Bug 141900

Summary: Kernel oops when hot-pulling usb dvdrom device.
Product: [Fedora] Fedora
Reporter: Dams <anvil>
Component: kernel
Assignee: Dave Jones <davej>
Status: CLOSED DUPLICATE
QA Contact: Brian Brock <bbrock>
Severity: medium
Priority: medium
Version: 3
CC: anvil, pfrields, sitsofe, wtogami
Hardware: i686   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2004-12-06 13:34:38 UTC

Description Dams 2004-12-04 23:58:37 UTC
Description of problem:
I've pulled the plug of my dvd rom device for <insert bogus reason
here> and I've noticed that the kernel dumped a stack trace in the dmesg.

Here's the trace:

usb 4-3: USB disconnect, address 2
scsi: Device offlined - not ready after error recovery: host 1 channel 0 id 0 lun 0
sr 1:0:0:0: Illegal state transition cancel->offline
Badness in scsi_device_set_state at drivers/scsi/scsi_lib.c:1691
 [<22857495>] scsi_device_set_state+0xc8/0xd3 [scsi_mod]
 [<228556db>] scsi_eh_offline_sdevs+0x49/0x5e [scsi_mod]
 [<22855bc1>] scsi_unjam_host+0x15a/0x16b [scsi_mod]
 [<22855ce4>] scsi_error_handler+0x112/0x15a [scsi_mod]
 [<22855bd2>] scsi_error_handler+0x0/0x15a [scsi_mod]
 [<021041f1>] kernel_thread_helper+0x5/0xb
Unable to handle kernel NULL pointer dereference at virtual address 00000008
 printing eip:
02219e23
*pde = 00004001
Oops: 0000 [#1]
SMP
Modules linked in: radeon pcspkr nfsd exportfs lockd autofs4 eeprom
w83781d i2c_sensor i2c_isa i2c_amd756 sunrpc ds yenta_socket
pcmcia_core nls_utf8 loop sr_mod joydev button battery ac md5 ipv6
usb_storage ehci_hcd ohci_hcd tuner bttv video_buf i2c_algo_bit
v4l2_common btcx_risc i2c_core videodev snd_bt87x hw_random emu10k1_gp
gameport snd_emu10k1 snd_rawmidi snd_pcm_oss snd_mixer_oss snd_pcm
snd_timer snd_seq_device snd_ac97_codec snd_page_alloc snd_util_mem
snd_hwdep snd soundcore 3c59x ext3 jbd raid1 dm_mod aic7xxx sd_mod
scsi_mod
CPU:    0
EIP:    0060:[<02219e23>]    Not tainted VLI
EFLAGS: 00010046   (2.6.9-1.681_FC3smp)
EIP is at cfq_insert_request+0x45/0xdf
eax: 21a38088   ebx: 03634eb0   ecx: 00000001   edx: 03634eb0
esi: 00000001   edi: 00000000   ebp: 00000000   esp: 1d55df28
ds: 007b   es: 007b   ss: 0068
Process scsi_eh_1 (pid: 2330, threadinfo=1d55d000 task=1d550bd0)
Stack: 21a38088 21a38088 00000001 03634eb0 00000001 0221125e 00000001 03634eb0
       21a38088 02211220 00000000 0221311f 00000202 20652860 202bcc00 21e04400
       00001057 22855f9e 20652860 00000001 20652860 1d55dfa4 1d55dfa4 1d55dfac
Call Trace:
 [<0221125e>] __elv_add_request+0x3c/0x71
 [<02211220>] elv_requeue_request+0x29/0x2b
 [<0221311f>] blk_insert_request+0x38/0xa1
 [<22855f9e>] scsi_queue_insert+0x84/0x8d [scsi_mod]
 [<22855a16>] scsi_eh_flush_done_q+0x7d/0xce [scsi_mod]
 [<22855bca>] scsi_unjam_host+0x163/0x16b [scsi_mod]
 [<22855ce4>] scsi_error_handler+0x112/0x15a [scsi_mod]
 [<22855bd2>] scsi_error_handler+0x0/0x15a [scsi_mod]
 [<021041f1>] kernel_thread_helper+0x5/0xb
Code: 74 29 eb 51 83 f9 03 74 33 eb 4a 8b 04 24 89 fa e8 08 fd ff ff 85 c0 75 f2 8b 47 08 8b 50 04 89 03 89 58 04 89 1a 89 53 04 eb 3f <8b> 47 08 8b 10 89 5a 04 89 13 89 43 04 89 18 eb 2e f6 42 08 10
 <6>eth0: Setting half-duplex based on MII #24 link partner capability of 0000.

After a fresh reboot, I've been able to reproduce it. Didn't try further.

Here's the entry matching the dvdrom device in proc/scsi/scsi: 
Host: scsi1 Channel: 00 Id: 00 Lun: 00
  Vendor: PIONEER  Model: DVD-RW  DVR-107D Rev: 1.10
  Type:   CD-ROM                           ANSI SCSI revision: 02

Since it seems to be scsi-related, I also have a scsi u160 controller:
00:08.0 SCSI storage controller: Adaptec AIC-7892B U160/m (rev 02)
with 3 hard drives plugged into it:

Host: scsi0 Channel: 00 Id: 00 Lun: 00
  Vendor: IBM      Model: ST318305LW       Rev: C507
  Type:   Direct-Access                    ANSI SCSI revision: 03
Host: scsi0 Channel: 00 Id: 01 Lun: 00
  Vendor: IBM      Model: DDYS-T18350N     Rev: S93E
  Type:   Direct-Access                    ANSI SCSI revision: 03
Host: scsi0 Channel: 00 Id: 02 Lun: 00
  Vendor: IBM      Model: DDYS-T18350N     Rev: S93E
  Type:   Direct-Access                    ANSI SCSI revision: 03

I've got an onboard usb1 controller and a usb2 controller on a pci
card. Result is the same whatever the controller the device is
unplugged from. lspci references to usb controllers:

00:09.0 USB Controller: NEC Corporation USB (rev 41)
00:09.1 USB Controller: NEC Corporation USB (rev 41)
00:09.2 USB Controller: NEC Corporation USB 2.0 (rev 02)
02:00.0 USB Controller: Advanced Micro Devices [AMD] AMD-768 [Opus] USB (rev 07)

Version-Release number of selected component: kernel-smp-2.6.9-1.681_FC3

Steps to Reproduce:
1. Pull the usb plug of the dvdrom device.
2. Run dmesg
3. Look at the shiny oops

Comment 1 Sitsofe Wheeler 2004-12-06 09:21:49 UTC
There are quite a few USB oops bugs already... in bug #139665 someone has posted
a trace which is identical to this one though.

Comment 2 Sitsofe Wheeler 2004-12-06 09:34:16 UTC
Lots of similar traces in bug #138755

Comment 3 Dams 2004-12-06 13:34:38 UTC

*** This bug has been marked as a duplicate of 138755 ***