Bug #1762

open

Review LAPD code for race conditions regarding state, particularly in RELEASE

Added by laforge over 7 years ago. Updated almost 3 years ago.

Status:
New
Priority:
Normal
Assignee:
Category:
libosmogsm
Target version:
-
Start date:
07/03/2016
Due date:
% Done:
10%

Spec Reference:

Description

See #1760 and #1761, there are quite some problems that apparently need a more thorough review and/or testing.

Maybe implementing (part of?) the Q.921bis LAPD conformance tests might be an option to catch all of those kind of bugs?

See https://www.itu.int/rec/T-REC-Q.921bis-199303-I/en

Related issues

Related to libosmocore - Bug #1760: LAPD: segfault in T200 call-back (Closed, laforge, 07/03/2016)
Related to OsmoBSC - Bug #1761: LAPD: segfault when bootstrapping Nokia InSite (Resolved, laforge, 07/03/2016)
Related to libosmocore - Bug #1982: LAPD: segfault in lapd_est_req function (Resolved, laforge, 03/14/2017)
Related to OsmocomBB - Bug #2694: SIGSEGV in lapdm code (New, 11/30/2017)

Actions #1

Updated by laforge over 7 years ago

  • Related to Bug #1760: LAPD: segfault in T200 call-back added
Actions #2

Updated by laforge over 7 years ago

  • Related to Bug #1761: LAPD: segfault when bootstrapping Nokia InSite added
Actions #3

Updated by laforge over 7 years ago

Mh. Q.921bis contains TTCN.MP (machine parseable TTCN), but I don't think there are any FOSS tools for old TTCN (pre-TTCN3) available :/

Actions #4

Updated by laforge about 7 years ago

  • Related to Bug #1982: LAPD: segfault in lapd_est_req function added
Actions #5

Updated by laforge over 4 years ago

  • Assignee set to laforge
Actions #6

Updated by laforge almost 4 years ago

  • Related to Bug #2694: SIGSEGV in lapdm code added
Actions #7

Updated by laforge about 3 years ago

  • % Done changed from 0 to 10

I'm currently seeing a related osmo-bsc heap-use-after-free:

The RBS6k is first fully brought up, and then the cable removed (or the RBS powered down):

<0019> input/dahdi.c:140 E1TS(0:1) Line 0((null)) / TS 1 DAHDI EVENT HDLC ABORT
<0019> input/dahdi.c:140 E1TS(0:1) Line 0((null)) / TS 1 DAHDI EVENT ALARM
<0004> bts_ericsson_rbs2000.c:118 inp_sig_cb(): Input signal 'LINE-ALARM' received
<0016> input/lapd.c:550 (0:1-T62-S62): LAPD DL-RELEASE request TEI=62 SAPI=62
<0016> input/lapd.c:550 (0:1-T0-S62): LAPD DL-RELEASE request TEI=0 SAPI=62
<0016> input/lapd.c:550 (0:1-T0-S0): LAPD DL-RELEASE request TEI=0 SAPI=0
<0016> lapd_core.c:426 ((0:1-T0-S0)) sending MDL-ERROR-IND cause 1 from state LAPD_STATE_DISC_SENT
<0016> input/lapd.c:663 ((0:1-T0-S0)) LAPD DL-RELEASE confirm TEI=0 SAPI=0
<0016> input/lapd.c:288 (0:1-T0-S0): LAPD Freeing SAP for SAPI=0 / TEI=0 (dl=0x615000001c80, sap=0x615000001c60)
<0004> bts_ericsson_rbs2000.c:118 inp_sig_cb(): Input signal 'TEI-DOWN' received
<0004> bts_ericsson_rbs2000.c:138 Line-0 TS-1 TEI-0 SAPI-0: Link Lost for Ericsson RBS2000. Re-starting DL Establishment
<0004> abis_om2000.c:2344 OM2000-TRX(0-0)[0x612000008320]{DONE}: Received Event RESET
<0004> abis_om2000.c:2212 OM2000-MO(0-0-TS-00-00-07)[0x6120000093a0]{DONE}: Received Event RESET
<0004> abis_om2000.c:1858 OM2000-MO(0-0-TS-00-00-07)[0x6120000093a0]{DONE}: state_chg to INIT
<0004> abis_om2000.c:2212 OM2000-MO(0-0-TS-00-00-06)[0x612000009220]{DONE}: Received Event RESET
<0004> abis_om2000.c:1858 OM2000-MO(0-0-TS-00-00-06)[0x612000009220]{DONE}: state_chg to INIT
<0004> abis_om2000.c:2212 OM2000-MO(0-0-TS-00-00-05)[0x6120000090a0]{DONE}: Received Event RESET
<0004> abis_om2000.c:1858 OM2000-MO(0-0-TS-00-00-05)[0x6120000090a0]{DONE}: state_chg to INIT
<0004> abis_om2000.c:2212 OM2000-MO(0-0-TS-00-00-04)[0x612000008f20]{DONE}: Received Event RESET
<0004> abis_om2000.c:1858 OM2000-MO(0-0-TS-00-00-04)[0x612000008f20]{DONE}: state_chg to INIT
<0004> abis_om2000.c:2212 OM2000-MO(0-0-TS-00-00-03)[0x612000008da0]{DONE}: Received Event RESET
<0004> abis_om2000.c:1858 OM2000-MO(0-0-TS-00-00-03)[0x612000008da0]{DONE}: state_chg to INIT
<0004> abis_om2000.c:2212 OM2000-MO(0-0-TS-00-00-02)[0x612000008c20]{DONE}: Received Event RESET
<0004> abis_om2000.c:1858 OM2000-MO(0-0-TS-00-00-02)[0x612000008c20]{DONE}: state_chg to INIT
<0004> abis_om2000.c:2212 OM2000-MO(0-0-TS-00-00-01)[0x612000008aa0]{DONE}: Received Event RESET
<0004> abis_om2000.c:1858 OM2000-MO(0-0-TS-00-00-01)[0x612000008aa0]{DONE}: state_chg to INIT
<0004> abis_om2000.c:2212 OM2000-MO(0-0-TS-00-00-00)[0x612000008920]{DONE}: Received Event RESET
<0004> abis_om2000.c:1858 OM2000-MO(0-0-TS-00-00-00)[0x612000008920]{DONE}: state_chg to INIT
<0004> abis_om2000.c:2212 OM2000-MO(0-0-RX-00-ff-00)[0x6120000087a0]{DONE}: Received Event RESET
<0004> abis_om2000.c:1858 OM2000-MO(0-0-RX-00-ff-00)[0x6120000087a0]{DONE}: state_chg to INIT
<0004> abis_om2000.c:2212 OM2000-MO(0-0-TX-00-ff-00)[0x612000008620]{DONE}: Received Event RESET
<0004> abis_om2000.c:1858 OM2000-MO(0-0-TX-00-ff-00)[0x612000008620]{DONE}: state_chg to INIT
<0004> abis_om2000.c:2212 OM2000-MO(0-0-TRXC-00-ff-00)[0x6120000084a0]{DONE}: Received Event RESET
<0004> abis_om2000.c:1858 OM2000-MO(0-0-TRXC-00-ff-00)[0x6120000084a0]{DONE}: state_chg to INIT
<0004> abis_om2000.c:2213 OM2000-TRX(0-0)[0x612000008320]{DONE}: state_chg to INIT
<0019> osmo_bsc_main.c:401 (bts=0,trx=0) Lost E1 RSL link
<000f> lchan_fsm.c:81 lchan(0-0-0-CCCH_SDCCH4-0)[0x6120000096a0]{UNUSED}: (type=NONE) lchan allocation failed in state UNUSED: LCHAN_EV_TS_ERROR
<000f> lchan_fsm.c:145 lchan(0-0-0-CCCH_SDCCH4-0)[0x6120000096a0]{UNUSED}: (type=NONE) lchan activation failed (lchan allocation failed in state UNUSED: LCHAN_EV_TS_ERROR)
<000f> lchan_fsm.c:81 lchan(0-0-0-CCCH_SDCCH4-1)[0x612000009820]{UNUSED}: (type=NONE) lchan allocation failed in state UNUSED: LCHAN_EV_TS_ERROR
<000f> lchan_fsm.c:145 lchan(0-0-0-CCCH_SDCCH4-1)[0x612000009820]{UNUSED}: (type=NONE) lchan activation failed (lchan allocation failed in state UNUSED: LCHAN_EV_TS_ERROR)
<000f> lchan_fsm.c:81 lchan(0-0-0-CCCH_SDCCH4-2)[0x6120000099a0]{UNUSED}: (type=NONE) lchan allocation failed in state UNUSED: LCHAN_EV_TS_ERROR
<000f> lchan_fsm.c:145 lchan(0-0-0-CCCH_SDCCH4-2)[0x6120000099a0]{UNUSED}: (type=NONE) lchan activation failed (lchan allocation failed in state UNUSED: LCHAN_EV_TS_ERROR)
<000f> lchan_fsm.c:81 lchan(0-0-0-CCCH_SDCCH4-3)[0x612000009b20]{UNUSED}: (type=NONE) lchan allocation failed in state UNUSED: LCHAN_EV_TS_ERROR
<000f> lchan_fsm.c:145 lchan(0-0-0-CCCH_SDCCH4-3)[0x612000009b20]{UNUSED}: (type=NONE) lchan activation failed (lchan allocation failed in state UNUSED: LCHAN_EV_TS_ERROR)
<000f> lchan_fsm.c:81 lchan(0-0-1-TCH_F-0)[0x612000009ca0]{UNUSED}: (type=NONE) lchan allocation failed in state UNUSED: LCHAN_EV_TS_ERROR
<000f> lchan_fsm.c:145 lchan(0-0-1-TCH_F-0)[0x612000009ca0]{UNUSED}: (type=NONE) lchan activation failed (lchan allocation failed in state UNUSED: LCHAN_EV_TS_ERROR)
<000f> lchan_fsm.c:81 lchan(0-0-2-TCH_F-0)[0x612000009e20]{UNUSED}: (type=NONE) lchan allocation failed in state UNUSED: LCHAN_EV_TS_ERROR
<000f> lchan_fsm.c:145 lchan(0-0-2-TCH_F-0)[0x612000009e20]{UNUSED}: (type=NONE) lchan activation failed (lchan allocation failed in state UNUSED: LCHAN_EV_TS_ERROR)
<000f> lchan_fsm.c:81 lchan(0-0-3-TCH_F-0)[0x612000009fa0]{UNUSED}: (type=NONE) lchan allocation failed in state UNUSED: LCHAN_EV_TS_ERROR
<000f> lchan_fsm.c:145 lchan(0-0-3-TCH_F-0)[0x612000009fa0]{UNUSED}: (type=NONE) lchan activation failed (lchan allocation failed in state UNUSED: LCHAN_EV_TS_ERROR)
<000f> lchan_fsm.c:81 lchan(0-0-4-TCH_F-0)[0x61200000a120]{UNUSED}: (type=NONE) lchan allocation failed in state UNUSED: LCHAN_EV_TS_ERROR
<000f> lchan_fsm.c:145 lchan(0-0-4-TCH_F-0)[0x61200000a120]{UNUSED}: (type=NONE) lchan activation failed (lchan allocation failed in state UNUSED: LCHAN_EV_TS_ERROR)
<000f> lchan_fsm.c:81 lchan(0-0-5-TCH_F-0)[0x61200000a2a0]{UNUSED}: (type=NONE) lchan allocation failed in state UNUSED: LCHAN_EV_TS_ERROR
<000f> lchan_fsm.c:145 lchan(0-0-5-TCH_F-0)[0x61200000a2a0]{UNUSED}: (type=NONE) lchan activation failed (lchan allocation failed in state UNUSED: LCHAN_EV_TS_ERROR)
<000f> lchan_fsm.c:81 lchan(0-0-6-TCH_F-0)[0x61200000a420]{UNUSED}: (type=NONE) lchan allocation failed in state UNUSED: LCHAN_EV_TS_ERROR
<000f> lchan_fsm.c:145 lchan(0-0-6-TCH_F-0)[0x61200000a420]{UNUSED}: (type=NONE) lchan activation failed (lchan allocation failed in state UNUSED: LCHAN_EV_TS_ERROR)
<000f> lchan_fsm.c:81 lchan(0-0-7-TCH_F-0)[0x61200000a5a0]{UNUSED}: (type=NONE) lchan allocation failed in state UNUSED: LCHAN_EV_TS_ERROR
<000f> lchan_fsm.c:145 lchan(0-0-7-TCH_F-0)[0x61200000a5a0]{UNUSED}: (type=NONE) lchan activation failed (lchan allocation failed in state UNUSED: LCHAN_EV_TS_ERROR)
=================================================================
==11023==ERROR: AddressSanitizer: heap-use-after-free on address 0x615000001da0 at pc 0x7faedf41519a bp 0x7ffc715bc340 sp 0x7ffc715bc338
READ of size 8 at 0x615000001da0 thread T0
    #0 0x7faedf415199 in llist_empty ../include/osmocom/core/linuxlist.h:171
    #1 0x7faedf415199 in msgb_dequeue /space/home/laforge/projects/git/libosmocore/src/msgb.c:149
    #2 0x7faedf5ed9a7 in lapd_dl_flush_tx src/gsm/lapd_core.c:179
    #3 0x7faedf5ee65e in lapd_t200_cb src/gsm/lapd_core.c:630
    #4 0x7faedf40f2b6 in osmo_timers_update /space/home/laforge/projects/git/libosmocore/src/timer.c:273
    #5 0x7faedf412e72 in _osmo_select_main /space/home/laforge/projects/git/libosmocore/src/select.c:373
    #6 0x7faedf4134f8 in osmo_select_main_ctx /space/home/laforge/projects/git/libosmocore/src/select.c:434
    #7 0x55d45ac4f2f0 in main /space/home/laforge/projects/git/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:1001
    #8 0x7faede5bc09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #9 0x55d45ac502c9 in _start (/root/osmo-bsc+0x5d82c9)

0x615000001da0 is located 416 bytes inside of 504-byte region [0x615000001c00,0x615000001df8)
freed by thread T0 here:
    #0 0x7faedf736b6f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:123
    #1 0x7faedf6524d2 in _talloc_free (/lib/x86_64-linux-gnu/libtalloc.so.2+0x64d2)
    #2 0x7faedf303bc0 in send_dlsap input/lapd.c:664
    #3 0x7faedf5ee656 in send_dl_l3 src/gsm/lapd_core.c:408
    #4 0x7faedf5ee656 in send_dl_simple src/gsm/lapd_core.c:415
    #5 0x7faedf5ee656 in lapd_t200_cb src/gsm/lapd_core.c:628
    #6 0x7faedf40f2b6 in osmo_timers_update /space/home/laforge/projects/git/libosmocore/src/timer.c:273
    #7 0x7faedf412e72 in _osmo_select_main /space/home/laforge/projects/git/libosmocore/src/select.c:373
    #8 0x7faedf4134f8 in osmo_select_main_ctx /space/home/laforge/projects/git/libosmocore/src/select.c:434
    #9 0x55d45ac4f2f0 in main /space/home/laforge/projects/git/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:1001
    #10 0x7faede5bc09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #11 0x55d45ac502c9 in _start (/root/osmo-bsc+0x5d82c9)

previously allocated by thread T0 here:
    #0 0x7faedf736e8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x7faedf655140 in _talloc_zero (/lib/x86_64-linux-gnu/libtalloc.so.2+0x9140)
    #2 0x7faedf303c4a in lapd_sap_alloc input/lapd.c:245
    #3 0x7faedf304cfb in lapd_sap_start input/lapd.c:519
    #4 0x55d45add9f17 in start_sabm_in_line /space/home/laforge/projects/git/osmo-bsc/src/osmo-bsc/bts_ericsson_rbs2000.c:81
    #5 0x55d45adda898 in inp_sig_cb /space/home/laforge/projects/git/osmo-bsc/src/osmo-bsc/bts_ericsson_rbs2000.c:158
    #6 0x55d45adda898 in inp_sig_cb /space/home/laforge/projects/git/osmo-bsc/src/osmo-bsc/bts_ericsson_rbs2000.c:109
    #7 0x7faedf4149bc in osmo_signal_dispatch /space/home/laforge/projects/git/libosmocore/src/signal.c:118
    #8 0x7faedf2fc318 in e1inp_line_update src/e1_input.c:887
    #9 0x55d45ae08184 in e1_reconfig_bts /space/home/laforge/projects/git/osmo-bsc/src/osmo-bsc/e1_config.c:206
    #10 0x55d45ac4e246 in bsc_network_configure /space/home/laforge/projects/git/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:550
    #11 0x55d45ac4e246 in main /space/home/laforge/projects/git/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:916
    #12 0x7faede5bc09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #13 0x55d45ac502c9 in _start (/root/osmo-bsc+0x5d82c9)

The problem is that lapd_core first sends the PRIM_DL_REL.ind up the stack, and afterwards still wants to access the datalink. We must always first perform any operations on the datalink before dispatching the primitive to the user. Afterwards the datalink might no longer be around.
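
The ordering problem described in this comment, as an added C example that is not code from libosmocore or osmo-bsc: a toy datalink whose user callback tears the object down as soon as it receives DL-RELEASE, with the primitive-first ordering beside the datalink-first ordering. All names (datalink, t200_expired_unsafe, t200_expired_safe, run_release_scenario, the quarantine flag) are hypothetical; the quarantine flag and touch counter are constructed instrumentation standing in for what AddressSanitizer's quarantine reports as heap-use-after-free, so the program stays well-defined while still making the bad access visible.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Minimal model of a LAPD datalink: a tx queue, a state, and a callback
 * through which primitives (DL-RELEASE indication here) reach the user.
 * Hypothetical names; this is not libosmocore's lapd_core API. */
enum dl_state { DL_STATE_IDLE = 0, DL_STATE_DISC_SENT = 1 };
enum dl_prim  { PRIM_DL_REL_IND = 1 };

struct tx_msg { struct tx_msg *next; };
struct datalink;
typedef void (*user_cb_t)(struct datalink *dl, enum dl_prim prim);

struct datalink {
	enum dl_state state;
	struct tx_msg *tx_queue;
	user_cb_t user_cb;
	bool quarantined;	/* constructed: stands in for "memory has been freed" */
};

/* Constructed instrumentation: instead of free(), mark the object and count
 * every later touch, the way ASan's quarantine catches use-after-free. */
static int uaf_touches;

static struct datalink *dl_touch(struct datalink *dl)
{
	if (dl->quarantined)
		uaf_touches++;
	return dl;
}

/* The user's handler: like the SAP owner above it, it tears the datalink
 * down as soon as it sees DL-RELEASE. */
static void user_rel_handler(struct datalink *dl, enum dl_prim prim)
{
	if (prim == PRIM_DL_REL_IND)
		dl->quarantined = true;
}

static void dl_flush_tx(struct datalink *dl)
{
	dl_touch(dl);
	while (dl->tx_queue) {
		struct tx_msg *m = dl->tx_queue;
		dl->tx_queue = m->next;
		free(m);
	}
}

static void dl_newstate(struct datalink *dl, enum dl_state st)
{
	dl_touch(dl)->state = st;
}

/* Ordering as described in the ticket: primitive first, datalink work after. */
static void t200_expired_unsafe(struct datalink *dl)
{
	dl->user_cb(dl, PRIM_DL_REL_IND);	/* user may free dl here ... */
	dl_flush_tx(dl);			/* ... so these touch freed memory */
	dl_newstate(dl, DL_STATE_IDLE);
}

/* Corrected ordering: finish every operation on the datalink, hand the
 * primitive to the user last, and never touch dl afterwards. */
static void t200_expired_safe(struct datalink *dl)
{
	dl_flush_tx(dl);
	dl_newstate(dl, DL_STATE_IDLE);
	dl->user_cb(dl, PRIM_DL_REL_IND);
	/* dl is no longer ours past this point */
}

/* Runs one scenario with two queued messages and returns the number of
 * accesses that hit the released datalink (0 means no use-after-free). */
int run_release_scenario(bool safe_order)
{
	struct datalink dl = { .state = DL_STATE_DISC_SENT, .user_cb = user_rel_handler };
	for (int i = 0; i < 2; i++) {
		struct tx_msg *m = calloc(1, sizeof(*m));
		m->next = dl.tx_queue;
		dl.tx_queue = m;
	}
	uaf_touches = 0;
	if (safe_order)
		t200_expired_safe(&dl);
	else
		t200_expired_unsafe(&dl);
	return uaf_touches;
}

int main(void)
{
	printf("primitive-first ordering: %d accesses after release\n", run_release_scenario(false));
	printf("datalink-first ordering:  %d accesses after release\n", run_release_scenario(true));
	return 0;
}
```

run_release_scenario(false) reports two accesses to the released datalink (the tx flush and the state change, the same two steps the ASan trace above shows running after send_dlsap freed the SAP), while run_release_scenario(true) reports none. The rule is the one stated in the comment: complete every operation on the datalink, dispatch the primitive last, and treat the pointer as invalid once the user has seen it.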

Actions #8

Updated by laforge almost 3 years ago

  • Category set to libosmogsm