[sane-devel] segfault while canceling (mustek/scsi)

Henning Meier-Geinitz henning at meier-geinitz.de
Sun Mar 9 19:33:52 GMT 2003


Hi,

[responding to myself:]

On Mon, Mar 03, 2003 at 12:38:28AM +0100, Henning Meier-Geinitz wrote:
> The crash happens with different Mustek SCSI scanners. So it sure
> looks like a mustek backend problem.

Finally, the reason for the bug is known: it's in sanei_scsi.c,
function sanei_scsi_flush_all_extended(). That code doesn't wait for
all SCSI commands to finish. So if the backend frees the read buffer
after flush_all, the SCSI code writes to an invalid memory area. That
may cause trouble later and it did in case of the mustek backend.  The
reader process is killed after a cancel. So a SCSI read command will
try to write to a buffer of a process that is already killed.

This bug affects all SCSI backends that use sanei_scsi_flush_all when
a SCSI command is still running. The segmentation fault seems to
depend on the code flow and it happens rather seldom so users of other
backends may not notice it at all.

> Sure looks like a red herring but if I only change the O_NONBLOCK the
> segfaults go away.

Not a red herring. Without O_NONBLOCK flush waits for the command to
finish.

The fix is in CVS now. Thanks to Abel Deuring who found the real
problem and showed the solution.

Bye,
  Henning
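The race Henning describes (a flush that returns before outstanding SCSI reads have landed, followed by the backend freeing the read buffer) is easy to reproduce in a small model. The block below is an added illustration, not sane or sanei_scsi code; the queue, the `read_buffer_t` type with its `freed` marker and the two `flush_all_*` variants are all hypothetical. Instead of really writing into freed memory it counts completions that arrive after the buffer was released, which is what an address sanitizer would flag in the real driver. `flush_all_nowait` plays the role of the non-blocking flush that caused the crash; `flush_all_wait` is the blocking behaviour the fix restores.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of an asynchronous SCSI read queue (not sanei_scsi). */
#define MAX_PENDING 8
#define BUF_SIZE 64

/* A read buffer with a "freed" marker so a late write can be detected
   rather than silently corrupting memory. */
typedef struct {
    unsigned char data[BUF_SIZE];
    int freed;
} read_buffer_t;

/* One queued read: the device fills dst asynchronously, some time later. */
typedef struct {
    read_buffer_t *dst;
    size_t len;
} pending_cmd_t;

static pending_cmd_t in_flight[MAX_PENDING];
static int n_in_flight;
static int stale_writes; /* completions that landed in an already freed buffer */

/* Backend side: queue a read command; returns 0 on success, -1 if it cannot be queued. */
static int issue_read(read_buffer_t *dst, size_t len)
{
    if (n_in_flight == MAX_PENDING || len > BUF_SIZE)
        return -1;
    in_flight[n_in_flight].dst = dst;
    in_flight[n_in_flight].len = len;
    n_in_flight++;
    return 0;
}

/* Device side: complete the oldest outstanding command by writing into its buffer.
   Returns 1 if a command was completed, 0 if the queue was empty. */
static int device_complete_one(void)
{
    pending_cmd_t cmd;
    if (n_in_flight == 0)
        return 0;
    cmd = in_flight[0];
    memmove(&in_flight[0], &in_flight[1], (size_t)(n_in_flight - 1) * sizeof cmd);
    n_in_flight--;
    if (cmd.dst->freed) {
        stale_writes++; /* the bug: data arrives in memory the backend gave up */
        return 1;
    }
    memset(cmd.dst->data, 0xAB, cmd.len); /* constructed scan data */
    return 1;
}

/* Buggy flush: returns immediately and leaves commands in flight. */
static void flush_all_nowait(void)
{
}

/* Fixed flush: blocks until every queued command has completed. */
static void flush_all_wait(void)
{
    while (n_in_flight > 0)
        device_complete_one();
}

/* Models free(): after this the backend must never see a write into the buffer. */
static void backend_free(read_buffer_t *b)
{
    b->freed = 1;
}

/* Runs the cancel path once and returns how many stale writes the device produced. */
int run_cancel_path(int flush_waits)
{
    read_buffer_t buf = {{0}, 0};
    n_in_flight = 0;
    stale_writes = 0;

    /* Two reads were outstanding when the cancel arrived. */
    issue_read(&buf, 32);
    issue_read(&buf, 32);

    if (flush_waits)
        flush_all_wait();
    else
        flush_all_nowait();
    backend_free(&buf); /* backend assumes nothing can still write here */

    /* Later, the device finishes whatever was still in flight. */
    while (device_complete_one())
        ;
    return stale_writes;
}

int main(void)
{
    printf("non-blocking flush: %d stale writes\n", run_cancel_path(0));
    printf("blocking flush:     %d stale writes\n", run_cancel_path(1));
    return 0;
}
```

With the non-blocking flush both queued reads complete into the released buffer; with the blocking flush the queue is drained before `backend_free` runs and nothing stale is written. The same check (is anything still in flight at the moment a buffer is released?) is what a backend should verify on its cancel path whenever a flush is allowed to return early.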
