Open Source Mobile Communications (https://osmocom.org/)
OsmoBSC - Bug #3975: osmo-bsc crash during startup with nokia insite
https://osmocom.org/issues/3975?journal_id=14215 2019-05-04T11:57:45Z laforge
<p>On Sat, May 04, 2019 at 11:14:10AM +0000, tnt [REDMINE] wrote:</p>
<blockquote>
<p>So right after freeing the SAP, we try to send a RNR on the dl that was <em>just</em> freed so obviously this doesn't work out ...</p>
</blockquote>
<p>The RNR is generated from the lapd_rx_i() function, which seems to suggest we receive an I frame on a LAPD instance (dl) that had just been freed?</p>
https://osmocom.org/issues/3975?journal_id=14216 2019-05-04T12:20:31Z tnt
<p>With breakpoints I captured that during the same call chain to process the received LAPD message, we first free the SAP instance and a bit later we try to send a RNR over it.</p>
<p>lapd_core.c:1604 - This will trigger the SAP release<br />lapd_core.c:1683 - This tries to send a RNR</p>
<pre>
Breakpoint 1, lapd_sap_free (sap=0x822f1b8) at input/lapd.c:271
warning: Source file is more recent than executable.
271 {
(gdb) bt
#0 lapd_sap_free (sap=0x822f1b8) at input/lapd.c:271
#1 0xb7f09200 in send_dlsap (dp=0xbfffe640, lctx=0x822f1ec) at input/lapd.c:659
#2 0xb7f69448 in send_dl_l3 (msg=0x0, op=3 '\003', prim=3 '\003', lctx=0x822f1ec) at lapd_core.c:375
#3 send_dl_simple (lctx=0x822f1ec, op=3 '\003', prim=3 '\003') at lapd_core.c:382
#4 lapd_rel_req (dp=0xbfffe72c, lctx=0x822f1ec) at lapd_core.c:2095
#5 0xb7f6e51a in lapd_recv_dlsap (dp=dp@entry=0xbfffe72c, lctx=lctx@entry=0x822f1ec) at lapd_core.c:2247
#6 0xb7f0a6e9 in lapd_sap_stop (li=0x822f098, tei=1 '\001', sapi=62 '>') at input/lapd.c:551
#7 0x08084eb3 in start_sabm_in_line (line=0x822f688, start=start@entry=0, sapi=sapi@entry=-1) at bts_nokia_site.c:119
#8 0x08086035 in abis_nm_rcvmsg_fom (mb=mb@entry=0x825ff38) at bts_nokia_site.c:1595
#9 0x0808672f in abis_nokia_rcvmsg (msg=0x825ff38) at bts_nokia_site.c:1694
#10 0xb7efeca4 in e1inp_rx_ts (ts=ts@entry=0x8230758, msg=msg@entry=0x825ff38, tei=tei@entry=1 '\001', sapi=sapi@entry=62 '>')
at e1_input.c:598
#11 0xb7eff28a in e1inp_dlsap_up (dp=0xbffff290, tei=1 '\001', sapi=62 '>', rx_cbdata=0x8230758) at e1_input.c:681
#12 0xb7f0913e in send_dlsap (dp=0xbffff290, lctx=0xbffff324) at input/lapd.c:666
#13 0xb7f6df86 in send_dl_l3 (msg=0x825ff38, lctx=0xbffff324, op=2 '\002', prim=1 '\001') at lapd_core.c:375
#14 lapd_rx_i (lctx=0xbffff324, msg=0x825ff38) at lapd_core.c:1604
#15 lapd_ph_data_ind (msg=msg@entry=0x825ff38, lctx=lctx@entry=0xbffff324) at lapd_core.c:1708
#16 0xb7f09b65 in lapd_receive (li=0x822f098, msg=msg@entry=0x825ff38, error=error@entry=0xbffff3ac) at input/lapd.c:491
#17 0xb7eff39b in e1inp_rx_ts_lapd (e1i_ts=e1i_ts@entry=0x8230758, msg=msg@entry=0x825ff38) at e1_input.c:642
#18 0xb7f038c7 in handle_ts1_read (bfd=0x8230cc4) at input/dahdi.c:193
#19 dahdi_fd_cb (bfd=0x8230cc4, what=1) at input/dahdi.c:496
#20 0xb7f21baf in osmo_fd_disp_fds (_eset=0xbffff570, _wset=0xbffff4f0, _rset=0xbffff470) at select.c:223
#21 osmo_select_main (polling=polling@entry=0) at select.c:263
#22 0x0804f72c in main (argc=4, argv=0xbffff704) at osmo_bsc_main.c:952
(gdb) b lapd_send_rnr
Breakpoint 2 at 0xb7f6a690: file lapd_core.c, line 468.
(gdb) c
Continuing.
<0014> input/lapd.c:274 LAPD Freeing SAP for SAPI=62 / TEI=1 (dl=0x822f1c8, sap=0x822f1b8)
<0014> lapd_core.c:310 Resetting LAPDm instance
<0014> lapd_core.c:237 new state LAPD_STATE_IDLE -> LAPD_STATE_IDLE (dl=0x822f1c8)
<0014> lapd_core.c:237 new state LAPD_STATE_IDLE -> LAPD_STATE_NULL (dl=0x822f1c8)
<0014> lapd_core.c:1681 we are busy, send RNR2 (dl=0x822f1c8)
Breakpoint 2, lapd_send_rnr (lctx=lctx@entry=0xbffff324, f_bit=f_bit@entry=0 '\000', cmd=cmd@entry=0 '\000') at lapd_core.c:468
468 {
(gdb) bt
#0 lapd_send_rnr (lctx=lctx@entry=0xbffff324, f_bit=f_bit@entry=0 '\000', cmd=cmd@entry=0 '\000') at lapd_core.c:468
#1 0xb7f6d3bf in lapd_rx_i (lctx=0xbffff324, msg=0x825ff38) at lapd_core.c:1683
#2 lapd_ph_data_ind (msg=msg@entry=0x825ff38, lctx=lctx@entry=0xbffff324) at lapd_core.c:1708
#3 0xb7f09b65 in lapd_receive (li=0x822f098, msg=msg@entry=0x825ff38, error=error@entry=0xbffff3ac) at input/lapd.c:491
#4 0xb7eff39b in e1inp_rx_ts_lapd (e1i_ts=e1i_ts@entry=0x8230758, msg=msg@entry=0x825ff38) at e1_input.c:642
#5 0xb7f038c7 in handle_ts1_read (bfd=0x8230cc4) at input/dahdi.c:193
#6 dahdi_fd_cb (bfd=0x8230cc4, what=1) at input/dahdi.c:496
#7 0xb7f21baf in osmo_fd_disp_fds (_eset=0xbffff570, _wset=0xbffff4f0, _rset=0xbffff470) at select.c:223
#8 osmo_select_main (polling=polling@entry=0) at select.c:263
#9 0x0804f72c in main (argc=4, argv=0xbffff704) at osmo_bsc_main.c:952
</pre>
https://osmocom.org/issues/3975?journal_id=14293 2019-05-08T15:14:38Z tnt
<ul><li><strong>Related to</strong> <i><a class="issue tracker-1 status-3 priority-2 priority-default closed" href="/issues/1761">Bug #1761</a>: LAPD: segfault when bootstrapping Nokia InSite</i> added</li></ul>
https://osmocom.org/issues/3975?journal_id=15295 2019-07-18T06:00:54Z laforge
<ul><li><strong>Assignee</strong> set to <i>laforge</i></li></ul>
https://osmocom.org/issues/3975?journal_id=18093 2020-04-27T20:23:44Z laforge
https://osmocom.org/issues/3975?journal_id=18094 2020-04-27T20:24:28Z laforge
<ul><li><strong>Related to</strong> <i><a class="issue tracker-2 status-3 priority-2 priority-default closed" href="/issues/4514">Feature #4514</a>: OM2000 Support for Ericsson RBS6000 / DUG 20</i> added</li></ul>
https://osmocom.org/issues/3975?journal_id=18241 2020-05-11T05:22:03Z tnt
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Closed</i></li></ul><p>That's fixed actually.</p>