Project

General

Profile

Bug #1760

LAPD: segfault in T200 call-back

Added by laforge almost 3 years ago. Updated almost 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
-
Target version:
-
Start date:
07/03/2016
Due date:
% Done:

100%

Spec Reference:

Description

<001c> input/lapd.c:628 LAPD DL-RELEASE indication TEI=62 SAPI=62
<001c> lapd_core.c:378 sending MDL-ERROR-IND cause 1
Program received signal SIGSEGV, Segmentation fault.
0xb7f87783 in lapd_dl_flush_hist (dl=<optimized out>, dl=<optimized out>) at lapd_core.c:162
162                     if (dl->tx_hist[i].msg) {
(gdb) p dl
$1 = <optimized out>
(gdb) bt
#0  0xb7f87783 in lapd_dl_flush_hist (dl=<optimized out>, dl=<optimized out>) at lapd_core.c:162
#1  0xb7f892cd in lapd_t200_cb (data=0x8194230) at lapd_core.c:581
#2  0xb7f5a99b in osmo_timers_update () at timer.c:244
#3  0xb7f5b0e3 in osmo_select_main (polling=0) at select.c:188
#4  0x0804d575 in main (argc=3, argv=0xbffffd44) at bsc_hack.c:375

further inspection discovers:

  • dl->tx_hist == NULL
  • dl->range_hist = 2
flush.diff flush.diff 378 Bytes laforge, 07/03/2016 04:52 PM

Related issues

Related to libosmocore - Bug #1761: LAPD: segfault when bootstrapping Nokia InSiteNew2016-07-03

Related to libosmocore - Bug #1762: Review LAPD code for race conditions regarding state, particularly in RELEASENew2016-07-03

History

#1 Updated by laforge almost 3 years ago

  • Status changed from New to In Progress

So it seems T200 is expiring, but the tx_hist array is NULL at that point.

tx_hist is allocated in lapd_dl_init() and set to NULL in lapd_dl_exit().

The latter appears to be executed before the crash:

Breakpoint 1, lapd_dl_exit (dl=0x8194230) at lapd_core.c:319
319     {
(gdb) bt
#0  lapd_dl_exit (dl=0x8194230) at lapd_core.c:319
#1  0xb7f257d3 in lapd_sap_free (sap=0x8194220) at input/lapd.c:249
#2  0xb7f26996 in send_dlsap (dp=0xbffffa14, lctx=0x8194254) at input/lapd.c:629
#3  0xb7f892ba in send_dl_l3 (msg=<optimized out>, lctx=<optimized out>, op=<optimized out>, prim=<optimized out>) at lapd_core.c:359
#4  send_dl_simple (lctx=<optimized out>, op=<optimized out>, prim=<optimized out>) at lapd_core.c:368
#5  lapd_t200_cb (data=0x8194230) at lapd_core.c:577
#6  0xb7f5a99b in osmo_timers_update () at timer.c:244
#7  0xb7f5b0e3 in osmo_select_main (polling=0) at select.c:188
#8  0x0804d575 in main (argc=3, argv=0xbffffd44) at bsc_hack.c:375

#2 Updated by laforge almost 3 years ago

attached diff fixes the crash, but I'm facing other LAPD related issues, not submitting until it is clear.

#3 Updated by laforge almost 3 years ago

  • Status changed from In Progress to Closed
  • % Done changed from 50 to 100

#4 Updated by laforge almost 3 years ago

  • Related to Bug #1761: LAPD: segfault when bootstrapping Nokia InSite added

#5 Updated by laforge almost 3 years ago

  • Related to Bug #1762: Review LAPD code for race conditions regarding state, particularly in RELEASE added

Also available in: Atom PDF

Add picture from clipboard (Maximum size: 48.8 MB)