I found an assertion failure in usb_cancel_packet() and posted my analysis in https://gitlab.com/qemu-project/qemu/-/issues/1180. I think this issue is caused by the inconsistency when resetting ohci root hubs.
There are two ways to reset ohci root hubs: 1) through HcRhPortStatus, 2) through HcControl. However, when the packet's status is USB_PACKET_ASYNC, resetting through HcRhPortStatus will complete the packet and thus resetting through HcControl will fail. That is because IMO resetting through HcRhPortStatus should first detach the port and then invoke usb_device_reset() just like through HcControl. Therefore, I change usb_device_reset() to usb_port_reset() where usb_detach() and usb_device_reset() are invoked consequently.

Fixes: d28f4e2d8631 ("usb: kill USB_MSG_RESET")
Reported-by: Qiang Liu <cyruscy...@gmail.com>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1180
Signed-off-by: Qiang Liu <cyruscy...@gmail.com>
--- hw/usb/hcd-ohci.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hw/usb/hcd-ohci.c b/hw/usb/hcd-ohci.c index 895b29fb86..72df917834 100644 --- a/hw/usb/hcd-ohci.c +++ b/hw/usb/hcd-ohci.c @@ -1426,7 +1426,7 @@ static void ohci_port_set_status(OHCIState *ohci, int portnum, uint32_t val) if (ohci_port_set_if_connected(ohci, portnum, val & OHCI_PORT_PRS)) { trace_usb_ohci_port_reset(portnum); - usb_device_reset(port->port.dev); + usb_port_reset(&port->port); port->ctrl &= ~OHCI_PORT_PRS; /* ??? Should this also set OHCI_PORT_PESC. */ port->ctrl |= OHCI_PORT_PES | OHCI_PORT_PRSC; -- 2.25.1
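
Review bot: The new call usb_port_reset(&port->port) in ohci_port_set_status() needs its side effects on port->ctrl checked and documented. Per the commit message it now runs usb_detach() before usb_device_reset(), yet the lines that follow still update port->ctrl (clearing OHCI_PORT_PRS, then setting OHCI_PORT_PES | OHCI_PORT_PRSC) as if only the device had been reset. Please confirm that the detach step does not leave status or change bits in port->ctrl that a guest would read as a disconnect after a plain port reset, and say so in the commit message. A short comment above the call stating that the port-level reset is used so that a packet in USB_PACKET_ASYNC is treated the same way as on the HcControl path would keep someone from switching it back to usb_device_reset() later. The message also says that resetting through HcControl "will fail" without naming the failure; stating there that it is the usb_cancel_packet() assertion would make the log self-contained. The existing "??? Should this also set OHCI_PORT_PESC" question sits right below the changed line and is worth answering or leaving explicitly out of scope.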