Bug #3975 (closed)
osmo-bsc crash during startup with nokia insite
Description
After issuing the reset of the BTS, something goes wrong.
Relevant end of the log:
<0004> bts_nokia_site.c:1693 ABIS_OM_MDISC_FOM
<0004> bts_nokia_site.c:1521 (0x81) NOKIA_BTS_ACK
<0004> bts_nokia_site.c:1553 ACK = 1
<0014> input/lapd.c:541 LAPD DL-RELEASE request TEI=1 SAPI=62
<0014> lapd_core.c:2243 Message DL-RELEASE-REQUEST received in state LAPD_STATE_MF_EST (dl=0x91171c8)
<0014> lapd_core.c:2083 perform local release (dl=0x91171c8)
<0014> lapd_core.c:237 new state LAPD_STATE_MF_EST -> LAPD_STATE_IDLE (dl=0x91171c8)
<0014> lapd_core.c:230 stop T203 (dl=0x91171c8)
<0014> input/lapd.c:656 LAPD DL-RELEASE confirm TEI=1 SAPI=62
<0014> input/lapd.c:274 LAPD Freeing SAP for SAPI=62 / TEI=1 (dl=0x91171c8, sap=0x91171b8)
<0014> lapd_core.c:310 Resetting LAPDm instance
<0014> lapd_core.c:237 new state LAPD_STATE_IDLE -> LAPD_STATE_IDLE (dl=0x91171c8)
<0014> lapd_core.c:237 new state LAPD_STATE_IDLE -> LAPD_STATE_NULL (dl=0x91171c8)
<0014> lapd_core.c:1681 we are busy, send RNR (dl=0x91171c8)
Segmentation fault
So right after freeing the SAP, we try to send a RNR on the dl that was just freed, so obviously this doesn't work out ...
I couldn't really generate a backtrace, gdb didn't give anything meaningful even on a binary with debug symbols.
Related issues
Updated by laforge almost 5 years ago
On Sat, May 04, 2019 at 11:14:10AM +0000, tnt [REDMINE] wrote:
> So right after freeing the SAP, we try to send a RNR on the dl that was just freed so obviously this doesn't work out ...
The RNR is generated from the lapd_rx_i() function, which seems to suggest we receive an I frame on a LAPD instance (dl) that had just been free'd?
Updated by tnt almost 5 years ago
With breakpoints I captured that during the same call chain to process the received LAPD message, we first free the SAP instance and a bit later we try to send a RNR over it.
lapd_core.c:1604 - This will trigger the SAP release
lapd_core.c:1683 - This tries to send a RNR
Breakpoint 1, lapd_sap_free (sap=0x822f1b8) at input/lapd.c:271
warning: Source file is more recent than executable.
271 {
(gdb) bt
#0  lapd_sap_free (sap=0x822f1b8) at input/lapd.c:271
#1  0xb7f09200 in send_dlsap (dp=0xbfffe640, lctx=0x822f1ec) at input/lapd.c:659
#2  0xb7f69448 in send_dl_l3 (msg=0x0, op=3 '\003', prim=3 '\003', lctx=0x822f1ec) at lapd_core.c:375
#3  send_dl_simple (lctx=0x822f1ec, op=3 '\003', prim=3 '\003') at lapd_core.c:382
#4  lapd_rel_req (dp=0xbfffe72c, lctx=0x822f1ec) at lapd_core.c:2095
#5  0xb7f6e51a in lapd_recv_dlsap (dp=dp@entry=0xbfffe72c, lctx=lctx@entry=0x822f1ec) at lapd_core.c:2247
#6  0xb7f0a6e9 in lapd_sap_stop (li=0x822f098, tei=1 '\001', sapi=62 '>') at input/lapd.c:551
#7  0x08084eb3 in start_sabm_in_line (line=0x822f688, start=start@entry=0, sapi=sapi@entry=-1) at bts_nokia_site.c:119
#8  0x08086035 in abis_nm_rcvmsg_fom (mb=mb@entry=0x825ff38) at bts_nokia_site.c:1595
#9  0x0808672f in abis_nokia_rcvmsg (msg=0x825ff38) at bts_nokia_site.c:1694
#10 0xb7efeca4 in e1inp_rx_ts (ts=ts@entry=0x8230758, msg=msg@entry=0x825ff38, tei=tei@entry=1 '\001', sapi=sapi@entry=62 '>') at e1_input.c:598
#11 0xb7eff28a in e1inp_dlsap_up (dp=0xbffff290, tei=1 '\001', sapi=62 '>', rx_cbdata=0x8230758) at e1_input.c:681
#12 0xb7f0913e in send_dlsap (dp=0xbffff290, lctx=0xbffff324) at input/lapd.c:666
#13 0xb7f6df86 in send_dl_l3 (msg=0x825ff38, lctx=0xbffff324, op=2 '\002', prim=1 '\001') at lapd_core.c:375
#14 lapd_rx_i (lctx=0xbffff324, msg=0x825ff38) at lapd_core.c:1604
#15 lapd_ph_data_ind (msg=msg@entry=0x825ff38, lctx=lctx@entry=0xbffff324) at lapd_core.c:1708
#16 0xb7f09b65 in lapd_receive (li=0x822f098, msg=msg@entry=0x825ff38, error=error@entry=0xbffff3ac) at input/lapd.c:491
#17 0xb7eff39b in e1inp_rx_ts_lapd (e1i_ts=e1i_ts@entry=0x8230758, msg=msg@entry=0x825ff38) at e1_input.c:642
#18 0xb7f038c7 in handle_ts1_read (bfd=0x8230cc4) at input/dahdi.c:193
#19 dahdi_fd_cb (bfd=0x8230cc4, what=1) at input/dahdi.c:496
#20 0xb7f21baf in osmo_fd_disp_fds (_eset=0xbffff570, _wset=0xbffff4f0, _rset=0xbffff470) at select.c:223
#21 osmo_select_main (polling=polling@entry=0) at select.c:263
#22 0x0804f72c in main (argc=4, argv=0xbffff704) at osmo_bsc_main.c:952
(gdb) b lapd_send_rnr
Breakpoint 2 at 0xb7f6a690: file lapd_core.c, line 468.
(gdb) c
Continuing.
<0014> input/lapd.c:274 LAPD Freeing SAP for SAPI=62 / TEI=1 (dl=0x822f1c8, sap=0x822f1b8)
<0014> lapd_core.c:310 Resetting LAPDm instance
<0014> lapd_core.c:237 new state LAPD_STATE_IDLE -> LAPD_STATE_IDLE (dl=0x822f1c8)
<0014> lapd_core.c:237 new state LAPD_STATE_IDLE -> LAPD_STATE_NULL (dl=0x822f1c8)
<0014> lapd_core.c:1681 we are busy, send RNR2 (dl=0x822f1c8)
Breakpoint 2, lapd_send_rnr (lctx=lctx@entry=0xbffff324, f_bit=f_bit@entry=0 '\000', cmd=cmd@entry=0 '\000') at lapd_core.c:468
468 {
(gdb) bt
#0  lapd_send_rnr (lctx=lctx@entry=0xbffff324, f_bit=f_bit@entry=0 '\000', cmd=cmd@entry=0 '\000') at lapd_core.c:468
#1  0xb7f6d3bf in lapd_rx_i (lctx=0xbffff324, msg=0x825ff38) at lapd_core.c:1683
#2  lapd_ph_data_ind (msg=msg@entry=0x825ff38, lctx=lctx@entry=0xbffff324) at lapd_core.c:1708
#3  0xb7f09b65 in lapd_receive (li=0x822f098, msg=msg@entry=0x825ff38, error=error@entry=0xbffff3ac) at input/lapd.c:491
#4  0xb7eff39b in e1inp_rx_ts_lapd (e1i_ts=e1i_ts@entry=0x8230758, msg=msg@entry=0x825ff38) at e1_input.c:642
#5  0xb7f038c7 in handle_ts1_read (bfd=0x8230cc4) at input/dahdi.c:193
#6  dahdi_fd_cb (bfd=0x8230cc4, what=1) at input/dahdi.c:496
#7  0xb7f21baf in osmo_fd_disp_fds (_eset=0xbffff570, _wset=0xbffff4f0, _rset=0xbffff470) at select.c:223
#8  osmo_select_main (polling=polling@entry=0) at select.c:263
#9  0x0804f72c in main (argc=4, argv=0xbffff704) at osmo_bsc_main.c:952
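The two backtraces above show the general shape of this bug class: a receive path hands a frame to the upper layer (frame #14 lapd_rx_i -> send_dl_l3), the upper layer tears the link down from inside that call (frame #6 lapd_sap_stop -> ... -> lapd_sap_free), and control then returns into the receive path, which still holds a pointer to the context and sends an RNR on it. The following is an added illustration, not libosmo-abis code and not the fix applied for this ticket. It models the data-link context as a small hypothetical `struct dl_ctx`, replaces the real free() with a `released` flag so the scenario can run under a test instead of crashing, and contrasts a receive path that keeps using the context after upward delivery with one that re-checks the link state first. All names (`dl_ctx`, `rx_i_frame_unchecked`, `rx_i_frame_checked`, `l3_release_on_rx`, `rnr_count_after_release`) are invented for this example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of a LAPD data-link context. Not libosmo-abis code:
 * the real structure is reduced to a few fields, and an actual free() is
 * replaced by a 'released' flag so the scenario is observable in a test. */
struct dl_ctx {
    bool busy;      /* receiver-not-ready condition that triggers an RNR */
    bool released;  /* set once the upper layer has released the link */
    int rnr_sent;   /* number of RNR frames sent on this link */
};

/* Upper-layer (L3) handler invoked with the payload of a received I-frame. */
typedef void (*l3_rx_cb)(struct dl_ctx *dl);

/* Stand-in for the link-layer release primitive (the real one frees). */
static void dl_release(struct dl_ctx *dl)
{
    dl->released = true;
}

/* Stand-in for lapd_send_rnr(): only records that an RNR went out. */
static void dl_send_rnr(struct dl_ctx *dl)
{
    dl->rnr_sent++;
}

/* Upper layer that reacts to the frame by tearing the link down from inside
 * the receive path, mirroring the first backtrace in this ticket. */
static void l3_release_on_rx(struct dl_ctx *dl)
{
    dl_release(dl);
}

/* Upper layer that simply consumes the frame and keeps the link. */
static void l3_consume(struct dl_ctx *dl)
{
    (void)dl;
}

/* Receive path as described in the report: deliver the frame upward, then
 * keep using the context for flow control. With a real free() inside
 * dl_release() the RNR would be sent on freed memory. */
int rx_i_frame_unchecked(struct dl_ctx *dl, l3_rx_cb l3)
{
    l3(dl);
    if (dl->busy)
        dl_send_rnr(dl);
    return 0;
}

/* Hardened receive path: treat the upward delivery as a point after which
 * the context may no longer be valid, and re-check before touching it. */
int rx_i_frame_checked(struct dl_ctx *dl, l3_rx_cb l3)
{
    l3(dl);
    if (dl->released)
        return -1;        /* link gone: nothing more may be sent on it */
    if (dl->busy)
        dl_send_rnr(dl);
    return 0;
}

/* Scenario: busy receiver, upper layer releases the link during delivery.
 * Returns how many RNRs were sent after the release. */
int rnr_count_after_release(bool checked)
{
    struct dl_ctx dl = { .busy = true, .released = false, .rnr_sent = 0 };
    if (checked)
        rx_i_frame_checked(&dl, l3_release_on_rx);
    else
        rx_i_frame_unchecked(&dl, l3_release_on_rx);
    return dl.rnr_sent;
}

/* Same scenario with an upper layer that keeps the link: both paths send
 * exactly one RNR, so the guard does not alter normal flow control. */
int rnr_count_link_kept(bool checked)
{
    struct dl_ctx dl = { .busy = true, .released = false, .rnr_sent = 0 };
    if (checked)
        rx_i_frame_checked(&dl, l3_consume);
    else
        rx_i_frame_unchecked(&dl, l3_consume);
    return dl.rnr_sent;
}

int main(void)
{
    printf("unchecked, link released during rx: %d RNR sent on a dead link\n",
           rnr_count_after_release(false));
    printf("checked,   link released during rx: %d RNR sent\n",
           rnr_count_after_release(true));
    return 0;
}
```

A flag check like `dl->released` only helps if the memory behind the context is still valid when the receive path looks at it, for instance because teardown is deferred until the receive path has unwound or because the delivery step returns a status meaning "context gone". When the callee really does free the context, the caller must learn that from a return value rather than from the freed object. For the real binary, where gdb gave no usable backtrace, building with `-fsanitize=address` or running under valgrind reports the first access to freed memory together with the stack that freed it, which pinpoints exactly the pair of call sites tnt found with breakpoints.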
Updated by tnt almost 5 years ago
- Related to Bug #1761: LAPD: segfault when bootstrapping Nokia InSite added
Updated by laforge almost 4 years ago
- Related to Feature #4514: OM2000 Support for Ericsson RBS6000 / DUG 20 added