
Bug #3975

osmo-bsc crash during startup with nokia insite

Added by tnt 7 months ago. Updated 5 months ago.

Status: New
Priority: Normal
Assignee:
Category: -
Target version: -
Start date: 05/04/2019
Due date:
% Done: 0%
Spec Reference:

Description

After issuing the reset of the BTS, something goes wrong.

Relevant end of the log :

<0004> bts_nokia_site.c:1693 ABIS_OM_MDISC_FOM
<0004> bts_nokia_site.c:1521 (0x81) NOKIA_BTS_ACK
<0004> bts_nokia_site.c:1553 ACK = 1
<0014> input/lapd.c:541 LAPD DL-RELEASE request TEI=1 SAPI=62
<0014> lapd_core.c:2243 Message DL-RELEASE-REQUEST received in state LAPD_STATE_MF_EST (dl=0x91171c8)
<0014> lapd_core.c:2083 perform local release (dl=0x91171c8)
<0014> lapd_core.c:237 new state LAPD_STATE_MF_EST -> LAPD_STATE_IDLE (dl=0x91171c8)
<0014> lapd_core.c:230 stop T203 (dl=0x91171c8)
<0014> input/lapd.c:656 LAPD DL-RELEASE confirm TEI=1 SAPI=62
<0014> input/lapd.c:274 LAPD Freeing SAP for SAPI=62 / TEI=1 (dl=0x91171c8, sap=0x91171b8)
<0014> lapd_core.c:310 Resetting LAPDm instance
<0014> lapd_core.c:237 new state LAPD_STATE_IDLE -> LAPD_STATE_IDLE (dl=0x91171c8)
<0014> lapd_core.c:237 new state LAPD_STATE_IDLE -> LAPD_STATE_NULL (dl=0x91171c8)
<0014> lapd_core.c:1681 we are busy, send RNR (dl=0x91171c8)
Segmentation fault

So right after freeing the SAP, we try to send an RNR on the dl that was just freed, so obviously this doesn't work out ...

I couldn't really generate a backtrace, gdb didn't give anything meaningful even on a binary with debug symbols.


Related issues

Related to libosmocore - Bug #1761: LAPD: segfault when bootstrapping Nokia InSite (New, 07/03/2016)

History

#1 Updated by laforge 7 months ago

On Sat, May 04, 2019 at 11:14:10AM +0000, tnt [REDMINE] wrote:

> So right after freeing the SAP, we try to send an RNR on the dl that was just freed, so obviously this doesn't work out ...

The RNR is generated from the lapd_rx_i() function, which seems to suggest we receive an I frame on a LAPD
instance (dl) that had just been freed?

#2 Updated by tnt 7 months ago

With breakpoints I captured that during the same call chain to process the received LAPD message, we first free the SAP instance and a bit later we try to send a RNR over it.

lapd_core.c:1604 - This will trigger the SAP release
lapd_core.c:1683 - This tries to send a RNR

Breakpoint 1, lapd_sap_free (sap=0x822f1b8) at input/lapd.c:271
warning: Source file is more recent than executable.
271    {
(gdb) bt
#0  lapd_sap_free (sap=0x822f1b8) at input/lapd.c:271
#1  0xb7f09200 in send_dlsap (dp=0xbfffe640, lctx=0x822f1ec) at input/lapd.c:659
#2  0xb7f69448 in send_dl_l3 (msg=0x0, op=3 '\003', prim=3 '\003', lctx=0x822f1ec) at lapd_core.c:375
#3  send_dl_simple (lctx=0x822f1ec, op=3 '\003', prim=3 '\003') at lapd_core.c:382
#4  lapd_rel_req (dp=0xbfffe72c, lctx=0x822f1ec) at lapd_core.c:2095
#5  0xb7f6e51a in lapd_recv_dlsap (dp=dp@entry=0xbfffe72c, lctx=lctx@entry=0x822f1ec) at lapd_core.c:2247
#6  0xb7f0a6e9 in lapd_sap_stop (li=0x822f098, tei=1 '\001', sapi=62 '>') at input/lapd.c:551
#7  0x08084eb3 in start_sabm_in_line (line=0x822f688, start=start@entry=0, sapi=sapi@entry=-1) at bts_nokia_site.c:119
#8  0x08086035 in abis_nm_rcvmsg_fom (mb=mb@entry=0x825ff38) at bts_nokia_site.c:1595
#9  0x0808672f in abis_nokia_rcvmsg (msg=0x825ff38) at bts_nokia_site.c:1694
#10 0xb7efeca4 in e1inp_rx_ts (ts=ts@entry=0x8230758, msg=msg@entry=0x825ff38, tei=tei@entry=1 '\001', sapi=sapi@entry=62 '>')
    at e1_input.c:598
#11 0xb7eff28a in e1inp_dlsap_up (dp=0xbffff290, tei=1 '\001', sapi=62 '>', rx_cbdata=0x8230758) at e1_input.c:681
#12 0xb7f0913e in send_dlsap (dp=0xbffff290, lctx=0xbffff324) at input/lapd.c:666
#13 0xb7f6df86 in send_dl_l3 (msg=0x825ff38, lctx=0xbffff324, op=2 '\002', prim=1 '\001') at lapd_core.c:375
#14 lapd_rx_i (lctx=0xbffff324, msg=0x825ff38) at lapd_core.c:1604
#15 lapd_ph_data_ind (msg=msg@entry=0x825ff38, lctx=lctx@entry=0xbffff324) at lapd_core.c:1708
#16 0xb7f09b65 in lapd_receive (li=0x822f098, msg=msg@entry=0x825ff38, error=error@entry=0xbffff3ac) at input/lapd.c:491
#17 0xb7eff39b in e1inp_rx_ts_lapd (e1i_ts=e1i_ts@entry=0x8230758, msg=msg@entry=0x825ff38) at e1_input.c:642
#18 0xb7f038c7 in handle_ts1_read (bfd=0x8230cc4) at input/dahdi.c:193
#19 dahdi_fd_cb (bfd=0x8230cc4, what=1) at input/dahdi.c:496
#20 0xb7f21baf in osmo_fd_disp_fds (_eset=0xbffff570, _wset=0xbffff4f0, _rset=0xbffff470) at select.c:223
#21 osmo_select_main (polling=polling@entry=0) at select.c:263
#22 0x0804f72c in main (argc=4, argv=0xbffff704) at osmo_bsc_main.c:952
(gdb) b lapd_send_rnr
Breakpoint 2 at 0xb7f6a690: file lapd_core.c, line 468.
(gdb) c
Continuing.
<0014> input/lapd.c:274 LAPD Freeing SAP for SAPI=62 / TEI=1 (dl=0x822f1c8, sap=0x822f1b8)
<0014> lapd_core.c:310 Resetting LAPDm instance
<0014> lapd_core.c:237 new state LAPD_STATE_IDLE -> LAPD_STATE_IDLE (dl=0x822f1c8)
<0014> lapd_core.c:237 new state LAPD_STATE_IDLE -> LAPD_STATE_NULL (dl=0x822f1c8)
<0014> lapd_core.c:1681 we are busy, send RNR2 (dl=0x822f1c8)

Breakpoint 2, lapd_send_rnr (lctx=lctx@entry=0xbffff324, f_bit=f_bit@entry=0 '\000', cmd=cmd@entry=0 '\000') at lapd_core.c:468
468    {
(gdb) bt
#0  lapd_send_rnr (lctx=lctx@entry=0xbffff324, f_bit=f_bit@entry=0 '\000', cmd=cmd@entry=0 '\000') at lapd_core.c:468
#1  0xb7f6d3bf in lapd_rx_i (lctx=0xbffff324, msg=0x825ff38) at lapd_core.c:1683
#2  lapd_ph_data_ind (msg=msg@entry=0x825ff38, lctx=lctx@entry=0xbffff324) at lapd_core.c:1708
#3  0xb7f09b65 in lapd_receive (li=0x822f098, msg=msg@entry=0x825ff38, error=error@entry=0xbffff3ac) at input/lapd.c:491
#4  0xb7eff39b in e1inp_rx_ts_lapd (e1i_ts=e1i_ts@entry=0x8230758, msg=msg@entry=0x825ff38) at e1_input.c:642
#5  0xb7f038c7 in handle_ts1_read (bfd=0x8230cc4) at input/dahdi.c:193
#6  dahdi_fd_cb (bfd=0x8230cc4, what=1) at input/dahdi.c:496
#7  0xb7f21baf in osmo_fd_disp_fds (_eset=0xbffff570, _wset=0xbffff4f0, _rset=0xbffff470) at select.c:223
#8  osmo_select_main (polling=polling@entry=0) at select.c:263
#9  0x0804f72c in main (argc=4, argv=0xbffff704) at osmo_bsc_main.c:952
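
The two backtraces above show one call chain: lapd_rx_i() delivers the I frame to the upper layer, the BTS driver tears the SAP down from inside that delivery (frame #0 lapd_sap_free under frame #14 lapd_rx_i), and lapd_rx_i() then continues and sends an RNR on the freed dl. The following is an added illustration of the defensive pattern for that ordering, written for this ticket and not code from libosmocore: the receive path pins the instance with a reference while it is on the stack, and re-checks a "released" flag after the callback before touching the link again. The struct, function names and counters are all hypothetical stand-ins for the real LAPD objects.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of a LAPD data-link instance (not libosmocore's struct). */
struct dl_inst {
    int refcount;   /* holders that may still touch this instance */
    int released;   /* set by the release path; no more I/O on this link */
    int rx_busy;    /* receiver-busy condition: an I frame would be answered with RNR */
    int tei, sapi;
};

/* Constructed bookkeeping so a caller (or a test) can observe what happened. */
static int g_frees = 0;
static int g_rnr_sent = 0;

/* Upper-layer delivery callback, the equivalent of send_dl_l3() in the trace. */
typedef void (*l3_cb_t)(struct dl_inst *dl);

static struct dl_inst *dl_alloc(int tei, int sapi) {
    struct dl_inst *dl = calloc(1, sizeof(*dl));
    if (!dl) abort();
    dl->refcount = 1;   /* the one reference owned by the SAP table */
    dl->tei = tei;
    dl->sapi = sapi;
    return dl;
}

static void dl_get(struct dl_inst *dl) { dl->refcount++; }

static void dl_put(struct dl_inst *dl) {
    if (--dl->refcount == 0) { g_frees++; free(dl); }
}

/* Release path (the role lapd_sap_free plays in the log): mark the link as
 * released and drop the owner's reference. Memory goes away only once no
 * caller further up the stack still holds a reference. */
static void dl_release(struct dl_inst *dl) {
    if (dl->released) return;
    dl->released = 1;
    dl_put(dl);
}

static void send_rnr(struct dl_inst *dl) {
    (void)dl;        /* would encode and transmit an RNR frame; only counted here */
    g_rnr_sent++;
}

/* Distinguish "delivered and answered" from "instance went away during delivery". */
enum rx_result { RX_OK = 0, RX_RELEASED_DURING_CB = 1 };

/* Hardened I-frame receive: hold a reference across the upper-layer callback,
 * then re-check state before using the instance again. */
static enum rx_result rx_i_frame(struct dl_inst *dl, l3_cb_t deliver) {
    enum rx_result res = RX_OK;
    dl_get(dl);                          /* pin the instance while we are on the stack */
    deliver(dl);                         /* may call dl_release(), as the BTS driver did */
    if (dl->released)
        res = RX_RELEASED_DURING_CB;     /* never send RNR on a released link */
    else if (dl->rx_busy)
        send_rnr(dl);
    dl_put(dl);                          /* last reference drops here, after the last use */
    return res;
}

static void cb_release_link(struct dl_inst *dl) { dl_release(dl); }
static void cb_keep_link(struct dl_inst *dl) { (void)dl; }

/* The ticket's ordering: receiver busy, SAP torn down while the I frame is
 * being delivered. Returns 1 if the link was freed exactly once and no RNR
 * was sent on it. */
static int scenario_release_during_delivery(void) {
    struct dl_inst *dl = dl_alloc(1, 62);
    g_frees = 0;
    g_rnr_sent = 0;
    dl->rx_busy = 1;
    enum rx_result r = rx_i_frame(dl, cb_release_link);
    /* dl is gone at this point; it must not be dereferenced. */
    return (r == RX_RELEASED_DURING_CB && g_frees == 1 && g_rnr_sent == 0) ? 1 : 0;
}

/* Control case: link stays up, so a busy receiver does answer with RNR, and
 * the instance is freed only by the normal teardown afterwards. */
static int scenario_busy_link_stays_up(void) {
    struct dl_inst *dl = dl_alloc(1, 62);
    g_frees = 0;
    g_rnr_sent = 0;
    dl->rx_busy = 1;
    enum rx_result r = rx_i_frame(dl, cb_keep_link);
    int ok = (r == RX_OK && g_frees == 0 && g_rnr_sent == 1);
    dl_release(dl);
    return (ok && g_frees == 1) ? 1 : 0;
}

int main(void) {
    printf("release during delivery handled: %d\n", scenario_release_during_delivery());
    printf("busy link answered with RNR:     %d\n", scenario_busy_link_stays_up());
    return 0;
}
```

The point of the reference held in rx_i_frame() is that a callee may legitimately decide to release the link; the receive path just must not be the one that loses the object under its own feet. A "released" flag alone is not enough, since the memory must also survive until the caller has finished with it, which is what the refcount guarantees.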

#3 Updated by tnt 7 months ago

  • Related to Bug #1761: LAPD: segfault when bootstrapping Nokia InSite added

#4 Updated by laforge 5 months ago

  • Assignee set to laforge
