593,6 +2613,8 @@ static const SCSIReqOps scsi_disk_emulate_reqops =3D { .read_data =3D scsi_disk_emulate_read_data, .write_data =3D scsi_disk_emulate_write_data, .get_buf =3D scsi_get_buf, + .load_request =3D scsi_disk_emulate_load_request, + .save_request =3D scsi_disk_emulate_save_request, }; =20 static const SCSIReqOps scsi_disk_dma_reqops =3D { @@ -3137,7 +3159,7 @@ static Property scsi_hd_properties[] =3D { static int scsi_disk_pre_save(void *opaque) { SCSIDiskState *dev =3D opaque; - dev->migrate_emulate_scsi_request =3D false; + dev->migrate_emulate_scsi_request =3D true; =20 return 0; } --=20 2.39.3