Bug 593388 - cupsd crashes with segfault when printing and print server is busy
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: cups
Version: 13
Hardware: All Linux
Priority: low
Severity: medium
Assigned To: Tim Waugh
QA Contact: Fedora Extras Quality Assurance
Reported: 2010-05-18 13:33 EDT by Orion Poplawski
Modified: 2011-01-10 18:56 EST
Doc Type: Bug Fix
Last Closed: 2011-01-10 18:56:26 EST

Description Orion Poplawski 2010-05-18 13:33:36 EDT
Description of problem:

Had a print job queued and with print server busy, cups crashed.

Core was generated by `cupsd -C /etc/cups/cupsd.conf'.
Program terminated with signal 11, Segmentation fault.
#0  __strcmp_ia32 () at ../sysdeps/i386/i686/strcmp.S:39
39      L(oop): movb    (%ecx), %al
Missing separate debuginfos, use: debuginfo-install cyrus-sasl-lib-2.1.23-11.fc13.i686 keyutils-libs-1.2-6.fc12.i686 libattr-2.4.44-3.fc13.i686 libgcrypt-1.4.5-4.fc13.i686 libgpg-error-1.7-1.fc13.i686 libtasn1-2.4-2.fc13.i686 nss-softokn-freebl-3.12.4-17.fc13.i686 openssl-1.0.0-1.fc13.i686
(gdb) bt
#0  __strcmp_ia32 () at ../sysdeps/i386/i686/strcmp.S:39
#1  0x00154776 in compare_sp_items (a=0x5ec, b=0x1a4cc08) at string.c:787
#2  0x0012bb70 in cups_array_find (a=0x1a15038, e=0x5ec, prev=74, rdiff=0xbfd84118)
    at array.c:1037
#3  0x0012bcd3 in cupsArrayFind (a=0x1a15038, e=0x5ec) at array.c:375
#4  0x0015429d in _cupsStrFree (s=0x5f0 <Address 0x5f0 out of bounds>) at string.c:335
#5  0x00d4a562 in cupsdSetString (s=0x1a25590, 
    v=0xbfd84229 "Network host 'earth.cora.nwra.com' is busy; will retry in 5 seconds...")
    at main.c:1442
#6  0x00d6c001 in update_job (job=0x1a23150) at job.c:4630
#7  0x00d7afb8 in cupsdDoSelect (timeout=1) at select.c:501
#8  0x00d4b0ce in main (argc=3, argv=0xbfd85064) at main.c:863
(gdb) up
#1  0x00154776 in compare_sp_items (a=0x5ec, b=0x1a4cc08) at string.c:787
787       return (strcmp(a->str, b->str));
(gdb) print *(char[50]*)b->str
$4 = "com.apple.print.recoverable-warning\000\000\000\000\000Y\000\000\000\001\000\000\000Ne"
(gdb) print *job
$9 = {id = 29, priority = 50, dirty = 1, state_value = IPP_JOB_PROCESSING, 
  pending_timeout = 0, username = 0x1a21e74 "orion", dest = 0x1a23d9c "poe", dtype = 2, 
  num_files = 1, filetypes = 0x1a39548, compressions = 0x1a394e0, sheets = 0x1a21bf8, 
  access_time = 0, kill_time = 0, hold_until = 1274201296, state = 0x1a426f0, 
  job_sheets = 0x1a21bf8, printer_message = 0x1a3de98, printer_reasons = 0x1a24210, 
  current_file = 1, attrs = 0x1a1c828, print_pipes = {-1, -1}, back_pipes = {-1, -1}, 
  side_pipes = {-1, -1}, status_pipes = {14, -1}, status_buffer = 0x1a41308, status_level = 7, 
  cost = 100, pending_cost = 0, filters = {0 <repeats 21 times>}, backend = 8154, status = 0, 
  printer = 0x1a24fa8, tries = 0, auth_username = 0x0, auth_domain = 0x0, auth_password = 0x0, 
  profile = 0x0, history = 0x1a24ab0, progress = 0, ccache = 0x0, ccname = 0x0, 
  scon = 0x1a24a9c "UNKNOWN SL", auid = 0}
(gdb) print *job->printer
$10 = {uri = 0x1a23718 "", hostname = 0xfe6640 "8f\376", name = 0x1a24fa0 "", 
  location = 0x1a24fa0 "", make_model = 0x0, info = 0x0, op_policy = 0x0, error_policy = 0x0, 
  op_policy_ptr = 0x1a1e8e8, shared = 0, accepting = 1, holding_new_jobs = 0, 
  in_implicit_class = 0, state = IPP_PRINTER_IDLE, 
  state_message = "Connecting to printer...", '\000' <repeats 999 times>, num_reasons = 2, 
  reasons = {0x1a3e30c "connecting-to-device", 
    0x1a4cc0c "com.apple.print.recoverable-warning", 0x0 <repeats 62 times>}, 
  state_time = 1274193365, job_sheets = {0x0, 0x0}, type = 16781398, browse_attrs = 0x0, 
  browse_expire = 1274201630, browse_time = 1274201330, device_uri = 0x0, 
  sanitized_device_uri = 0x0, port_monitor = 0x0, raw = 1, remote = 1, filetype = 0x1a236d8, 
  prefiltertype = 0x0, filetypes = 0x0, job = 0x1a23150, attrs = 0x1a40780, ppd_attrs = 0x0, 
  num_printers = 0, last_printer = 0, printers = 0x0, quota_period = 0, page_limit = 0, 
  k_limit = 0, quotas = 0x0, deny_users = 0, num_users = 0, users = 0x0, num_history = 0, 
  history = 0x0, sequence_number = 0, num_options = 2, options = 0x1a54830, 
  num_auth_info_required = 0, auth_info_required = {0x0, 0x0, 0x0, 0x0}, alert = 0x0, 
  alert_description = 0x0, marker_time = 0, filters = 0x0, pre_filters = 0x0, 
  recoverable = 0x5f0 <Address 0x5f0 out of bounds>}

looks like jobs->printer->recoverable is garbage.

Version-Release number of selected component (if applicable):
cups-1.4.3-6.fc13.i686
Comment 1 Orion Poplawski 2010-05-18 13:34:22 EDT
Seemed to trigger a crash in F12 as well, but the backtrace there is quite different.
Comment 2 Tim Waugh 2010-05-19 10:43:51 EDT
So, the problem is that for some reason job->printer->recoverable has some sort of uninitialized or corrupted value, 0x5f0.

#4  0x0015429d in _cupsStrFree (s=0x5f0 <Address 0x5f0 out of bounds>) at string.c:335
#5  0x00d4a562 in cupsdSetString (s=0x1a25590, 
    v=0xbfd84229 "Network host 'earth.cora.nwra.com' is busy; will retry in 5 seconds...")
    at main.c:1442
#6  0x00d6c001 in update_job (job=0x1a23150) at job.c:4630

But it's worse than that: job->printer is almost entirely garbage.  No name, no device_uri, etc.

Are you able to repeat this?  It almost seems like the printer object is getting freed while we're still using it.

Can you create a tarball of the contents of /etc/cups and /var/cache/cups, to see if it can be reproduced elsewhere?
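
The defensive pattern for the failure Comment 2 suspects (a printer object freed, or never initialized, while a job still points at it), as an added example that is not part of this bug report and is not CUPS code or its fix. All type and function names below are hypothetical, simplified stand-ins for the objects seen in the backtrace.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified stand-ins for cupsd's job and printer objects. */
typedef struct printer_s printer_t;
typedef struct { int id; printer_t *printer; } job_t;   /* printer: back-pointer */
struct printer_s { char *recoverable; job_t *job; };    /* job: job bound to us */

/* Replace *s with a heap copy of v and free the previous value. */
static void set_string(char **s, const char *v) {
    char *copy = NULL;
    if (v && (copy = malloc(strlen(v) + 1)) != NULL)
        strcpy(copy, v);
    free(*s);              /* crashes or corrupts the heap if *s is garbage */
    *s = copy;
}

/* calloc zeroes every field, so recoverable starts as NULL, never garbage. */
printer_t *new_printer(job_t *job) {
    printer_t *p = calloc(1, sizeof(*p));
    if (p) { p->job = job; job->printer = p; }
    return p;
}

/* Detach the job before freeing, so job->printer cannot dangle. */
void delete_printer(printer_t *p) {
    if (p->job) p->job->printer = NULL;
    free(p->recoverable);
    free(p);
}

/* Backend status message: 0 if stored, -1 if the printer no longer exists. */
int update_job(job_t *job, const char *msg) {
    if (!job->printer) return -1;
    set_string(&job->printer->recoverable, msg);
    return 0;
}

/* Constructed scenario: the queue is deleted while its job is still active. */
int demo(void) {
    job_t job = { 29, NULL };
    printer_t *p = new_printer(&job);
    if (!p || update_job(&job, "host is busy; will retry") != 0) return -2;
    delete_printer(p);
    return update_job(&job, "late status message");
}

int main(void) { return demo() == -1 ? 0 : 1; }
```

Without the detach in delete_printer, the second update_job call would free whatever bytes now occupy the old printer's recoverable field, which is the shape of the crash in frames #4 to #6.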
Comment 3 Orion Poplawski 2010-05-20 12:57:28 EDT
I think I need to re-create the server busy condition.  Have any suggestions on how to do that?
Comment 4 Tim Waugh 2010-05-21 08:09:40 EDT
Adjust the hostname in the URI to point to any host that will refuse the connection.
Comment 5 Orion Poplawski 2010-05-25 12:11:28 EDT
Here's how I set up a reproducer:

CentOS 5.5 (don't know if this matters) server - created a generic printer "test" going to file:///dev/null and shared it.

Fedora 13 client - spool a job on test.  In my case I got a "/usr/lib/cups/filter/foomatic-rip failed" error so the job stayed active.

Shut down the cups service on the server - cupsd on the client crashes.

I also have several shared printers from another server - not sure if this matters or not.  Tarball of etc/cups and var/cache/cups is here:

http://sw.cora.nwra.com/tmp/cups.tar.gz
Comment 6 Tim Waugh 2011-01-10 10:43:30 EST
I hope that cups-1.4.5-4.fc13 contains the fix for this.  See bug #660604.

Could you please re-test with cups-1.4.5-4.fc13 or newer?
Comment 7 Orion Poplawski 2011-01-10 18:56:26 EST
I appear to be unable to reproduce the original conditions.  I'll mark as closed though and reopen if I ever see it again.
