Bug #3976
closedosmo-bsc: heap-use-after-free upon MGW CRCX failure response
0%
Description
While testing osmux related stuff (WIP), osmo-mgw sometimes sends a 400 FAIL message (because it's WIP, I know why but it's no related to this issue).
When that happens, osmo-bsc ends up in a heap-use-after-free catched by ASan.
That happens after last patches merged in osmo-mgw/osmo-bsc related to osmo-msc handover afaik.
20190506125305537 DCHAN <0010> /git/osmo-bsc/src/osmo-bsc/abis_rsl.c:1130 lchan(0-0-0-CCCH_SDCCH4-0)[0x612000004720]{ESTABLISHED}: (type=SDCCH) Rx MEAS_RES 20190506125305537 DRSL <0003> /git/osmo-bsc/src/osmo-bsc/abis_rsl.c:1060 (bts=0,trx=0,ts=0,ss=0): meas_rep_count++=2 meas_rep_last_seen_nr=1 20190506125305537 DMEAS <0006> /git/osmo-bsc/src/osmo-bsc/abis_rsl.c:931 [(bts=0,trx=0,ts=0,ss=0)] MEASUREMENT RESULT NR=1 RXL-FULL-ul=-54dBm RXL-SUB-ul=-54dBm RXQ-FULL-ul=0 RXQ-SUB-ul=0 BS_POWER=0 MS_TO=0 L1_MS_PWR= 16dBm L1_FPC=0 L1_TA=0 BA1 RXL-FULL-dl=-48dBm RXL-SUB-dl=-48dBm RXQ-FULL-dl=0 RXQ-SUB-dl=0 NUM_NEIGH=0 20190506125305712 DPAG <0005> /git/osmo-bsc/src/osmo-bsc/paging.c:90 (bts=0) Going to send paging commands: imsi: 901700000015254 tmsi: 0x225bbbe1 for ch. type 0 (attempt 0) 20190506125305712 DLMI <0017> /git/libosmo-abis/src/input/ipaccess.c:356 TX 2: 0c 15 01 90 0e 04 0c 05 f4 22 5b bb e1 28 00 20190506125305964 DLMI <0017> /git/libosmo-abis/src/input/ipaccess.c:251 RX 2: 02 06 01 09 02 00 20190506125305964 DCHAN <0010> /git/osmo-bsc/src/osmo-bsc/abis_rsl.c:1603 lchan(0-0-1-TCH_F-0)[0x612000004d20]{WAIT_RLL_RTP_ESTABLISH}: (type=TCH_F) SAPI=0 ESTABLISH INDICATION 20190506125305964 DCHAN <0010> /git/osmo-bsc/src/osmo-bsc/abis_rsl.c:1636 lchan(0-0-1-TCH_F-0)[0x612000004d20]{WAIT_RLL_RTP_ESTABLISH}: Received Event LCHAN_EV_RLL_ESTABLISH_IND 20190506125305964 DCHAN <0010> /git/osmo-bsc/src/osmo-bsc/lchan_fsm.c:803 lchan(0-0-1-TCH_F-0)[0x612000004d20]{WAIT_RLL_RTP_ESTABLISH}: state_chg to ESTABLISHED 20190506125305964 DAS <0012> /git/osmo-bsc/src/osmo-bsc/lchan_fsm.c:178 assignment(conn2_0-0-1-TCH_F-0)[0x612000005da0]{WAIT_RR_ASS_COMPLETE}: Received Event ASSIGNMENT_EV_LCHAN_ESTABLISHED 20190506125305964 DAS <0012> /git/osmo-bsc/src/osmo-bsc/assignment_fsm.c:559 assignment(conn2_0-0-1-TCH_F-0)[0x612000005da0]{WAIT_RR_ASS_COMPLETE}: (bts=0,trx=0,ts=1,ss=0) lchan established, still waiting for RR Assignment Complete 20190506125306141 DLMI <0017> /git/libosmo-abis/src/input/ipaccess.c:251 RX 2: 02 06 01 09 02 00 20190506125306141 DCHAN <0010> /git/osmo-bsc/src/osmo-bsc/abis_rsl.c:1603 lchan(0-0-1-TCH_F-0)[0x612000004d20]{ESTABLISHED}: (type=TCH_F) SAPI=0 ESTABLISH INDICATION 20190506125306141 DCHAN <0010> /git/osmo-bsc/src/osmo-bsc/abis_rsl.c:1636 lchan(0-0-1-TCH_F-0)[0x612000004d20]{ESTABLISHED}: Received Event LCHAN_EV_RLL_ESTABLISH_IND 20190506125306202 DLMI <0017> /git/libosmo-abis/src/input/ipaccess.c:251 RX 2: 03 02 01 09 02 00 0b 00 03 06 29 00 20190506125306202 DCHAN <0010> /git/osmo-bsc/src/osmo-bsc/abis_rsl.c:1594 lchan(0-0-1-TCH_F-0)[0x612000004d20]{ESTABLISHED}: (type=TCH_F) SAPI=0 DATA INDICATION 20190506125306202 DCHAN <0010> /git/osmo-bsc/src/osmo-bsc/gsm_04_08_rr.c:908 lchan(0-0-1-TCH_F-0)[0x612000004d20]{ESTABLISHED}: (type=TCH_F) Rx ASSIGNMENT COMPLETE 20190506125306202 DAS <0012> /git/osmo-bsc/src/osmo-bsc/gsm_04_08_rr.c:946 assignment(conn2_0-0-1-TCH_F-0)[0x612000005da0]{WAIT_RR_ASS_COMPLETE}: Received Event ASSIGNMENT_EV_RR_ASSIGNMENT_COMPLETE 20190506125306202 DAS <0012> /git/osmo-bsc/src/osmo-bsc/assignment_fsm.c:555 assignment(conn2_0-0-1-TCH_F-0)[0x612000005da0]{WAIT_RR_ASS_COMPLETE}: state_chg to WAIT_LCHAN_ESTABLISHED 20190506125306202 DAS <0012> /git/osmo-bsc/src/osmo-bsc/assignment_fsm.c:581 assignment(conn2_0-0-1-TCH_F-0)[0x612000005da0]{WAIT_LCHAN_ESTABLISHED}: (bts=0,trx=0,ts=1,ss=0) lchan fully established, no need to wait 20190506125306202 DAS <0012> /git/osmo-bsc/src/osmo-bsc/assignment_fsm.c:603 assignment(conn2_0-0-1-TCH_F-0)[0x612000005da0]{WAIT_LCHAN_ESTABLISHED}: state_chg to WAIT_MGW_ENDPOINT_TO_MSC 20190506125306202 DAS <0012> /git/osmo-bsc/src/osmo-bsc/assignment_fsm.c:617 assignment(conn2_0-0-1-TCH_F-0)[0x612000005da0]{WAIT_MGW_ENDPOINT_TO_MSC}: (bts=0,trx=0,ts=1,ss=0) Connecting MGW endpoint to the MSC's RTP port: 192.168.30.1:4010 20190506125306202 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:576 mgw-endpoint(conn2)[0x6120000060a0]{IN_USE}: rtpbridge/2@mgw CI[1] to-MSC: CRCX: notify=assignment(conn2_0-0-1-TCH_F-0)[0x612000005da0] 20190506125306202 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:623 mgw-endpoint(conn2)[0x6120000060a0]{IN_USE}: rtpbridge/2@mgw CI[1] to-MSC: CRCX 192.168.30.1:4010: Scheduling 20190506125306202 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:626 mgw-endpoint(conn2)[0x6120000060a0]{IN_USE}: state_chg to WAIT_MGW_RESPONSE 20190506125306202 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:646 mgw-endpoint(conn2)[0x6120000060a0]{WAIT_MGW_RESPONSE}: rtpbridge/2@mgw CI[1] to-MSC: CRCX 192.168.30.1:4010: Sending 20190506125306202 DRLL <0000> /git/libosmocore/src/fsm.c:423 MGCP_CONN(conn2)[0x6120000063a0]{ST_CRCX}: Allocated 20190506125306202 DRLL <0000> /git/libosmocore/src/fsm.c:453 MGCP_CONN(conn2)[0x6120000063a0]{ST_CRCX}: is child of mgw-endpoint(conn2)[0x6120000060a0] 20190506125306203 DRLL <0000> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_fsm.c:627 MGCP_CONN(conn2)[0x6120000063a0]{ST_CRCX}: Received Event EV_CRCX 20190506125306203 DRLL <0000> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_fsm.c:215 MGCP_CONN(conn2)[0x6120000063a0]{ST_CRCX}: MGW/CRCX: creating connection on MGW endpoint:rtpbridge/2@mgw... 20190506125306203 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client.c:960 Queued 172 bytes for MGCP GW 20190506125306203 DRLL <0000> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_fsm.c:233 MGCP_CONN(conn2)[0x6120000063a0]{ST_CRCX}: state_chg to ST_CRCX_RESP 20190506125306203 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:798 mgw-endpoint(conn2)[0x6120000060a0]{WAIT_MGW_RESPONSE}: rtpbridge/2@mgw Sent messages: 1 20190506125306203 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:724 mgw-endpoint(conn2)[0x6120000060a0]{WAIT_MGW_RESPONSE}: rtpbridge/2@mgw CI[0] to-BTS CI=8894D491: MDCX 192.168.30.1:16384: done (rtpbridge/2@mgw:192.168.30.1:4014) 20190506125306203 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:722 mgw-endpoint(conn2)[0x6120000060a0]{WAIT_MGW_RESPONSE}: rtpbridge/2@mgw CI[1] to-MSC: CRCX 192.168.30.1:4010: waiting for response 20190506125306203 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:742 mgw-endpoint(conn2)[0x6120000060a0]{WAIT_MGW_RESPONSE}: rtpbridge/2@mgw CI in use: 2, waiting for response: 1 20190506125306203 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client.c:724 Tx MGCP: r=192.168.30.1:2427<->l=192.168.30.1:2727: len=172 'CRCX 3 rtpbridge/2@mgw MGCP 1.0\r\nC: 2\r\nM: '... 20190506125306204 DRLL <0000> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_fsm.c:263 MGCP_CONN(to-MSC)[0x6120000063a0]{ST_CRCX_RESP}: MGW/CRCX: response yields error: 400 FAIL <---------- HERE!!!!!! 20190506125306204 DRLL <0000> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_fsm.c:264 MGCP_CONN(to-MSC)[0x6120000063a0]{ST_CRCX_RESP}: Terminating (cause = OSMO_FSM_TERM_ERROR) 20190506125306204 DRLL <0000> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_fsm.c:264 MGCP_CONN(to-MSC)[0x6120000063a0]{ST_CRCX_RESP}: Removing from parent mgw-endpoint(conn2)[0x6120000060a0] 20190506125306204 DRLL <0000> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_fsm.c:264 MGCP_CONN(to-MSC)[0x6120000063a0]{ST_CRCX_RESP}: Freeing instance 20190506125306204 DRLL <0000> /git/libosmocore/src/fsm.c:535 MGCP_CONN(to-MSC)[0x6120000063a0]{ST_CRCX_RESP}: Deallocated 20190506125306204 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_fsm.c:264 mgw-endpoint(conn2)[0x6120000060a0]{WAIT_MGW_RESPONSE}: Received Event MGW Response for CI #1 20190506125306204 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:724 mgw-endpoint(conn2)[0x6120000060a0]{WAIT_MGW_RESPONSE}: rtpbridge/2@mgw CI[0] to-BTS CI=8894D491: MDCX 192.168.30.1:16384: done (rtpbridge/2@mgw:192.168.30.1:4014) 20190506125306204 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:742 mgw-endpoint(conn2)[0x6120000060a0]{WAIT_MGW_RESPONSE}: rtpbridge/2@mgw CI in use: 1, waiting for response: 0 20190506125306204 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:753 mgw-endpoint(conn2)[0x6120000060a0]{WAIT_MGW_RESPONSE}: state_chg to IN_USE 20190506125306204 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:724 mgw-endpoint(conn2)[0x6120000060a0]{IN_USE}: rtpbridge/2@mgw CI[0] to-BTS CI=8894D491: MDCX 192.168.30.1:16384: done (rtpbridge/2@mgw:192.168.30.1:4014) 20190506125306204 DAS <0012> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:374 assignment(conn2_0-0-1-TCH_F-0)[0x612000005da0]{WAIT_MGW_ENDPOINT_TO_MSC}: Received Event ASSIGNMENT_EV_MSC_MGW_FAIL 20190506125306204 DAS <0012> /git/osmo-bsc/src/osmo-bsc/assignment_fsm.c:658 assignment(conn2_0-0-1-TCH_F-0)[0x612000005da0]{WAIT_MGW_ENDPOINT_TO_MSC}: (bts=0,trx=0,ts=1,ss=0) Assignment failed in state WAIT_MGW_ENDPOINT_TO_MSC, cause EQUIPMENT FAILURE: Unable to connect MGW endpoint to the MSC side 20190506125306204 DAS <0012> /git/osmo-bsc/src/osmo-bsc/assignment_fsm.c:658 assignment(conn2_0-0-1-TCH_F-0)[0x612000005da0]{WAIT_MGW_ENDPOINT_TO_MSC}: (bts=0,trx=0,ts=1,ss=0) incrementing rate counter: assignment:error Assigment failed for other reason. 20190506125306204 DMSC <0007> /git/osmo-bsc/src/osmo-bsc/osmo_bsc_sigtran.c:386 Tx MSC: BSSMAP: ASSIGNMENT FAIL 20190506125306204 DMSC <0007> /git/osmo-bsc/src/osmo-bsc/osmo_bsc_sigtran.c:409 Sending connection (id=2) oriented data to MSC: RI=SSN_PC,PC=0.23.1,SSN=BSSAP (00 04 03 04 01 20 ) 20190506125306204 DLSCCP <0020> /git/libosmo-sccp/src/sccp_scoc.c:1711 Received SCCP User Primitive (N-DATA.request) 20190506125306204 DLSCCP <0020> /git/libosmo-sccp/src/sccp_scoc.c:1751 SCCP-SCOC(2)[0x612000005c20]{ACTIVE}: Received Event N-DATA.req 20190506125306205 DLSS7 <001f> /git/libosmo-sccp/src/sccp_scrc.c:398 sccp_scrc_rx_scoc_conn_msg: HDR=(CO:CODT,V=0,LEN=0), PART(T=Routing Context,L=4,D=00000000), PART(T=Destination Reference,L=4,D=00000004), PART(T=Data,L=6,D=000403040120) 20190506125306205 DLSS7 <001f> /git/libosmo-sccp/src/osmo_ss7_hmrt.c:278 m3ua_hmdc_rx_from_l2(): dpc=185=0.23.1 not local, message is for routing 20190506125306205 DLSS7 <001f> /git/libosmo-sccp/src/osmo_ss7_hmrt.c:227 Found route for dpc=185=0.23.1: pc=0=0.0.0 mask=0x0=0.0.0 via AS as-clnt-msc-0 proto=m3ua 20190506125306205 DLSS7 <001f> /git/libosmo-sccp/src/osmo_ss7_hmrt.c:233 rt->dest.as proto is M3UA for dpc=185=0.23.1 20190506125306205 DLSS7 <001f> /git/libosmo-sccp/src/m3ua.c:507 XUA_AS(as-clnt-msc-0)[0x612000003e20]{AS_ACTIVE}: Received Event AS-TRANSFER.req 20190506125306205 DAS <0012> /git/osmo-bsc/src/osmo-bsc/assignment_fsm.c:126 assignment(conn2_0-0-1-TCH_F-0)[0x612000005da0]{WAIT_MGW_ENDPOINT_TO_MSC}: (bts=0,trx=0,ts=1,ss=0) Assignment failed 20190506125306205 DAS <0012> /git/osmo-bsc/src/osmo-bsc/assignment_fsm.c:127 assignment(conn2_0-0-1-TCH_F-0)[0x612000005da0]{WAIT_MGW_ENDPOINT_TO_MSC}: Terminating (cause = OSMO_FSM_TERM_ERROR) 20190506125306205 DAS <0012> /git/osmo-bsc/src/osmo-bsc/assignment_fsm.c:127 assignment(conn2_0-0-1-TCH_F-0)[0x612000005da0]{WAIT_MGW_ENDPOINT_TO_MSC}: Removing from parent SUBSCR_CONN(conn2)[0x612000005920] 20190506125306205 DCHAN <0010> /git/osmo-bsc/src/osmo-bsc/lchan_fsm.c:1350 lchan_rtp(0-0-1-TCH_F-0)[0x612000005f20]{READY}: Received Event LCHAN_RTP_EV_ROLLBACK 20190506125306205 DCHAN <0010> /git/osmo-bsc/src/osmo-bsc/lchan_rtp_fsm.c:506 lchan_rtp(0-0-1-TCH_F-0)[0x612000005f20]{READY}: state_chg to ROLLBACK 20190506125306205 DCHAN <0010> /git/osmo-bsc/src/osmo-bsc/lchan_rtp_fsm.c:520 lchan_rtp(0-0-1-TCH_F-0)[0x612000005f20]{ROLLBACK}: Terminating (cause = OSMO_FSM_TERM_REQUEST) 20190506125306205 DCHAN <0010> /git/osmo-bsc/src/osmo-bsc/lchan_rtp_fsm.c:520 lchan_rtp(0-0-1-TCH_F-0)[0x612000005f20]{ROLLBACK}: Removing from parent lchan(0-0-1-TCH_F-0)[0x612000004d20] 20190506125306205 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:576 mgw-endpoint(conn2)[0x6120000060a0]{IN_USE}: rtpbridge/2@mgw CI[0] to-BTS CI=8894D491: DLCX: notify=NULL 20190506125306205 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:623 mgw-endpoint(conn2)[0x6120000060a0]{IN_USE}: rtpbridge/2@mgw CI[0] to-BTS CI=8894D491: DLCX: Scheduling 20190506125306205 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:626 mgw-endpoint(conn2)[0x6120000060a0]{IN_USE}: state_chg to WAIT_MGW_RESPONSE 20190506125306205 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:673 mgw-endpoint(conn2)[0x6120000060a0]{WAIT_MGW_RESPONSE}: rtpbridge/2@mgw CI[0] to-BTS CI=8894D491: Sending MGCP: DLCX 8894D491 20190506125306205 DRLL <0000> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_fsm.c:711 MGCP_CONN(to-BTS)[0x612000006220]{ST_READY}: Received Event EV_DLCX 20190506125306206 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client.c:960 Queued 52 bytes for MGCP GW 20190506125306207 DRLL <0000> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_fsm.c:372 MGCP_CONN(to-BTS)[0x612000006220]{ST_READY}: state_chg to ST_DLCX_RESP 20190506125306207 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:798 mgw-endpoint(conn2)[0x6120000060a0]{WAIT_MGW_RESPONSE}: rtpbridge/2@mgw Sent messages: 1 20190506125306207 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:742 mgw-endpoint(conn2)[0x6120000060a0]{WAIT_MGW_RESPONSE}: rtpbridge/2@mgw CI in use: 0, waiting for response: 0 20190506125306207 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:747 mgw-endpoint(conn2)[0x6120000060a0]{WAIT_MGW_RESPONSE}: Terminating (cause = OSMO_FSM_TERM_REGULAR) 20190506125306207 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:747 mgw-endpoint(conn2)[0x6120000060a0]{WAIT_MGW_RESPONSE}: Removing from parent SUBSCR_CONN(conn2)[0x612000005920] 20190506125306207 DLMGCP <0023> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:747 mgw-endpoint(conn2)[0x6120000060a0]{WAIT_MGW_RESPONSE}: Freeing instance 20190506125306207 DLMGCP <0023> /git/libosmocore/src/fsm.c:535 mgw-endpoint(conn2)[0x6120000060a0]{WAIT_MGW_RESPONSE}: Deallocated 20190506125306207 DMSC <0007> /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:747 SUBSCR_CONN(conn2)[0x612000005920]{ASSIGNMENT}: Received Event FORGET_MGW_ENDPOINT 20190506125306207 DCHAN <0010> /git/osmo-bsc/src/osmo-bsc/lchan_rtp_fsm.c:520 lchan_rtp(0-0-1-TCH_F-0)[0x612000005f20]{ROLLBACK}: Freeing instance 20190506125306207 DCHAN <0010> /git/libosmocore/src/fsm.c:535 lchan_rtp(0-0-1-TCH_F-0)[0x612000005f20]{ROLLBACK}: Deallocated 20190506125306207 DCHAN <0010> /git/osmo-bsc/src/osmo-bsc/lchan_rtp_fsm.c:520 lchan(0-0-1-TCH_F-0)[0x612000004d20]{ESTABLISHED}: Received Event LCHAN_EV_RTP_RELEASED 20190506125306207 DRSL <0003> /git/osmo-bsc/src/osmo-bsc/abis_rsl.c:633 (bts=0,trx=0,ts=1,ss=0) DEACTivate SACCH CMD 20190506125306207 DCHAN <0010> /git/osmo-bsc/src/osmo-bsc/lchan_fsm.c:1361 lchan(0-0-1-TCH_F-0)[0x612000004d20]{ESTABLISHED}: state_chg to WAIT_RF_RELEASE_ACK 20190506125306207 DCHAN <0010> /git/osmo-bsc/src/osmo-bsc/lchan_fsm.c:1406 lchan(0-0-1-TCH_F-0)[0x612000004d20]{WAIT_RF_RELEASE_ACK}: lchan detaches from conn SUBSCR_CONN(conn2)[0x612000005920] 20190506125306207 DMSC <0007> /git/osmo-bsc/src/osmo-bsc/lchan_fsm.c:1409 SUBSCR_CONN(conn2)[0x612000005920]{ASSIGNMENT}: lchan lchan(0-0-1-TCH_F-0)[0x612000004d20] detaches from conn ================================================================= ==24184==ERROR: AddressSanitizer: heap-use-after-free on address 0x62b000000a80 at pc 0x7ffff661b850 bp 0x7fffffffce40 sp 0x7fffffffce30 READ of size 8 at 0x62b000000a80 thread T0 #0 0x7ffff661b84f in osmo_mgcpc_ep_check_ci /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:139 #1 0x7ffff662264a in osmo_mgcpc_ep_ci_request /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:536 #2 0x555555b33bdb in osmo_mgcpc_ep_ci_dlcx /build/new/out/include/osmocom/mgcp_client/mgcp_client_endpoint_fsm.h:37 #3 0x555555b34484 in assignment_reset /git/osmo-bsc/src/osmo-bsc/assignment_fsm.c:107 #4 0x555555b6dc42 in assignment_fsm_cleanup /git/osmo-bsc/src/osmo-bsc/assignment_fsm.c:761 #5 0x7ffff62619cd in _osmo_fsm_inst_term /git/libosmocore/src/fsm.c:890 #6 0x555555b35b44 in on_assignment_failure /git/osmo-bsc/src/osmo-bsc/assignment_fsm.c:127 #7 0x555555b66838 in assignment_fsm_wait_mgw_endpoint_to_msc /git/osmo-bsc/src/osmo-bsc/assignment_fsm.c:657 #8 0x7ffff625f2d2 in _osmo_fsm_inst_dispatch /git/libosmocore/src/fsm.c:818 #9 0x7ffff661e85d in on_failure /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:374 #10 0x7ffff663e5a1 in osmo_mgcpc_ep_fsm_handle_ci_events /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:813 #11 0x7ffff625f2d2 in _osmo_fsm_inst_dispatch /git/libosmocore/src/fsm.c:818 #12 0x7ffff626221c in _osmo_fsm_inst_term /git/libosmocore/src/fsm.c:905 #13 0x7ffff6614545 in mgw_crcx_resp_cb /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_fsm.c:264 #14 0x7ffff66058e5 in mgcp_client_handle_response /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client.c:206 #15 0x7ffff6608d74 in mgcp_client_rx /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client.c:680 #16 0x7ffff66092e8 in mgcp_do_read /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client.c:714 #17 0x7ffff6262b10 in osmo_wqueue_bfd_cb /git/libosmocore/src/write_queue.c:51 #18 0x7ffff623b883 in osmo_fd_disp_fds /git/libosmocore/src/select.c:223 #19 0x7ffff623bba9 in osmo_select_main /git/libosmocore/src/select.c:263 #20 0x555555d4e622 in main /git/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:932 #21 0x7ffff546ace2 in __libc_start_main (/usr/lib/libc.so.6+0x23ce2) #22 0x555555ab590d in _start (/build/new/out/bin/osmo-bsc+0x56190d) 0x62b000000a80 is located 2176 bytes inside of 25216-byte region [0x62b000000200,0x62b000006480) freed by thread T0 here: #0 0x7ffff72ebf89 in __interceptor_free /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:66 #1 0x7ffff6142323 (/usr/lib/libtalloc.so.2+0xb323) previously allocated by thread T0 here: #0 0x7ffff72ec389 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:86 #1 0x7ffff613fe11 in _talloc_zero (/usr/lib/libtalloc.so.2+0x8e11) SUMMARY: AddressSanitizer: heap-use-after-free /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:139 in osmo_mgcpc_ep_check_ci Shadow bytes around the buggy address: 0x0c567fff8100: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c567fff8110: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c567fff8120: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c567fff8130: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c567fff8140: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd =>0x0c567fff8150:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c567fff8160: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c567fff8170: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c567fff8180: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c567fff8190: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c567fff81a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==24184==ABORTING Program received signal SIGABRT, Aborted. 0x00007ffff547e82f in raise () from /usr/lib/libc.so.6 (gdb) bt full #0 0x00007ffff547e82f in raise () from /usr/lib/libc.so.6 No symbol table info available. #1 0x00007ffff5469672 in abort () from /usr/lib/libc.so.6 No symbol table info available. #2 0x00007ffff730cd64 in __sanitizer::Abort () at /build/gcc/src/gcc/libsanitizer/sanitizer_common/sanitizer_posix_libcdep.cc:145 No locals. #3 0x00007ffff73159dd in __sanitizer::Die () at /build/gcc/src/gcc/libsanitizer/sanitizer_common/sanitizer_termination.cc:57 No locals. #4 0x00007ffff72f78fe in __asan::ScopedInErrorReport::~ScopedInErrorReport (this=<optimized out>, __in_chrg=<optimized out>) at /build/gcc/src/gcc/libsanitizer/asan/asan_report.cc:181 buffer_copy = <optimized out> #5 __asan::ReportGenericError (pc=<optimized out>, bp=bp@entry=140737488342592, sp=sp@entry=140737488342576, addr=108508053768832, is_write=is_write@entry=false, access_size=access_size@entry=8, exp=0, fatal=true) at /build/gcc/src/gcc/libsanitizer/asan/asan_report.cc:397 in_report = {error_report_lock_ = {<No data fields>}, static current_error_ = {kind = __asan::kErrorKindGeneric, {Base = {scariness = {score = 51, descr = "8-byte-read-heap-use-after-free\000\377\177\000\000\366!'\366\377\177\000\000espin/deR\370\377\377\377\017\000\000\220\302\377\377\377\177\000\000\000\"\251\343\343\a\000\000\005\000\000\000\006\000\000\000\300\304\357UUU\000\000\240p.\366\377\177\000\000\220\302\377\377\377\177\000\000\022\022\320\\\000\000\000\000\345*\003\000\000\000\000\000\000\000\000\000Q\005\000\000\340\267\352UUU\000\000\001\000\000\000\020\000\000\000\240\000\000\000 a\000\000\005\000\000\000\327\000\000\000\327\000\000\000)\017\000\000\006\000\000\000\065\000\000\000\f\000\000\000\006\000\000\000\004\000\000\000w\000\000\000\001\000\000\000"...}, tid = 0}, DeadlySignal = {<__asan::ErrorBase> = {scariness = {score = 51, descr = "8-byte-read-heap-use-after-free\000\377\177\000\000\366!'\366\377\177\000\000espin/deR\370\377\377\377\017\000\000\220\302\377\377\377\177\000\000\000\"\251\343\343\a\000\000\005\000\000\000\006\000\000\000\300\304\357UUU\000\000\240p.\366\377\177\000\000\220\302\377\377\377\177\000\000\022\022\320\\\000\000\000\000\345*\003\000\000\000\000\000\000\000\000\000Q\005\000\000\340\267\352UUU\000\000\001\000\000\000\020\000\000\000\240\000\000\000 a\000\000\005\000\000\000\327\000\000\000\327\000\000\000)\017\000\000\006\000\000\000\065\000\000\000\f\000\000\000\006\000\000\000\004\000\000\000w\000\000\000\001\000\000\000"...}, tid = 0}, signal = {siginfo = 0x2, context = 0x62b000000a80, addr = 0, pc = 0, sp = 3098476548018143233, bp = 108508053768832, is_memory_access = 128, write_flag = __sanitizer::SignalContext::UNKNOWN}}, DoubleFree = {<__asan::ErrorBase> = {scariness = {score = 51, descr = "8-byte-read-heap-use-after-free\000\377\177\000\000\366!'\366\377\177\000\000espin/deR\370\377\377\377\017\000\000\220\302\377\377\377\177\000\000\000\"\251\343\343\a\000\000\005\000\000\000\006\000\000\000\300\304\357UUU\000\000\240p.\366\377\177\000\000\220\302\377\377\377\177\000\000\022\022\320\\\000\000\000\000\345*\003\000\000\000\000\000\000\000\000\000Q\005\000\000\340\267\352UUU\000\000\001\000\000\000\020\000\000\000\240\000\000\000 a\000\000\005\000\000\000\327\000\000\000\327\000\000\000)\017\000\000\006\000\000\000\065\000\000\000\f\000\000\000\006\000\000\000\004\000\000\000w\000\000\000\001\000\000\000"...}, tid = 0}, second_free_stack = 0x2, addr_description = {addr = 108508053768832, alloc_tid = 0, free_tid = 0, alloc_stack_id = 92274689, free_stack_id = 721420289, chunk_access = {bad_addr = 108508053768832, offset = 2176, chunk_begin = 108508053766656, chunk_size = 25216, access_type = 2, alloc_type = 1}}}, NewDeleteSizeMismatch = {<__asan::ErrorBase> = {scariness = {score = 51, descr = "8-byte-read-heap-use-after-free\000\377\177\000\000\366!'\366\377\177\000\000espin/deR\370\377\377\377\017\000\000\220\302\377\377\377\177\000\000\000\"\251\343\343\a\000\000\005\000\000\000\006\000\000\000\300\304\357UUU\000\000\240p.\366\377\177\000\000\220\302\377\377\377\177\000\000\022\022\320\\\000\000\000\000\345*\003\000\000\000\000\000\000\000\000\000Q\005\000\000\340\267\352UUU\000\000\001\000\000\000\020\000\000\000\240\000\000\000 a\000\000\005\000\000\000\327\000\000\000\327\000\000\000)\017\000\000\006\000\000\000\065\000\000\000\f\000\000\000\006\000\000\000\004\000\000\000w\000\000\000\001\000\000\000"...}, tid = 0}, free_stack = 0x2, addr_description = {addr = 108508053768832, alloc_tid = 0, free_tid = 0, alloc_stack_id = 92274689, free_stack_id = 721420289, chunk_access = {bad_addr = 108508053768832, offset = 2176, chunk_begin = 108508053766656, chunk_size = 25216, access_type = 2, alloc_type = 1}}, delete_size = 106790066870560}, FreeNotMalloced = {<__asan::ErrorBase> = {scariness = {score = 51, descr = "8-byte-read-heap-use-after-free\000\377\177\000\000\366!'\366\377\177\000\000espin/deR\370\377\377\377\017\000\000\220\302\377\377\377\177\000\000\000\"\251\343\343\a\000\000\005\000\000\000\006\000\000\000\300\304\357UUU\000\000\240p.\366\377\177\000\000\220\302\377\377\377\177\000\000\022\022\320\\\000\000\000\000\345*\003\000\000\000\000\000\000\000\000\000Q\005\000\000\340\267\352UUU\000\000\001\000\000\000\020\000\000\000\240\000\000\000 a\000\000\005\000\000\000\327\000\000\000\327\000\000\000)\017\000\000\006\000\000\000\065\000\000\000\f\000\000\000\006\000\000\000\004\000\000\000w\000\000\000\001\000\000\000"...}, tid = 0}, free_stack = 0x2, addr_description = {data = {kind = 2688, {shadow = {addr = 0, kind = __asan::kShadowKindLow, shadow_byte = 0 '\000'}, heap = {addr = 0, alloc_tid = 0, free_tid = 3098476548018143233, alloc_stack_id = 2688, free_stack_id = 25264, chunk_access = {bad_addr = 2176, offset = 108508053766656, chunk_begin = 25216, chunk_size = 73014429286, access_type = 0, alloc_type = 0}}, stack = {addr = 0, tid = 0, offset = 3098476548018143233, frame_pc = 108508053768832, access_size = 2176, frame_descr = 0x62b000000200 "\001"}, global = {addr = 0, static kMaxGlobals = 4, globals = {{beg = 0, size = 3098476548018143233, size_with_redzone = 108508053768832, name = 0x880 <error: Cannot access memory at address 0x880>, module_name = 0x62b000000200 "\001", has_dynamic_init = 25216, location = 0x10ffffc666, odr_indicator = 106790066870560}, {beg = 93825001346016, size = 107889578482016, size_with_redzone = 140737488340688, name = 0x10000 <error: Cannot access memory at address 0x10000>, module_name = 0x555555e053e0 "ASSIGNMENT", has_dynamic_init = 1, location = 0x7fffffffc6d0, odr_indicator = 140737323068233}, {beg = 140737327176224, size = 8927766694574236160, size_with_redzone = 68719477483, name = 0x7ffff630aee0 "\003", module_name = 0x7ffff48f3978 "", has_dynamic_init = 140737327185120, location = 0x1, odr_indicator = 106446469593184}, {beg = 106446469588608, size = 140737339683169, --Type <RET> for more, q to quit, c to continue without paging-- size_with_redzone = 106446469593184, name = 0x7ffff6683ae0 <osmo_mgcpc_ep_fsm> "\200\223\024\367\377\177", module_name = 0x7fffffffc750 "te-read-heap-use-after-free", has_dynamic_init = 140737323082285, location = 0x2300000001, odr_indicator = 106790066847904}}, reg_sites = {4133788192, 32767, 0, 0}, access_size = 8589935339, size = 80 'P'}, addr = 0}}}}, AllocTypeMismatch = {<__asan::ErrorBase> = {scariness = {score = 51, descr = "8-byte-read-heap-use-after-free\000\377\177\000\000\366!'\366\377\177\000\000espin/deR\370\377\377\377\017\000\000\220\302\377\377\377\177\000\000\000\"\251\343\343\a\000\000\005\000\000\000\006\000\000\000\300\304\357UUU\000\000\240p.\366\377\177\000\000\220\302\377\377\377\177\000\000\022\022\320\\\000\000\000\000\345*\003\000\000\000\000\000\000\000\000\000Q\005\000\000\340\267\352UUU\000\000\001\000\000\000\020\000\000\000\240\000\000\000 a\000\000\005\000\000\000\327\000\000\000\327\000\000\000)\017\000\000\006\000\000\000\065\000\000\000\f\000\000\000\006\000\000\000\004\000\000\000w\000\000\000\001\000\000\000"...}, tid = 0}, dealloc_stack = 0x2, addr_description = {addr = 108508053768832, alloc_tid = 0, free_tid = 0, alloc_stack_id = 92274689, free_stack_id = 721420289, chunk_access = {bad_addr = 108508053768832, offset = 2176, chunk_begin = 108508053766656, chunk_size = 25216, access_type = 2, alloc_type = 1}}, alloc_type = 22816, dealloc_type = 24864}, MallocUsableSizeNotOwned = {<__asan::ErrorBase> = {scariness = {score = 51, descr = "8-byte-read-heap-use-after-free\000\377\177\000\000\366!'\366\377\177\000\000espin/deR\370\377\377\377\017\000\000\220\302\377\377\377\177\000\000\000\"\251\343\343\a\000\000\005\000\000\000\006\000\000\000\300\304\357UUU\000\000\240p.\366\377\177\000\000\220\302\377\377\377\177\000\000\022\022\320\\\000\000\000\000\345*\003\000\000\000\000\000\000\000\000\000Q\005\000\000\340\267\352UUU\000\000\001\000\000\000\020\000\000\000\240\000\000\000 a\000\000\005\000\000\000\327\000\000\000\327\000\000\000)\017\000\000\006\000\000\000\065\000\000\000\f\000\000\000\006\000\000\000\004\000\000\000w\000\000\000\001\000\000\000"...}, tid = 0}, stack = 0x2, addr_description = {data = {kind = 2688, {shadow = {addr = 0, kind = __asan::kShadowKindLow, shadow_byte = 0 '\000'}, heap = {addr = 0, alloc_tid = 0, free_tid = 3098476548018143233, alloc_stack_id = 2688, free_stack_id = 25264, chunk_access = {bad_addr = 2176, offset = 108508053766656, chunk_begin = 25216, chunk_size = 73014429286, access_type = 0, alloc_type = 0}}, stack = {addr = 0, tid = 0, offset = 3098476548018143233, frame_pc = 108508053768832, access_size = 2176, frame_descr = 0x62b000000200 "\001"}, global = {addr = 0, static kMaxGlobals = 4, globals = {{beg = 0, size = 3098476548018143233, size_with_redzone = 108508053768832, name = 0x880 <error: Cannot access memory at address 0x880>, module_name = 0x62b000000200 "\001", has_dynamic_init = 25216, location = 0x10ffffc666, odr_indicator = 106790066870560}, {beg = 93825001346016, size = 107889578482016, size_with_redzone = 140737488340688, name = 0x10000 <error: Cannot access memory at address 0x10000>, module_name = 0x555555e053e0 "ASSIGNMENT", has_dynamic_init = 1, location = 0x7fffffffc6d0, odr_indicator = 140737323068233}, {beg = 140737327176224, size = 8927766694574236160, size_with_redzone = 68719477483, name = 0x7ffff630aee0 "\003", module_name = 0x7ffff48f3978 "", has_dynamic_init = 140737327185120, location = 0x1, odr_indicator = 106446469593184}, {beg = 106446469588608, size = 140737339683169, size_with_redzone = 106446469593184, name = 0x7ffff6683ae0 <osmo_mgcpc_ep_fsm> "\200\223\024\367\377\177", module_name = 0x7fffffffc750 "te-read-heap-use-after-free", has_dynamic_init = 140737323082285, location = 0x2300000001, odr_indicator = 106790066847904}}, reg_sites = {4133788192, 32767, 0, 0}, access_size = 8589935339, size = 80 'P'}, addr = 0}}}}, SanitizerGetAllocatedSizeNotOwned = {<__asan::ErrorBase> = {scariness = {score = 51, descr = "8-byte-read-heap-use-after-free\000\377\177\000\000\366!'\366\377\177\000\000espin/deR\370\377\377\377\017\000\000\220\302\377\377\377\177\000\000\000\"\251\343\343\a\000\000\005\000\000\000\006\000\000\000\300\304\357UUU\000\000\240p.\366\377\177\000\000\220\302\377\377\377\177\000\000\022\022\320\\\000\000\000\000\345*\003\000\000\000\000\000\000\000\000\000Q\005\000\000\340\267\352UUU\000\000\001\000\000\000\020\000\000\000\240\000\000\000 a\000\000\005\000\000\000\327\000\000\000\327\000\000\000)\017\000\000\006\000\000\000\065\000\000\000\f\000\000\000\006\000\000\000\004\000\000\000w\000\000\000\001\000\000\000"...}, tid = 0}, stack = 0x2, addr_description = {data = {kind = 2688, {shadow = {addr = 0, kind = __asan::kShadowKindLow, shadow_byte = 0 '\000'}, heap = {addr = 0, alloc_tid = 0, free_tid = 3098476548018143233, alloc_stack_id = 2688, free_stack_id = 25264, chunk_access = {bad_addr = 2176, offset = 108508053766656, chunk_begin = 25216, chunk_size = 73014429286, access_type = 0, alloc_type = 0}}, stack = {addr = 0, tid = 0, offset = 3098476548018143233, frame_pc = 108508053768832, access_size = 2176, frame_descr = 0x62b000000200 "\001"}, global = {addr = 0, static kMaxGlobals = 4, globals = {{beg = 0, size = 3098476548018143233, size_with_redzone = 108508053768832, name = 0x880 <error: Cannot access memory at address 0x880>, module_name = 0x62b000000200 "\001", has_dynamic_init = 25216, location = 0x10ffffc666, odr_indicator = 106790066870560}, {beg = 93825001346016, size = 107889578482016, size_with_redzone = 140737488340688, name = 0x10000 <error: Cannot access memory at address 0x10000>, module_name = 0x555555e053e0 "ASSIGNMENT", has_dynamic_init = 1, location = 0x7fffffffc6d0, odr_indicator = 140737323068233}, {beg = 140737327176224, size = 8927766694574236160, size_with_redzone = 68719477483, name = 0x7ffff630aee0 "\003", module_name = 0x7ffff48f3978 "", has_dynamic_init = 140737327185120, location = 0x1, odr_indicator = 106446469593184}, {beg = 106446469588608, size = 140737339683169, size_with_redzone = 106446469593184, name = 0x7ffff6683ae0 <osmo_mgcpc_ep_fsm> "\200\223\024\367\377\177", module_name = 0x7fffffffc750 "te-read-heap-use-after-free", has_dynamic_init = 140737323082285, location = 0x2300000001, odr_indicator = 106790066847904}}, reg_sites = {4133788192, 32767, 0, 0}, access_size = 8589935339, size = 80 'P'}, addr = 0}}}}, StringFunctionMemoryRangesOverlap = {<__asan::ErrorBase> = {scariness = {score = 51, descr = "8-byte-read-heap-use-after-free\000\377\177\000\000\366!'\366\377\177\000\000espin/deR\370\377\377\377\017\000\000\220\302\377\377\377\177\000\000\000\"\251\343\343\a\000\000\005\000\000\000\006\000\000\000\300\304\357UUU\000\000\240p.\366\377\177\000\000\220\302\377\377\377\177\000\000\022\022\320\\\000\000\000\000\345*\003\000\000\000\000\000\000\000\000\000Q\005\000\000\340\267\352UUU\000\000\001\000\000\000\020\000\000\000\240\000\000\000 a\000\000\005\000\000\000\327\000\000\000\327\000\000\000)\017\000\000\006\000\000\000\065\000\000\000\f\000\000\000\006\000\000\000\004\000\000\000w\000\000\000\001\000\000\000"...}, tid = 0}, stack = 0x2, length1 = 108508053768832, length2 = 0, addr1_description = {data = {kind = __asan::kAddressKindWild, {shadow = {addr = 3098476548018143233, kind = (unknown: -128), shadow_byte = 10 '\n'}, heap = {addr = 3098476548018143233, alloc_tid = 108508053768832, free_tid = 2176, alloc_stack_id = 512, free_stack_id = 25264, chunk_access = {bad_addr = 25216, offset = 73014429286, chunk_begin = 106790066870560, chunk_size = 93825001346016, access_type = 0, alloc_type = 0}}, stack = { addr = 3098476548018143233, tid = 108508053768832, offset = 2176, frame_pc = 108508053766656, access_size = 25216, frame_descr = 0x10ffffc666 ""}, global = { --Type <RET> for more, q to quit, c to continue without paging-- addr = 3098476548018143233, static kMaxGlobals = 4, globals = {{beg = 108508053768832, size = 2176, size_with_redzone = 108508053766656, name = 0x6280 <error: Cannot access memory at address 0x6280>, module_name = 0x10ffffc666 "", has_dynamic_init = 106790066870560, location = 0x555555e053e0, odr_indicator = 107889578482016}, {beg = 140737488340688, size = 65536, size_with_redzone = 93825001346016, name = 0x1 <error: Cannot access memory at address 0x1>, module_name = 0x7fffffffc6d0 "P\307\377\377\377\177", has_dynamic_init = 140737323068233, location = 0x7ffff6649a20, odr_indicator = 8927766694574236160}, {beg = 68719477483, size = 140737323773664, size_with_redzone = 140737296415096, name = 0x7ffff664bce0 "WAIT_MGW_RESPONSE", module_name = 0x1 <error: Cannot access memory at address 0x1>, has_dynamic_init = 106446469593184, location = 0x60d00001e680, odr_indicator = 140737339683169}, {beg = 106446469593184, size = 140737327413984, size_with_redzone = 140737488340816, name = 0x7ffff626222d <_osmo_fsm_inst_term+12102> "\213@\b\205\300t8fH\215=\244\214\n", module_name = 0x2300000001 "", has_dynamic_init = 106790066847904, location = 0x7ffff6649a20, odr_indicator = 0}}, reg_sites = {747, 2, 4133599312, 32767}, access_size = 140737488342592, size = 48 '0'}, addr = 3098476548018143233}}}, addr2_description = {data = {kind = 8, {shadow = {addr = 140737340699588, kind = __asan::kShadowKindLow, shadow_byte = 253 '\375'}, heap = { addr = 140737340699588, alloc_tid = 140737488354560, free_tid = 0, alloc_stack_id = 0, free_stack_id = 0, chunk_access = {bad_addr = 0, offset = 0, chunk_begin = 0, chunk_size = 0, access_type = 0, alloc_type = 0}}, stack = {addr = 140737340699588, tid = 140737488354560, offset = 0, frame_pc = 0, access_size = 0, frame_descr = 0x0}, global = { addr = 140737340699588, static kMaxGlobals = 4, globals = {{beg = 140737488354560, size = 0, size_with_redzone = 0, name = 0x0, module_name = 0x0, has_dynamic_init = 0, location = 0x0, odr_indicator = 0}, {beg = 0, size = 0, size_with_redzone = 0, name = 0x0, module_name = 0x0, has_dynamic_init = 0, location = 0x0, odr_indicator = 0}, { beg = 140737340571560, size = 3621364556, size_with_redzone = 140737350584160, name = 0x7fffffffce90 "\340d\002", module_name = 0x0, has_dynamic_init = 0, location = 0x0, odr_indicator = 0}, {beg = 1384, size = 1256, size_with_redzone = 1256, name = 0x568 <error: Cannot access memory at address 0x568>, module_name = 0x1a <error: Cannot access memory at address 0x1a>, has_dynamic_init = 1256, location = 0x4e8, odr_indicator = 140737340922304}}, reg_sites = {4146210054, 32767, 156800, 24992}, access_size = 107339822818416, size = 128 '\200'}, addr = 140737340699588}}}, function = 0x7 <error: Cannot access memory at address 0x7>}, StringFunctionSizeOverflow = {<__asan::ErrorBase> = {scariness = {score = 51, descr = "8-byte-read-heap-use-after-free\000\377\177\000\000\366!'\366\377\177\000\000espin/deR\370\377\377\377\017\000\000\220\302\377\377\377\177\000\000\000\"\251\343\343\a\000\000\005\000\000\000\006\000\000\000\300\304\357UUU\000\000\240p.\366\377\177\000\000\220\302\377\377\377\177\000\000\022\022\320\\\000\000\000\000\345*\003\000\000\000\000\000\000\000\000\000Q\005\000\000\340\267\352UUU\000\000\001\000\000\000\020\000\000\000\240\000\000\000 a\000\000\005\000\000\000\327\000\000\000\327\000\000\000)\017\000\000\006\000\000\000\065\000\000\000\f\000\000\000\006\000\000\000\004\000\000\000w\000\000\000\001\000\000\000"...}, tid = 0}, stack = 0x2, addr_description = {data = {kind = 2688, {shadow = {addr = 0, kind = __asan::kShadowKindLow, shadow_byte = 0 '\000'}, heap = {addr = 0, alloc_tid = 0, free_tid = 3098476548018143233, alloc_stack_id = 2688, free_stack_id = 25264, chunk_access = {bad_addr = 2176, offset = 108508053766656, chunk_begin = 25216, chunk_size = 73014429286, access_type = 0, alloc_type = 0}}, stack = {addr = 0, tid = 0, offset = 3098476548018143233, frame_pc = 108508053768832, access_size = 2176, frame_descr = 0x62b000000200 "\001"}, global = {addr = 0, static kMaxGlobals = 4, globals = {{beg = 0, size = 3098476548018143233, size_with_redzone = 108508053768832, name = 0x880 <error: Cannot access memory at address 0x880>, module_name = 0x62b000000200 "\001", has_dynamic_init = 25216, location = 0x10ffffc666, odr_indicator = 106790066870560}, {beg = 93825001346016, size = 107889578482016, size_with_redzone = 140737488340688, name = 0x10000 <error: Cannot access memory at address 0x10000>, module_name = 0x555555e053e0 "ASSIGNMENT", has_dynamic_init = 1, location = 0x7fffffffc6d0, odr_indicator = 140737323068233}, {beg = 140737327176224, size = 8927766694574236160, size_with_redzone = 68719477483, name = 0x7ffff630aee0 "\003", module_name = 0x7ffff48f3978 "", has_dynamic_init = 140737327185120, location = 0x1, odr_indicator = 106446469593184}, {beg = 106446469588608, size = 140737339683169, size_with_redzone = 106446469593184, name = 0x7ffff6683ae0 <osmo_mgcpc_ep_fsm> "\200\223\024\367\377\177", module_name = 0x7fffffffc750 "te-read-heap-use-after-free", has_dynamic_init = 140737323082285, location = 0x2300000001, odr_indicator = 106790066847904}}, reg_sites = {4133788192, 32767, 0, 0}, access_size = 8589935339, size = 80 'P'}, addr = 0}}}, size = 140737488342592}, BadParamsToAnnotateContiguousContainer = {<__asan::ErrorBase> = {scariness = {score = 51, descr = "8-byte-read-heap-use-after-free\000\377\177\000\000\366!'\366\377\177\000\000espin/deR\370\377\377\377\017\000\000\220\302\377\377\377\177\000\000\000\"\251\343\343\a\000\000\005\000\000\000\006\000\000\000\300\304\357UUU\000\000\240p.\366\377\177\000\000\220\302\377\377\377\177\000\000\022\022\320\\\000\000\000\000\345*\003\000\000\000\000\000\000\000\000\000Q\005\000\000\340\267\352UUU\000\000\001\000\000\000\020\000\000\000\240\000\000\000 a\000\000\005\000\000\000\327\000\000\000\327\000\000\000)\017\000\000\006\000\000\000\065\000\000\000\f\000\000\000\006\000\000\000\004\000\000\000w\000\000\000\001\000\000\000"...}, tid = 0}, stack = 0x2, beg = 108508053768832, end = 0, old_mid = 0, new_mid = 3098476548018143233}, ODRViolation = {<__asan::ErrorBase> = {scariness = {score = 51, descr = "8-byte-read-heap-use-after-free\000\377\177\000\000\366!'\366\377\177\000\000espin/deR\370\377\377\377\017\000\000\220\302\377\377\377\177\000\000\000\"\251\343\343\a\000\000\005\000\000\000\006\000\000\000\300\304\357UUU\000\000\240p.\366\377\177\000\000\220\302\377\377\377\177\000\000\022\022\320\\\000\000\000\000\345*\003\000\000\000\000\000\000\000\000\000Q\005\000\000\340\267\352UUU\000\000\001\000\000\000\020\000\000\000\240\000\000\000 a\000\000\005\000\000\000\327\000\000\000\327\000\000\000)\017\000\000\006\000\000\000\065\000\000\000\f\000\000\000\006\000\000\000\004\000\000\000w\000\000\000\001\000\000\000"...}, tid = 0}, global1 = {beg = 2, size = 108508053768832, size_with_redzone = 0, name = 0x0, module_name = 0x2b00000105800001 <error: Cannot access memory at address 0x2b00000105800001>, has_dynamic_init = 108508053768832, location = 0x880, odr_indicator = 108508053766656}, global2 = {beg = 25216, size = 73014429286, size_with_redzone = 106790066870560, name = 0x555555e053e0 "ASSIGNMENT", module_name = 0x622000001960 "\360\001", has_dynamic_init = 140737488340688, location = 0x10000, odr_indicator = 93825001346016}, stack_id1 = 1, stack_id2 = 0}, InvalidPointerPair = {<__asan::ErrorBase> = {scariness = { score = 51, descr = "8-byte-read-heap-use-after-free\000\377\177\000\000\366!'\366\377\177\000\000espin/deR\370\377\377\377\017\000\000\220\302\377\377\377\177\000\000\000\"\251\343\343\a\000\000\005--Type <RET> for more, q to quit, c to continue without paging-- \000\000\000\006\000\000\000\300\304\357UUU\000\000\240p.\366\377\177\000\000\220\302\377\377\377\177\000\000\022\022\320\\\000\000\000\000\345*\003\000\000\000\000\000\000\000\000\000Q\005\000\000\340\267\352UUU\000\000\001\000\000\000\020\000\000\000\240\000\000\000 a\000\000\005\000\000\000\327\000\000\000\327\000\000\000)\017\000\000\006\000\000\000\065\000\000\000\f\000\000\000\006\000\000\000\004\000\000\000w\000\000\000\001\000\000\000"...}, tid = 0}, pc = 2, bp = 108508053768832, sp = 0, addr1_description = {data = {kind = __asan::kAddressKindWild, {shadow = {addr = 3098476548018143233, kind = (unknown: -128), shadow_byte = 10 '\n'}, heap = {addr = 3098476548018143233, alloc_tid = 108508053768832, free_tid = 2176, alloc_stack_id = 512, free_stack_id = 25264, chunk_access = {bad_addr = 25216, offset = 73014429286, chunk_begin = 106790066870560, chunk_size = 93825001346016, access_type = 0, alloc_type = 0}}, stack = { addr = 3098476548018143233, tid = 108508053768832, offset = 2176, frame_pc = 108508053766656, access_size = 25216, frame_descr = 0x10ffffc666 ""}, global = { addr = 3098476548018143233, static kMaxGlobals = 4, globals = {{beg = 108508053768832, size = 2176, size_with_redzone = 108508053766656, name = 0x6280 <error: Cannot access memory at address 0x6280>, module_name = 0x10ffffc666 "", has_dynamic_init = 106790066870560, location = 0x555555e053e0, odr_indicator = 107889578482016}, {beg = 140737488340688, size = 65536, size_with_redzone = 93825001346016, name = 0x1 <error: Cannot access memory at address 0x1>, module_name = 0x7fffffffc6d0 "P\307\377\377\377\177", has_dynamic_init = 140737323068233, location = 0x7ffff6649a20, odr_indicator = 8927766694574236160}, {beg = 68719477483, size = 140737323773664, size_with_redzone = 140737296415096, name = 0x7ffff664bce0 "WAIT_MGW_RESPONSE", module_name = 0x1 <error: Cannot access memory at address 0x1>, has_dynamic_init = 106446469593184, location = 0x60d00001e680, odr_indicator = 140737339683169}, {beg = 106446469593184, size = 140737327413984, size_with_redzone = 140737488340816, name = 0x7ffff626222d <_osmo_fsm_inst_term+12102> "\213@\b\205\300t8fH\215=\244\214\n", module_name = 0x2300000001 "", has_dynamic_init = 106790066847904, location = 0x7ffff6649a20, odr_indicator = 0}}, reg_sites = {747, 2, 4133599312, 32767}, access_size = 140737488342592, size = 48 '0'}, addr = 3098476548018143233}}}, addr2_description = {data = {kind = 8, {shadow = {addr = 140737340699588, kind = __asan::kShadowKindLow, shadow_byte = 253 '\375'}, heap = { addr = 140737340699588, alloc_tid = 140737488354560, free_tid = 0, alloc_stack_id = 0, free_stack_id = 0, chunk_access = {bad_addr = 0, offset = 0, chunk_begin = 0, chunk_size = 0, access_type = 0, alloc_type = 0}}, stack = {addr = 140737340699588, tid = 140737488354560, offset = 0, frame_pc = 0, access_size = 0, frame_descr = 0x0}, global = { addr = 140737340699588, static kMaxGlobals = 4, globals = {{beg = 140737488354560, size = 0, size_with_redzone = 0, name = 0x0, module_name = 0x0, has_dynamic_init = 0, location = 0x0, odr_indicator = 0}, {beg = 0, size = 0, size_with_redzone = 0, name = 0x0, module_name = 0x0, has_dynamic_init = 0, location = 0x0, odr_indicator = 0}, { beg = 140737340571560, size = 3621364556, size_with_redzone = 140737350584160, name = 0x7fffffffce90 "\340d\002", module_name = 0x0, has_dynamic_init = 0, location = 0x0, odr_indicator = 0}, {beg = 1384, size = 1256, size_with_redzone = 1256, name = 0x568 <error: Cannot access memory at address 0x568>, module_name = 0x1a <error: Cannot access memory at address 0x1a>, has_dynamic_init = 1256, location = 0x4e8, odr_indicator = 140737340922304}}, reg_sites = {4146210054, 32767, 156800, 24992}, access_size = 107339822818416, size = 128 '\200'}, addr = 140737340699588}}}}, Generic = {<__asan::ErrorBase> = {scariness = {score = 51, descr = "8-byte-read-heap-use-after-free\000\377\177\000\000\366!'\366\377\177\000\000espin/deR\370\377\377\377\017\000\000\220\302\377\377\377\177\000\000\000\"\251\343\343\a\000\000\005\000\000\000\006\000\000\000\300\304\357UUU\000\000\240p.\366\377\177\000\000\220\302\377\377\377\177\000\000\022\022\320\\\000\000\000\000\345*\003\000\000\000\000\000\000\000\000\000Q\005\000\000\340\267\352UUU\000\000\001\000\000\000\020\000\000\000\240\000\000\000 a\000\000\005\000\000\000\327\000\000\000\327\000\000\000)\017\000\000\006\000\000\000\065\000\000\000\f\000\000\000\006\000\000\000\004\000\000\000w\000\000\000\001\000\000\000"...}, tid = 0}, addr_description = {data = {kind = __asan::kAddressKindHeap, {shadow = {addr = 108508053768832, kind = __asan::kShadowKindLow, shadow_byte = 0 '\000'}, heap = {addr = 108508053768832, alloc_tid = 0, free_tid = 0, alloc_stack_id = 92274689, free_stack_id = 721420289, chunk_access = {bad_addr = 108508053768832, offset = 2176, chunk_begin = 108508053766656, chunk_size = 25216, access_type = 2, alloc_type = 1}}, stack = {addr = 108508053768832, tid = 0, offset = 0, frame_pc = 3098476548018143233, access_size = 108508053768832, frame_descr = 0x880 <error: Cannot access memory at address 0x880>}, global = {addr = 108508053768832, static kMaxGlobals = 4, globals = {{beg = 0, size = 0, size_with_redzone = 3098476548018143233, name = 0x62b000000a80 "`\002", module_name = 0x880 <error: Cannot access memory at address 0x880>, has_dynamic_init = 108508053766656, location = 0x6280, odr_indicator = 73014429286}, {beg = 106790066870560, size = 93825001346016, size_with_redzone = 107889578482016, name = 0x7fffffffc6d0 "P\307\377\377\377\177", module_name = 0x10000 <error: Cannot access memory at address 0x10000>, has_dynamic_init = 93825001346016, location = 0x1, odr_indicator = 140737488340688}, {beg = 140737323068233, size = 140737327176224, size_with_redzone = 8927766694574236160, name = 0x10000002eb "", module_name = 0x7ffff630aee0 "\003", has_dynamic_init = 140737296415096, location = 0x7ffff664bce0, odr_indicator = 1}, {beg = 106446469593184, size = 106446469588608, size_with_redzone = 140737339683169, name = 0x60d00001f860 "mgw-endpoint(conn2)[0x6120000060a0]", module_name = 0x7ffff6683ae0 <osmo_mgcpc_ep_fsm> "\200\223\024\367\377\177", has_dynamic_init = 140737488340816, location = 0x7ffff626222d <_osmo_fsm_inst_term+12102>, odr_indicator = 150323855361}}, reg_sites = {160, 24864, 4133788192, 32767}, access_size = 0, size = 235 '\353'}, addr = 108508053768832}}}, pc = 140737326987344, bp = 140737488342592, sp = 140737488342576, access_size = 8, bug_descr = 0x7ffff732f3c4 "heap-use-after-free", is_write = false, shadow_val = 253 '\375'}}}, halt_on_error_ = true} error = {<__asan::ErrorBase> = {scariness = {score = 51, descr = "8-byte-read-heap-use-after-free\000\377\177\000\000\366!'\366\377\177\000\000espin/deR\370\377\377\377\017\000\000\220\302\377\377\377\177\000\000\000\"\251\343\343\a\000\000\005\000\000\000\006\000\000\000\300\304\357UUU\000\000\240p.\366\377\177\000\000\220\302\377\377\377\177\000\000\022\022\320\\\000\000\000\000\345*\003\000\000\000\000\000\000\000\000\000Q\005\000\000\340\267\352UUU\000\000\001\000\000\000\020\000\000\000\240\000\000\000 a\000\000\005\000\000\000\327\000\000\000\327\000\000\000)\017\000\000\006\000\000\000\065\000\000\000\f\000\000\000\006\000\000\000\004\000\000\000w\000\000\000\001\000\000\000"...}, tid = 0}, addr_description = {data = {kind = __asan::kAddressKindHeap, {shadow = {addr = 108508053768832, kind = __asan::kShadowKindLow, shadow_byte = 0 '\000'}, heap = { addr = 108508053768832, alloc_tid = 0, free_tid = 0, alloc_stack_id = 92274689, free_stack_id = 721420289, chunk_access = {bad_addr = 108508053768832, offset = 2176, chunk_begin = 108508053766656, chunk_size = 25216, access_type = 2, alloc_type = 1}}, stack = {addr = 108508053768832, tid = 0, offset = 0, frame_pc = 3098476548018143233, --Type <RET> for more, q to quit, c to continue without paging-- access_size = 108508053768832, frame_descr = 0x880 <error: Cannot access memory at address 0x880>}, global = {addr = 108508053768832, static kMaxGlobals = 4, globals = {{beg = 0, size = 0, size_with_redzone = 3098476548018143233, name = 0x62b000000a80 "`\002", module_name = 0x880 <error: Cannot access memory at address 0x880>, has_dynamic_init = 108508053766656, location = 0x6280, odr_indicator = 73014429286}, {beg = 106790066870560, size = 93825001346016, size_with_redzone = 107889578482016, name = 0x7fffffffc6d0 "P\307\377\377\377\177", module_name = 0x10000 <error: Cannot access memory at address 0x10000>, has_dynamic_init = 93825001346016, location = 0x1, odr_indicator = 140737488340688}, {beg = 140737323068233, size = 140737327176224, size_with_redzone = 8927766694574236160, name = 0x10000002eb "", module_name = 0x7ffff630aee0 "\003", has_dynamic_init = 140737296415096, location = 0x7ffff664bce0, odr_indicator = 1}, {beg = 106446469593184, size = 106446469588608, size_with_redzone = 140737339683169, name = 0x60d00001f860 "mgw-endpoint(conn2)[0x6120000060a0]", module_name = 0x7ffff6683ae0 <osmo_mgcpc_ep_fsm> "\200\223\024\367\377\177", has_dynamic_init = 140737488340816, location = 0x7ffff626222d <_osmo_fsm_inst_term+12102>, odr_indicator = 150323855361}}, reg_sites = {160, 24864, 4133788192, 32767}, access_size = 0, size = 235 '\353'}, addr = 108508053768832}}}, pc = 140737326987344, bp = 140737488342592, sp = 140737488342576, access_size = 8, bug_descr = 0x7ffff732f3c4 "heap-use-after-free", is_write = false, shadow_val = 253 '\375'} #6 0x00007ffff72f841c in __asan::__asan_report_load8 (addr=<optimized out>) at /build/gcc/src/gcc/libsanitizer/asan/asan_rtl.cc:112 bp = 140737488342592 pc = <optimized out> local_stack = 140737488345168 sp = 140737488342576 #7 0x00007ffff661b850 in osmo_mgcpc_ep_check_ci (ci=0x62b000000a80) at /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:139 No locals. #8 0x00007ffff662264b in osmo_mgcpc_ep_ci_request (ci=0x62b000000a80, verb=MGCP_VERB_DLCX, verb_info=0x0, notify=0x0, event_success=0, event_failure=0, notify_data=0x0) at /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:536 ep = 0x0 fi = 0x0 cleared_ci = {ep = 0x7fffffffd300, occupied = 84, label = "\372\377\377\377\017\000\000\240\322\377\377\377\177\000\000 \360\352UUU\000\000 \323\377\377\377\177\000\000\240\000\000\000 a\000\000 \323\377\377\377\177\000\000_-'\366\377\177\000\000\320\322\377\377\377\177\000\000\200", mgcp_client_fi = 0x7ffff62df2e0, pending = false, sent = false, verb = 520, verb_info = {addr = " \036\354UUU\000\000\001\000\000\000\020\000\000", port = 0, endpoint = "\000\000\000\000\000\000\300\373\066\366\377\177\000\000\240\000\000\000 a\000\000\300\373\066\366\377\177\000\000\263\212\265A\000\000\000\000\200t.\366\377\177\000\000:)'\366\377\177\000\000\300\373\066\366\377\177\000\000\060\000\000\000\060\000\000\000\270\324\377\377\377\177\000\000\300\323\377\377\377\177\000\000\200t.\366\377\177\000\000:)'\366\377\177\000\000\000\000\000\000\b\002\000\000\060\000\000\000\060\000\000\000\000\"\251\343\201\314\345{`\323\377\377\377\177\000\000l\372\377\377\377\017\000\000`\323\377\377\377\177\000\000\000\"\251\343\201\314\345{\220\324\377\377\377\177\000\000\300\323\377\377\377\177\000\000 \324\377\377\377\177\000\000x\372\377\377\377\017\000\000\300\323\377\377\377\177\000\000\340\365"..., call_id = 32767, ptime = 3819512320, codecs = {2078657665, 4129763189, 32767, 1, CODEC_PCMU_8000_1, 128, 24704, 32, 24704, CODEC_PCMU_8000_1}, codecs_len = 0, ptmap = {{codec = 787758704, pt = 0}, {codec = 1256, pt = 0}, {codec = 4128504658, pt = 32767}, {codec = 1160, pt = 0}, {codec = 3819512320, pt = 2078657665}, {codec = 4294956336, pt = 32767}, {codec = 1160, pt = 0}, {codec = CODEC_PCMU_8000_1, pt = 0}, {codec = 1, pt = 0}, {codec = CODEC_PCMU_8000_1, pt = 0}}, ptmap_len = 194016, x_osmo_ign = 24784, x_osmo_osmux_use = 96, x_osmo_osmux_cid = 32767, conn_mode = 281992, param_present = 224, param = { amr_octet_aligned_present = 96, amr_octet_aligned = false}}, notify = 0x61a0000264e0, notify_success = 158432, notify_failure = 24992, notify_data = 0x7fffffffd550, got_port_info = 38, rtp_info = {addr = "\377\177\000\000\210M\004\000\340`\000\000\000\"\251", <incomplete sequence \343>, port = 52353, endpoint = "\345{\000\000\000\000\000\000\000\000@\001\000\000\000\000\000\000\001\000\000\000\000\000\000\000\020\327\377\377\377\177\000\000\300\325\377\377\377\177\000\000\364x\t\367\377\177\000\000\320\325\377\377\377\177\000\000\340j\002\000\240a\000\000\002\000\000\000\000\000\000\000`M\004\000\340`\000\000\200\312\000\000\340b\000\000\340\357\024\367\377\177\000\000\340\325\377\377\377\177\000\000`M\004\000\340`\000\000\340\325\377\377\377\177\000\000\027y\t\367\377\177\000\000@\001\000\000\000\000\000\000\340j\002\000\240a\000\000 \326\377\377\377\177\000\000G\341\257UUU\000\000\263\212\265A\000\000\000\000x\236\t\362\377\177\000\000\340j\002\000\240a\000\000\350k\002\000\240a\000\000\001\000\000\000\000\000\000\000"..., call_id = 4294956960, ptime = 32767, codecs = {4130024341, 32767, CODEC_PCMU_8000_1, CODEC_PCMU_8000_1, 3819512320, 2078657665, 1, CODEC_PCMU_8000_1, CODEC_PCMU_8000_1, CODEC_PCMU_8000_1}, codecs_len = 1440616128, ptmap = {{codec = 21845, pt = 1}, { codec = CODEC_PCMU_8000_1, pt = 129952}, {codec = 24784, pt = 124544}, {codec = 24784, pt = 4294957040}, {codec = 32767, pt = 4129676564}, {codec = 32767, pt = 1361}, { codec = CODEC_PCMU_8000_1, pt = 5}, {codec = CODEC_PCMU_8000_1, pt = 0}, {codec = 3111, pt = 1447134624}, {codec = 1361, pt = 1441445856}}, ptmap_len = 21845, x_osmo_ign = 2, x_osmo_osmux_use = false, x_osmo_osmux_cid = 3111, conn_mode = 8, param_present = 32, param = {amr_octet_aligned_present = 77, amr_octet_aligned = false}}, mgcp_ci_str = " a\000\000P\330\377\377\377\177\000\000}7+\366\377\177\000\000\340\267\352UUU\000\000\005\000\000\000"} #9 0x0000555555b33bdc in osmo_mgcpc_ep_ci_dlcx (ci=0x62b000000a80) at /build/new/out/include/osmocom/mgcp_client/mgcp_client_endpoint_fsm.h:37 No locals. #10 0x0000555555b34485 in assignment_reset (conn=0x622000001960) at /git/osmo-bsc/src/osmo-bsc/assignment_fsm.c:107 No locals. --Type <RET> for more, q to quit, c to continue without paging-- #11 0x0000555555b6dc43 in assignment_fsm_cleanup (fi=0x612000005da0, cause=OSMO_FSM_TERM_ERROR) at /git/osmo-bsc/src/osmo-bsc/assignment_fsm.c:761 conn = 0x622000001960 #12 0x00007ffff62619ce in _osmo_fsm_inst_term (fi=0x612000005da0, cause=OSMO_FSM_TERM_ERROR, data=0x0, file=0x555555ddeba0 "/git/osmo-bsc/src/osmo-bsc/assignment_fsm.c", line=127) at /git/libosmocore/src/fsm.c:890 parent = 0x612000005920 parent_term_event = 6 #13 0x0000555555b35b45 in on_assignment_failure (conn=0x622000001960) at /git/osmo-bsc/src/osmo-bsc/assignment_fsm.c:127 resp = 0x61a000025ee0 #14 0x0000555555b66839 in assignment_fsm_wait_mgw_endpoint_to_msc (fi=0x612000005da0, event=4, data=0x0) at /git/osmo-bsc/src/osmo-bsc/assignment_fsm.c:657 _conn = 0x622000001960 conn = 0x622000001960 #15 0x00007ffff625f2d3 in _osmo_fsm_inst_dispatch (fi=0x612000005da0, event=4, data=0x0, file=0x7ffff6649a20 "/git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c", line=374) at /git/libosmocore/src/fsm.c:818 fsm = 0x555556059460 <assignment_fsm> fs = 0x555555f4fe98 <assignment_fsm_states+120> #16 0x00007ffff661e85e in on_failure (ci=0x62b000000a80) at /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:374 notify = 0x612000005da0 notify_failure = 4 notify_data = 0x0 #17 0x00007ffff663e5a2 in osmo_mgcpc_ep_fsm_handle_ci_events (fi=0x6120000060a0, event=3, data=0x0) at /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_endpoint_fsm.c:813 ci = 0x62b000000a80 ep = 0x62b000000260 #18 0x00007ffff625f2d3 in _osmo_fsm_inst_dispatch (fi=0x6120000060a0, event=3, data=0x0, file=0x7ffff66462c0 "/git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_fsm.c", line=264) at /git/libosmocore/src/fsm.c:818 fsm = 0x7ffff6683ae0 <osmo_mgcpc_ep_fsm> fs = 0x7ffff6657ce8 <osmo_mgcpc_ep_fsm_states+40> #19 0x00007ffff626221d in _osmo_fsm_inst_term (fi=0x6120000063a0, cause=OSMO_FSM_TERM_ERROR, data=0x0, file=0x7ffff66462c0 "/git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_fsm.c", line=264) at /git/libosmocore/src/fsm.c:905 parent = 0x6120000060a0 parent_term_event = 3 #20 0x00007ffff6614546 in mgw_crcx_resp_cb (r=0x619000006ee0, priv=0x6120000063a0) at /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client_fsm.c:264 fi = 0x6120000063a0 mgcp_ctx = 0x61b00005b0e0 rc = 24960 #21 0x00007ffff66058e6 in mgcp_client_handle_response (mgcp=0x618000002ce0, pending=0x60d00001fe10, response=0x619000006ee0) at /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client.c:206 No locals. #22 0x00007ffff6608d75 in mgcp_client_rx (mgcp=0x618000002ce0, msg=0x62100000a160) at /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client.c:680 r = 0x619000006ee0 pending = 0x60d00001fe10 rc = 0 #23 0x00007ffff66092e9 in mgcp_do_read (fd=0x618000002f08) at /git/osmo-mgw/src/libosmo-mgcp-client/mgcp_client.c:714 mgcp = 0x618000002ce0 msg = 0x62100000a160 ret = 12 #24 0x00007ffff6262b11 in osmo_wqueue_bfd_cb (fd=0x618000002f08, what=1) at /git/libosmocore/src/write_queue.c:51 --Type <RET> for more, q to quit, c to continue without paging-- queue = 0x618000002f08 rc = 0 #25 0x00007ffff623b884 in osmo_fd_disp_fds (_rset=0x7fffffffdf50, _wset=0x7fffffffdff0, _eset=0x7fffffffe090) at /git/libosmocore/src/select.c:223 flags = 1 ufd = 0x618000002f08 tmp = 0x613000008060 work = 1 readset = 0x7fffffffdf50 writeset = 0x7fffffffdff0 exceptset = 0x7fffffffe090 #26 0x00007ffff623bbaa in osmo_select_main (polling=0) at /git/libosmocore/src/select.c:263 readset = {__fds_bits = {0 <repeats 16 times>}} writeset = {__fds_bits = {0 <repeats 16 times>}} exceptset = {__fds_bits = {0 <repeats 16 times>}} rc = 1 no_time = {tv_sec = 0, tv_usec = 0} #27 0x0000555555d4e623 in main (argc=4, argv=0x7fffffffe2c8) at /git/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:932 msc = 0x60f000000198 data = 0x60f000000190 rc = 0 (gdb)
Updated by neels over 3 years ago
- Status changed from New to Feedback
pespin sorry for never looking into this, do you have an easy way to tell whether this problem is fixed now?
Updated by pespin over 3 years ago
No idea sorry, I don't even remember what I was doing exactly at that time after 1 year. The issue may be solved as of now. Feel free to give a quick look at the code around the stack trace in case you find something suspicious, and close otherwise.
Updated by neels over 3 years ago
- Status changed from Feedback to Resolved
we solved some use after free in the mgcp client: https://gerrit.osmocom.org/c/osmo-mgw/+/15839 (and more)
lacking reproducability I am closing this issue.