Open Source Mobile Communications: Issues
https://osmocom.org/
https://osmocom.org/favicon.ico?1664741409
2017-03-14T14:54:26Z
Open Source Mobile Communications
Redmine
libosmocore - Bug #1982 (Resolved): LAPD: segfault in lapd_est_req function
https://osmocom.org/issues/1982
2017-03-14T14:54:26Z
kluchnikov
<p>This issue occurs once a day on one of loaded BTS (osmo-bts-trx is used).<br />It seems that this issue is related with <a class="issue tracker-1 status-5 priority-2 priority-default closed" title="Bug: LAPD: segfault in T200 call-back (Closed)" href="https://osmocom.org/issues/1760">#1760</a> <a class="issue tracker-1 status-3 priority-2 priority-default closed" title="Bug: LAPD: segfault when bootstrapping Nokia InSite (Resolved)" href="https://osmocom.org/issues/1761">#1761</a> <a class="issue tracker-1 status-1 priority-2 priority-default" title="Bug: Review LAPD code for race conditions regarding state, particularly in RELEASE (New)" href="https://osmocom.org/issues/1762">#1762</a>.<br />As you can see it crashes in lapd_est_req funtion on line:<br /><pre>
lapd_core.c 1769: dl->tx_hist[0].msg = lapd_msgb_alloc(msg->len, "HIST");
</pre><br /> because dl->tx_hist = 0x0 at this point.</p>
<p>The cause of this issue is not obvious for me, so any help will be appreciated.</p>
<p>See full backtrace below.<br /><pre>
#0 0x00007f46ecd99aa5 in lapd_est_req (dp=<optimized out>, lctx=0x7f46ed80b8b8) at lapd_core.c:1769
dl = 0x7f46ed80b888
msg = 0x7f46eeab4940
nctx = {dl = 0x7f46ed80b888, n201 = 20, cr = 1 '\001', sapi = 3 '\003', tei = 0 '\000', lpd = 0 '\000', format = 3 '\003', p_f = 1 '\001', n_send = 0 '\000',
n_recv = 0 '\000', s_u = 7 '\a', length = 0, more = 0 '\000'}
#1 0x00007f46ecd9dda8 in rslms_rx_rll_est_req (msg=msg@entry=0x7f46eeab4940, dl=dl@entry=0x7f46ed80b888) at lapdm.c:845
rllh = <optimized out>
chan_nr = <optimized out>
link_id = <optimized out>
sapi = <optimized out>
tv = {lv = {{len = 0, val = 0x0} <repeats 256 times>}}
length = 0 '\000'
n201 = 20 '\024'
dp = {oph = {sap = 0, primitive = 2, operation = PRIM_OP_REQUEST, msg = 0x7f46eeab4940}, u = {error_ind = {cause = 1 '\001'}, rel_req = {mode = 1 '\001'}}}
#2 0x00007f46ecd9fc03 in rslms_rx_rll (lc=0x7f46ed80b398, msg=0x7f46eeab4940) at lapdm.c:1157
rllh = <optimized out>
msg_type = 4
dl = 0x7f46ed80b888
sapi = 3 '\003'
le = <optimized out>
rc = 0
#3 lapdm_rslms_recvmsg (msg=0x7f46eeab4940, lc=0x7f46ed80b398) at lapdm.c:1223
rslh = <optimized out>
#4 0x00007f46ed63773d in rsl_rx_rll (msg=<optimized out>, trx=<optimized out>) at rsl.c:2178
rh = <optimized out>
lchan = <optimized out>
#5 down_rsl (trx=<optimized out>, msg=<optimized out>) at rsl.c:2541
rslh = <optimized out>
ret = 0
#6 0x00007f46ed641529 in sign_link_cb (msg=<optimized out>) at abis.c:169
link = <optimized out>
#7 0x00007f46ec54b111 in ipaccess_bts_read_cb (link=0x7f46eeab4940, msg=0x0) at input/ipaccess.c:807
hh = 0x1
e1i_ts = <optimized out>
sign_link = <optimized out>
ret = -290764341
#8 0x00007f46ec548a8e in ipa_client_read (link=0x7f46ee26ae30) at input/ipa.c:74
ofd = 0x7f46ee25ce18
msg = 0x7f46eeab4940
ret = <optimized out>
#9 ipa_client_fd_cb (ofd=<optimized out>, what=1) at input/ipa.c:137
link = 0x7f46ee26ae30
error = -290764480
ret = <optimized out>
len = 4
#10 0x00007f46ecfc726f in osmo_fd_disp_fds (_eset=0x7ffe7a9fcd20, _wset=0x7ffe7a9fcca0, _rset=0x7ffe7a9fcc20) at select.c:167
flags = 1
ufd = 0x7f46ee25ce18
tmp = 0x7f46ee25d3f0
work = 1
#11 osmo_select_main (polling=polling@entry=0) at select.c:207
readset = {__fds_bits = {0 <repeats 16 times>}}
writeset = {__fds_bits = {0 <repeats 16 times>}}
exceptset = {__fds_bits = {0 <repeats 16 times>}}
rc = <optimized out>
no_time = {tv_sec = 0, tv_usec = 0}
#12 0x00007f46ed63fc25 in bts_main (argc=5, argv=<optimized out>) at main.c:359
btsb = 0x7f46ee22f6b0
trx = <optimized out>
line = <optimized out>
rc = <optimized out>
i = <optimized out>
#13 0x00007f46ebd76f45 in __libc_start_main (main=0x7f46ed61b120 <main>, argc=5, argv=0x7ffe7a9fcf18, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>,
stack_end=0x7ffe7a9fcf08) at libc-start.c:287
result = <optimized out>
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, 4313346456460387904, 139942607040805, 140730955714320, 0, 0, -4314201601083251136, -4228385196325935552}, mask_was_saved = 0}},
priv = {pad = {0x0, 0x0, 0x7ffe7a9fcf48, 0x7f46ed60f1c8}, data = {prev = 0x0, cleanup = 0x0, canceltype = 2057293640}}}
not_first_call = <optimized out>
#14 0x00007f46ed61b14e in _start ()
</pre></p>
<pre>
(gdb) print *dl
$2 = {send_dlsap = 0x7f46ecd9e600 <send_rslms_dlsap>, send_ph_data_req = 0x7f46ecd9e3f0 <lapdm_send_ph_data_req>, update_pending_frames = 0x7f46ecd9dad0 <update_pending_frames>, cr = {
loc2rem = {cmd = 1 '\001', resp = 0 '\000'}, rem2loc = {cmd = 0 '\000', resp = 1 '\001'}}, mode = LAPD_MODE_NETWORK, use_sabme = 0, reestablish = 0, n200 = 23, n200_est_rel = 5,
lctx = {dl = 0x7f46ed80b888, n201 = 20, cr = 0 '\000', sapi = 3 '\003', tei = 0 '\000', lpd = 0 '\000', format = 0 '\000', p_f = 0 '\000', n_send = 0 '\000', n_recv = 0 '\000',
s_u = 0 '\000', length = 0, more = 0 '\000'}, maxf = 200, k = 1 '\001', v_range = 8 '\b', v_send = 3 '\003', v_ack = 2 '\002', v_recv = 0 '\000', state = 4, seq_err_cond = 0,
own_busy = 0 '\000', peer_busy = 0 '\000', t200_sec = 1, t200_usec = 0, t203_sec = 0, t203_usec = 0, t200 = {node = {rb_parent_color = 139942619707121, rb_right = 0x7f46ee23f158,
rb_left = 0x0}, list = {next = 0x7f46ed80b918, prev = 0x7f46ed80b918}, timeout = {tv_sec = 1489476828, tv_usec = 792795}, active = 0, cb = 0x7f46ecd9acb0 <lapd_t200_cb>,
data = 0x7f46ed80b888}, t203 = {node = {rb_parent_color = 0, rb_right = 0x0, rb_left = 0x0}, list = {next = 0x0, prev = 0x0}, timeout = {tv_sec = 0, tv_usec = 0}, active = 0,
cb = 0x7f46ecd996c0 <lapd_t203_cb>, data = 0x7f46ed80b888}, retrans_ctr = 5 '\005', tx_queue = {next = 0x7f46ed80b9a8, prev = 0x7f46ed80b9a8}, send_queue = {next = 0x7f46ed80b9b8,
prev = 0x7f46ed80b9b8}, send_buffer = 0x0, send_out = 49, tx_hist = 0x0, range_hist = 2 '\002', rcv_buffer = 0x0, cont_res = 0x0}
</pre>