Created attachment 1628480 [details]
File: backtrace

Created attachment 1628481 [details]
File: core_backtrace

Created attachment 1628482 [details]
File: cpuinfo

Created attachment 1628483 [details]
File: dso_list

Created attachment 1628484 [details]
File: environ

Created attachment 1628485 [details]
File: limits

Created attachment 1628486 [details]
File: maps

Created attachment 1628487 [details]
File: mountinfo

Created attachment 1628488 [details]
File: open_fds

Created attachment 1628489 [details]
File: proc_pid_status

*** Bug 1765915 has been marked as a duplicate of this bug. ***

I've seen five aborts of udev-configure-printer with system-config-printer-udev-1.5.12-2.fc31.x86_64 from updates-testing. The aborts occurred when I connected an HP PSC 1200 printer via USB to an HP laptop and then powered the printer on or off. The trace indicated that an invalid pointer was freed in frame #3 "free(): invalid pointer" by for_each_matching_queue in frame #5 at udev/udev-configure-printer.c:1518 of system-config-printer-udev-1.5.12-2.fc31.x86_64.

Core was generated by `/usr/lib/udev/udev-configure-printer remove /devices/pci0000:00/0000:00:10.0/us'.
Program terminated with signal SIGABRT, Aborted.
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50        return ret;
Missing separate debuginfos, use: dnf debuginfo-install system-config-printer-udev-1.5.12-2.fc31.x86_64
(gdb) bt full
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
        set = {__val = {0, 0, 0, 139957361577761, 18446744073709551615, 0, 139957362854464, 
            139955804307456, 60700772794367, 2598612845789615360, 272, 15, 94871543442635, 
            139957362849664, 94871543442635, 139957361571771}}
        pid = <optimized out>
        tid = <optimized out>
        ret = <optimized out>
#1  0x00007f4a5ccbb8d9 in __GI_abort () at abort.c:79
        save_stage = 1
        act = {__sigaction_handler = {sa_handler = 0x7ffc536a7930, sa_sigaction = 0x7ffc536a7930}, 
          sa_mask = {__val = {20, 94871531033952, 1, 140721707972912, 2, 94871543400064, 
              139957362039666, 64, 0, 4, 1572415667, 94871543442624, 150, 30064771119, 128849018882, 
              511101108233}}, sa_flags = 3, sa_restorer = 0x564800000001}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2  0x00007f4a5cd164af in __libc_message (action=action@entry=do_abort, 
    fmt=fmt@entry=0x7f4a5ce25f4b "%s\n") at ../sysdeps/posix/libc_fatal.c:181
        ap = {{gp_offset = 24, fp_offset = 4294967295, overflow_arg_area = 0x7ffc536a79a0, 
            reg_save_area = 0x7ffc536a7930}}
        fd = <optimized out>
        list = <optimized out>
        nlist = <optimized out>
        cp = <optimized out>
        written = <optimized out>
#3  0x00007f4a5cd1da6c in malloc_printerr (str=str@entry=0x7f4a5ce240e0 "free(): invalid pointer")
    at malloc.c:5332
--Type <RET> for more, q to quit, c to continue without paging--c
No locals.
#4  0x00007f4a5cd1f44c in _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:4173
        size = 2333554503823943680
        fb = <optimized out>
        nextchunk = <optimized out>
        nextsize = <optimized out>
        nextinuse = <optimized out>
        prevsize = <optimized out>
        bck = <optimized out>
        fwd = <optimized out>
        __PRETTY_FUNCTION__ = "_int_free"
#5  0x00005648ffe7e7a7 in for_each_matching_queue (flags=0, fn=0x5648ffe7d340 <disable_queue>, usblpdev=0x7ffc536a7b50 "", usblpdevlen=<optimized out>, device_uris=<optimized out>, device_uris=<optimized out>, context=0x0) at udev/udev-configure-printer.c:1518
        this_printer_uri = 0x564900a55014 "ipp://localhost/printers/psc_1200"
        printer_state_message = <optimized out>
        device_uri_n = 0x564900a54267 "psc 1200 series serial my3chg83tw5h"
        pi1 = 0x0
        this_device_uri = <optimized out>
        state = 3
        ps1 = 0x564900a550ac "serial=MY3CHG83TW5H"
        pi2 = <optimized out>
        i = 0
        l = <optimized out>
        this_device_uri_n = 0x564900a54477 "psc 1200 series serial my3chg83tw5h"
        ps2 = 0x0
        matched = 1
        cups = <optimized out>
        request = <optimized out>
        answer = <optimized out>
        attr = 0x0
        attributes = {0x5648ffe81156 "printer-uri-supported", 0x5648ffe8116c "device-uri", 0x5648ffe81177 "printer-state", 0x5648ffe81052 "printer-state-message"}
        usblpdevstr1 = '\000' <repeats 31 times>
        usblpdevstr2 = '\000' <repeats 31 times>
        firstqueue = 0
#6  0x00005648ffe7ce74 in do_remove (devaddr=<optimized out>) at udev/udev-configure-printer.c:1839
        map = 0x564900a46ef0
        entry = 0x564900a53360
        prev = 0x564900a46ef0
        uris = 0x564900a53370
        usblpdev = "\000\000\000\000\000\000\000"
        devpath = 0x564900a4c890 "/devices/pci0000:00/0000:00:10.0/usb2/2-3"
        map = <optimized out>
        entry = <optimized out>
        prev = <optimized out>
        uris = <optimized out>
        usblpdev = <optimized out>
        devpath = <optimized out>
        device_uri = <optimized out>
        udev = <optimized out>
#7  main (argc=<optimized out>, argv=<optimized out>) at udev/udev-configure-printer.c:1881
        add = <optimized out>
        enumerate = <optimized out>

device_uri_n appeared to be the invalid pointer since udev/udev-configure-printer.c:1518 was free(device_uri_n); and the address of device_uri_n in frame #5 of the trace was 0x564900a54267 which pointed to the inaccessible address 0x20637370

(gdb) l udev/udev-configure-printer.c:1518
1513
1514          firstqueue = 0;
1515
1516        skip:
1517          if (device_uri_n != NULL)
1518            free(device_uri_n);
1519            device_uri_n = NULL;
1520          if (this_device_uri_n != NULL)
1521            free(this_device_uri_n);
1522            this_device_uri_n = NULL;

(gdb) x 0x564900a54267
0x564900a54267: 0x20637370
(gdb) x 0x20637370
0x20637370:     Cannot access memory at address 0x20637370

I powered on the printer and ran sudo valgrind --log-file=valgrind-udev-configure-printer-remove-2.txt /usr/lib/udev/udev-configure-printer remove /devices/pci0000:00/0000:00:10.0/usb2/2-3 based on the command shown in the abrt by coredumpctl gdb. Two invalid frees in for_each_matching_queue.isra.0.constprop.0 at udev-configure-printer.c:1518 and 1521 were detected. udev-configure-printer.c:1521 was free(this_device_uri_n); so this_device_uri_n might also have been pointing to an inaccessible address.

==5657== Invalid free() / delete / delete[] / realloc()
==5657==    at 0x4839A0C: free (vg_replace_malloc.c:540)
==5657==    by 0x10C7A6: for_each_matching_queue.isra.0.constprop.0 (udev-configure-printer.c:1518)
==5657==    by 0x10AE73: do_remove (udev-configure-printer.c:1839)
==5657==    by 0x10AE73: main (udev-configure-printer.c:1881)
==5657==  Address 0x5c5f427 is 7 bytes inside a block of size 44 alloc'd
==5657==    at 0x483880B: malloc (vg_replace_malloc.c:309)
==5657==    by 0x4B05F2E: strdup (strdup.c:42)
==5657==    by 0x10C0B9: normalize_device_uri (udev-configure-printer.c:1293)
==5657==    by 0x10C68C: for_each_matching_queue.isra.0.constprop.0 (udev-configure-printer.c:1450)
==5657==    by 0x10AE73: do_remove (udev-configure-printer.c:1839)
==5657==    by 0x10AE73: main (udev-configure-printer.c:1881)
==5657== 
==5657== Invalid free() / delete / delete[] / realloc()
==5657==    at 0x4839A0C: free (vg_replace_malloc.c:540)
==5657==    by 0x10C7B8: for_each_matching_queue.isra.0.constprop.0 (udev-configure-printer.c:1521)
==5657==    by 0x10AE73: do_remove (udev-configure-printer.c:1839)
==5657==    by 0x10AE73: main (udev-configure-printer.c:1881)
==5657==  Address 0x5c5f3b7 is 7 bytes inside a block of size 44 alloc'd
==5657==    at 0x483880B: malloc (vg_replace_malloc.c:309)
==5657==    by 0x4B05F2E: strdup (strdup.c:42)
==5657==    by 0x10C0B9: normalize_device_uri (udev-configure-printer.c:1293)
==5657==    by 0x10C61B: for_each_matching_queue.isra.0.constprop.0 (udev-configure-printer.c:1445)
==5657==    by 0x10AE73: do_remove (udev-configure-printer.c:1839)
==5657==    by 0x10AE73: main (udev-configure-printer.c:1881)
==5657== 

I could provide more details if that would help. Thanks.

> I could provide more details if that would help. Thanks.

The valgrind report is already a pretty excellent bug report, thanks!

Looks like this got fixed in https://github.com/OpenPrinting/system-config-printer/commit/cf9903466c1a2d18a701f3b5e8c7e03483e1244d.

(In reply to Michael Catanzaro from comment #13)
> > I could provide more details if that would help. Thanks.
> 
> The valgrind report is already a pretty excellent bug report, thanks!
> 
> Looks like this got fixed in
> https://github.com/OpenPrinting/system-config-printer/commit/
> cf9903466c1a2d18a701f3b5e8c7e03483e1244d.

Michael, the commit you referred to was added to system-config-printer-1.5.12-2.fc31.x86_64 in https://src.fedoraproject.org/rpms/system-config-printer/c/b13b64c8bf6252ebafc18e7689392664dacb22de?branch=f31 which appeared to check if device_uri_n and this_device_uri_n are not null before freeing them. The aborts I reported were with system-config-printer-1.5.12-2 with that commit. The remaining problem in my case might be that device_uri_n and maybe this_device_uri_n weren't null but pointed to invalid/inaccessible addresses, so that possibility could be checked for as well. The printer printed two pages normally even with the udev-configure-printer crash when I powered on the printer. No problem. Thanks.

*** Bug 1767674 has been marked as a duplicate of this bug. ***

Hi Matt,

thank you for checking the update and I'm deeply sorry for the trouble.

The problem was more hidden than I expected, but the newest update should work correctly for now.

FEDORA-2019-08f824c7d5 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-08f824c7d5

(In reply to Zdenek Dohnal from comment #16)
> Hi Matt,
> 
> thank you for checking the update and I'm deeply sorry for the trouble.
> 
> The problem was more hidden than I expected, but the newest update should
> work correctly for now.

Zdenek, I upgraded to system-config-printer-udev-1.5.12-3.fc31. I turned the printer on and off four times, and no aborts happened. I ran valgrind twice as in comment 12, and no invalid frees were shown. I printed two pages which ran normally. Thanks for the fix.

system-config-printer-1.5.12-3.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-08f824c7d5

*** Bug 1768240 has been marked as a duplicate of this bug. ***

*** Bug 1768121 has been marked as a duplicate of this bug. ***

Similar problem has been detected:

Upstream appears to be aware of the problem, see:
https://sourceforge.net/projects/gimp-print/files/gutenprint-5.3/5.3.3/

The README states:

    WARNING: The "canon" and "epson" CUPS backends that previously
    were distributed with Gutenprint are no longer distributed, so you
    will need to ensure that none of your printer queues use these
    backends.  Please read the Critical Upgrade Note in the release
    notes for more information and the procedure for modifying your
    printer queues.

I configured a Canon MP510 printer (USB)  using the Gnome printers setup 
tool.     Cups default configured with the wrong backend, per the above
warning.  I removed the printer  and configured again selecting the USB 
connection, which gives (see MP510 entry):

$ lpstat -s
	no system default destination
	device for Canon_MG7500_series: dnssd://Canon%20MG7500%20series._ipp._tcp.local/?uuid=00000000-0000-1000-8000-D8492FDBF1D0
	device for Canon_MP510: usb://Canon/MP510?serial=20C162&interface=1


reporter:       libreport-2.10.1
backtrace_rating: 4
cgroup:         0::/system.slice/system-configure\x2dprinter.slice/configure-printer
cmdline:        /usr/lib/udev/udev-configure-printer add usb-002-005
crash_function: for_each_matching_queue
executable:     /usr/lib/udev/udev-configure-printer
journald_cursor: s=041ddb00ad7f45d7b8fbadeef86296d1;i=e7939;b=6928b1309870448abdbe98a8484af6f7;m=1468ccc;t=596a2e5ef60e2;x=48d0d41d7a63d36
kernel:         5.3.8-300.fc31.x86_64
package:        system-config-printer-udev-1.5.12-1.fc31
reason:         udev-configure-printer killed by SIGABRT
rootdir:        /
runlevel:       unknown
type:           CCpp
uid:            0

*** Bug 1770255 has been marked as a duplicate of this bug. ***

system-config-printer-1.5.12-3.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.