Bug 136087

Summary: (sr_mod - usb(?)) kernel oops due to grip w/ cdparanoia
Product: [Fedora] Fedora
Reporter: Dams <anvil>
Component: kernel
Assignee: Dave Jones <davej>
Status: CLOSED ERRATA
QA Contact: Brian Brock <bbrock>
Severity: medium
Priority: medium
Version: 3
CC: anvil, pfrields, pjones, wtogami
Hardware: i686   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2005-09-29 07:56:53 UTC

Description Dams 2004-10-17 19:28:30 UTC
Description of problem:
(Sorry if it's not a 100% Fedora kernel. I've applied a small patch to
fix detection of my USB CD-ROM device. See bug #131127)

Here is the proc/scsi/scsi entry for the cdrom device:
Host: scsi1 Channel: 00 Id: 00 Lun: 00
  Vendor: PIONEER  Model: DVD-RW  DVR-107D Rev: 1.10
  Type:   CD-ROM                           ANSI SCSI revision: 02

It's plugged into a USB2 controller.

I'm pretty sure this happened when I killed grip. I was extracting an
audio CD, but it seemed the medium was "bad". Since grip was stuck in
the audio extraction, I had to kill it (SIGTERM, not SIGKILL). grip was
using cdparanoia. (I'm CCing pjones, since it's not the first time I've
encountered problems with cdparanoia and the kernel).

Here is the kernel oops trace:

usb 4-3: reset high speed USB device using address 2
SCSI error : <1 0 0 0> return code = 0x6000000
usb 4-3: reset high speed USB device using address 2
scsi: Device offlined - not ready after error recovery: host 1 channel 0 id 0 lun 0
SCSI error : <1 0 0 0> return code = 0x70000
scsi1 (0:0): rejecting I/O to offline device
scsi1 (0:0): rejecting I/O to offline device
Unable to handle kernel NULL pointer dereference at virtual address 00000008
 printing eip:
22aac6f5
*pde = 00004001
Oops: 0000 [#1]
SMP 
Modules linked in: pcspkr nfsd exportfs lockd autofs4 sunrpc ds
yenta_socket pcmcia_core nls_utf8 loop sr_mod joydev button battery ac
radeon md5 ipv6 usb_storage ehci_hcd ohci_hcd tuner bttv video_buf
i2c_algo_bit v4l2_common btcx_risc i2c_core videodev hw_random
snd_bt87x emu10k1_gp gameport snd_emu10k1 snd_rawmidi snd_pcm_oss
snd_mixer_oss snd_pcm snd_timer snd_seq_device snd_ac97_codec
snd_page_alloc snd_util_mem snd_hwdep snd soundcore 3c59x ext3 jbd
raid1 dm_mod aic7xxx sd_mod scsi_mod
CPU:    0
EIP:    0060:[<22aac6f5>]    Not tainted VLI
EFLAGS: 00010287   (2.6.8-1.610.anvilsmp) 
EIP is at sr_block_ioctl+0x1f/0x4a [sr_mod]
eax: 036d23c0   ebx: 00002285   ecx: 099cb080   edx: 00000000
esi: 1c128c14   edi: 110f3740   ebp: 036d23c0   esp: 1bf27f58
ds: 007b   es: 007b   ss: 0068
Process grip (pid: 2384, threadinfo=1bf27000 task=1880f3a0)
Stack: 00002285 099cb080 22aaf160 022131d8 099cb080 110f3740 1c128c14 032d54e0
       13411d20 0230d580 00002285 110f3740 1dc42e70 02159e77 099cb080 021626ea
       099cb080 ffffffe7 00000001 f567e2e8 00000000 021234bf 1bf27fc4 1842e274
Call Trace:
 [<022131d8>] blkdev_ioctl+0x34b/0x358
 [<02159e77>] block_ioctl+0x11/0x13
 [<021626ea>] sys_ioctl+0x211/0x253
 [<021234bf>] sys_gettimeofday+0x25/0x55
Code: <3>Debug: sleeping function called from invalid context at include/linux/rwsem.h:43
in_atomic():0[expected: 0], irqs_disabled():1
 [<0211dbf3>] __might_sleep+0x7d/0x8a
 [<0214e011>] rw_vm+0xe5/0x28c
 [<22aac6ca>] sr_block_release+0x61/0x6d [sr_mod]
 [<22aac6ca>] sr_block_release+0x61/0x6d [sr_mod]
 [<0214e475>] get_user_size+0x30/0x57
 [<22aac6ca>] sr_block_release+0x61/0x6d [sr_mod]
 [<021061c4>] show_registers+0x115/0x16c
 [<0210635b>] die+0xdb/0x16b
 [<02120290>] vprintk+0x136/0x14a
 [<02119997>] do_page_fault+0x421/0x5e7
 [<22aac6f5>] sr_block_ioctl+0x1f/0x4a [sr_mod]
 [<02145747>] do_wp_page+0x2d9/0x2f2
 [<021462f4>] handle_mm_fault+0xbd/0x175
 [<02119734>] do_page_fault+0x1be/0x5e7
 [<02119576>] do_page_fault+0x0/0x5e7
 [<22aac6f5>] sr_block_ioctl+0x1f/0x4a [sr_mod]
 [<022131d8>] blkdev_ioctl+0x34b/0x358
 [<02159e77>] block_ioctl+0x11/0x13
 [<021626ea>] sys_ioctl+0x211/0x253
 [<021234bf>] sys_gettimeofday+0x25/0x55
 Bad EIP value.

Version-Release number of selected component:
kernel-smp-2.6.8-1.610.anvil - cdparanoia-alpha9.8-24

How reproducible: Didn't try

Comment 1 Peter Jones 2004-10-18 16:07:47 UTC
What version of cdparanoia is installed?  If you run "cdparanoia -v
-Q", what does it say after "Checking /dev/foo for cdrom..."?

Basically, I'm wondering if you're using sg, SG_IO, or the cooked
ioctls.  I suspect it's the cooked mode, since it's in block_ioctl and
not scsi_cmd_ioctl (like you'd see for SG_IO), but I'd like to be sure.
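
Added example (not part of the bug report and not any commenter's code): a Python triage of the oops text from the description that extracts the faulting symbol and the first call trace, then applies the check described in comment 1, namely whether scsi_cmd_ioctl is on the fault path. The names triage, SAMPLE, FRAME and EIP are made up for this example; it also lists registers holding 0x2285, the SG_IO request number from <scsi/sg.h>, which is a hint only.

```python
import re

SG_IO = 0x2285  # SG_IO request number as defined in <scsi/sg.h>

# Excerpt of the oops from the description, wrapped lines rejoined.
SAMPLE = """\
Unable to handle kernel NULL pointer dereference at virtual address 00000008
EIP is at sr_block_ioctl+0x1f/0x4a [sr_mod]
eax: 036d23c0   ebx: 00002285   ecx: 099cb080   edx: 00000000
Process grip (pid: 2384, threadinfo=1bf27000 task=1880f3a0)
Call Trace:
 [<022131d8>] blkdev_ioctl+0x34b/0x358
 [<02159e77>] block_ioctl+0x11/0x13
 [<021626ea>] sys_ioctl+0x211/0x253
 [<021234bf>] sys_gettimeofday+0x25/0x55
Code: <3>Debug: sleeping function called from invalid context at include/linux/rwsem.h:43
 [<0211dbf3>] __might_sleep+0x7d/0x8a
"""

FRAME = re.compile(r"\s*\[<[0-9a-f]+>\]\s+(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+")
EIP = re.compile(r"EIP is at (\w+)\+0x([0-9a-f]+)/0x[0-9a-f]+(?: \[(\w+)\])?")

def triage(oops):
    """Summarise an i386 2.6-era oops: fault address, faulting symbol, first trace."""
    out = {"fault_addr": None, "symbol": None, "module": None, "trace": []}
    m = re.search(r"at virtual address\s+([0-9a-f]{8})", oops)
    if m:
        out["fault_addr"] = int(m.group(1), 16)
    m = EIP.search(oops)
    if m:
        out["symbol"], out["offset"], out["module"] = m.group(1), int(m.group(2), 16), m.group(3)
    # Keep only the first trace: frames after "Code:" come from the oops handler.
    in_trace = False
    for line in oops.splitlines():
        if line.startswith("Call Trace:"):
            in_trace = True
        elif in_trace:
            f = FRAME.match(line)
            if not f:
                break
            out["trace"].append(f.group(1))
    # A fault address in the first page usually means a field read through NULL.
    out["null_member_deref"] = out["fault_addr"] is not None and out["fault_addr"] < 0x1000
    # The check described in comment 1: is scsi_cmd_ioctl on the fault path?
    out["scsi_cmd_ioctl_in_trace"] = "scsi_cmd_ioctl" in out["trace"]
    # Hint only: which register holds the ioctl command depends on the kernel build.
    regs = re.findall(r"\b(e[a-z]{2}):[ \t]+([0-9a-f]{8})", oops)
    out["sg_io_regs"] = [r for r, v in regs if int(v, 16) == SG_IO]
    return out
```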

Comment 2 Dave Jones 2005-07-15 20:10:03 UTC
An update has been released for Fedora Core 3 (kernel-2.6.12-1.1372_FC3) which
may contain a fix for your problem. Please update to this new kernel, and
report whether or not it fixes your problem.

If you have updated to Fedora Core 4 since this bug was opened, and the problem
still occurs with the latest updates for that release, please change the version
field of this bug to 'fc4'.

Thank you.