
Bug #5134

osmo-bsc crash in osmo_sccp_user_sap_down_nofree

Added by pespin 18 days ago. Updated 17 days ago.

Status: Resolved
Priority: Normal
Assignee:
Category: -
Target version: -
Start date: 04/27/2021
Due date:
% Done: 100%
Spec Reference:

Description

I have no SMLC in use AFAIK. The issue may have happened because I had an osmo-bsc (actually a whole network) running in the background while I compiled + ran the unit/vty/python tests of osmo-bsc.git (the osmo-bsc that crashed is the one I had running in the background, not the one running the unit tests).

20210427143748859 DRESET <0014> /git/libosmocore/src/fsm.c:322 bssmap_reset(Lb)[0x612000013720]{DISC}: Timeout of T4
20210427143748859 DRESET <0014> /git/osmo-bsc/src/osmo-bsc/lb.c:63 Sending RESET to SMLC: RI=SSN_PC,PC=1.23.5,SSN=SMLC_BSSAP
/git/libosmo-sccp/src/sccp_scoc.c:1723:29: runtime error: member access within null pointer of type 'struct osmo_sccp_user'

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff71d0a43 in osmo_sccp_user_sap_down_nofree (scu=0x0,
    oph=0x61e000027f68)
    at /git/libosmo-sccp/src/sccp_scoc.c:1723
1723            struct osmo_sccp_instance *inst = scu->inst;
(gdb) bt
#0  0x00007ffff71d0a43 in osmo_sccp_user_sap_down_nofree (scu=0x0,
    oph=0x61e000027f68)
    at /git/libosmo-sccp/src/sccp_scoc.c:1723
#1  0x00007ffff71d1027 in osmo_sccp_user_sap_down (scu=0x0, oph=0x61e000027f68)
    at /git/libosmo-sccp/src/sccp_scoc.c:1781
#2  0x00007ffff71ac1ce in osmo_sccp_tx_unitdata (scu=0x0,
    calling_addr=0x612000005340, called_addr=0x612000005398,
    data=0x61a0005f9766 "", len=6)
    at /git/libosmo-sccp/src/sccp_helpers.c:78
#3  0x00007ffff71ac454 in osmo_sccp_tx_unitdata_msg (scu=0x0,
    calling_addr=0x612000005340, called_addr=0x612000005398,
    msg=0x61a0005f94e0)
    at /git/libosmo-sccp/src/sccp_helpers.c:103
#4  0x0000555555e93270 in bssmap_le_tx_reset ()
    at /git/osmo-bsc/src/osmo-bsc/lb.c:67
#5  0x0000555555e99610 in lb_reset_tx_reset (data=0x0)
    at /git/osmo-bsc/src/osmo-bsc/lb.c:374
#6  0x0000555555fa91b4 in tx_reset (bssmap_reset=0x60e000054500)
    at /git/osmo-bsc/src/osmo-bsc/bssmap_reset.c:91
#7  0x0000555555faa29f in bssmap_reset_fsm_timer_cb (fi=0x612000013720)
    at /git/osmo-bsc/src/osmo-bsc/bssmap_reset.c:180
#8  0x00007ffff6280f5e in fsm_tmr_cb (data=0x612000013720)
    at /git/libosmocore/src/fsm.c:325
#9  0x00007ffff6262b0c in osmo_timers_update ()
    at /git/libosmocore/src/timer.c:273
#10 0x00007ffff62674fb in _osmo_select_main (polling=0)
    at /git/libosmocore/src/select.c:373
#11 0x00007ffff6267689 in osmo_select_main_ctx (polling=0)
    at /git/libosmocore/src/select.c:434
#12 0x0000555555f8740e in main (argc=4, argv=0x7fffffffe1b8)
    at /git/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:1037
(gdb) info args
scu = 0x0
oph = 0x61e000027f68
(gdb) info local
prim = 0x61e000027f68
inst = 0xffffffffb8e
conn = 0x61e000027ce0
rc = -9376
event = 32767
(gdb) bt full
#0  0x00007ffff71d0a43 in osmo_sccp_user_sap_down_nofree (scu=0x0,
    oph=0x61e000027f68)
    at /git/libosmo-sccp/src/sccp_scoc.c:1723
        prim = 0x61e000027f68
        inst = 0xffffffffb8e
        conn = 0x61e000027ce0
        rc = -9376
        event = 32767
#1  0x00007ffff71d1027 in osmo_sccp_user_sap_down (scu=0x0, oph=0x61e000027f68)
    at /git/libosmo-sccp/src/sccp_scoc.c:1781
        prim = 0x61e000027f68
        msg = 0x61e000027ce0
        rc = 24864
#2  0x00007ffff71ac1ce in osmo_sccp_tx_unitdata (scu=0x0,
    calling_addr=0x612000005340, called_addr=0x612000005398,
    data=0x61a0005f9766 "", len=6)
    at /git/libosmo-sccp/src/sccp_helpers.c:78
        msg = 0x61e000027ce0
        __func__ = "osmo_sccp_tx_unitdata" 
        prim = 0x61e000027f68
        param = 0x61e000027f80
#3  0x00007ffff71ac454 in osmo_sccp_tx_unitdata_msg (scu=0x0,
    calling_addr=0x612000005340, called_addr=0x612000005398,
    msg=0x61a0005f94e0)
    at /git/libosmo-sccp/src/sccp_helpers.c:103
        rc = 21845
#4  0x0000555555e93270 in bssmap_le_tx_reset ()
    at /git/osmo-bsc/src/osmo-bsc/lb.c:67
        ss7 = 0x614000001ea0
        msg = 0x61a0005f94e0
        reset = {discr = BSSAP_LE_MSG_DISCR_BSSMAP_LE, {bssmap_le = {
              msg_type = 0, {
                reset = GSM0808_CAUSE_RADIO_INTERFACE_MESSAGE_FAILURE,
                perform_loc_req = {location_type = {
                    location_information = BSSMAP_LE_LOC_INFO_CURRENT_GEOGRAPHIC, positioning_method = BSSMAP_LE_POS_METHOD_OMITTED}, cell_id = {
                    id_discr = CELL_IDENT_WHOLE_GLOBAL, id = {global = {lai = {
                          plmn = {mcc = 0, mnc = 0, mnc_3_digits = false},
                          lac = 0}, cell_identity = 0}, lac_and_ci = {lac = 0,
                        ci = 0}, ci = 0, lai_and_lac = {plmn = {mcc = 0,
                          mnc = 0, mnc_3_digits = false}, lac = 0}, lac = 0,
                      global_ps = {rai = {lac = {plmn = {mcc = 0, mnc = 0,
                              mnc_3_digits = false}, lac = 0},
                          rac = 0 '\000'}, cell_identity = 0}}},
                  lcs_client_type_present = 185,
                  lcs_client_type = BSSMAP_LE_LCS_CTYPE_VALUE_ADDED_UNSPECIFIED, imsi = {type = 176 '\260', {imsi = " a", '\000' <repeats 13 times>,
                      imei = " a", '\000' <repeats 13 times>,
                      imeisv = " a", '\000' <repeats 14 times>,
                      tmsi = 24864}}, imei = {type = 0 '\000', {
                      imsi = '\000' <repeats 12 times>, "\002\000\000",
                      imei = '\000' <repeats 12 times>, "\002\000\000",
                      imeisv = '\000' <repeats 12 times>, "\002\000\000\000\377", tmsi = 0}}, apdu_present = 64, apdu = {msg_type = 645922818, {ta_response = {
                        cell_id = 50752, ta = 246 '\366', more_items = 6},
                      reject = 116835904, reset = {cell_id = 50752,
                        ta = 246 '\366', chan_desc = {chan_nr = 6 '\006', {
                            h1 = {maio_high = 14 '\016', h = 1 '\001',
                              tsc = 5 '\005', hsn = 62 '>',
                              maio_low = 2 '\002'}, h0 = {
                              arfcn_high = 2 '\002', spare = 3 '\003',
                              h = 1 '\001', tsc = 5 '\005',
                              arfcn_low = 190 '\276'}}}, cause = 896,
                        more_items = 96}, abort = 116835904, ta_layer3 = {
                        ta = 64 '@', more_items = 198}}}, more_items = 128},
                perform_loc_resp = {location_estimate_present = false,
                  location_estimate = {h = {spare = 0 '\000',
                      type = 0 '\000'}, ell_point = {h = {spare = 0 '\000',
                        type = 0 '\000'}, lat = "\000\000", lon = "\000\000"},
                    ell_point_unc_circle = {h = {spare = 0 '\000',
                        type = 0 '\000'}, lat = "\000\000", lon = "\000\000",
                      unc = 0 '\000', spare2 = 0 '\000'},
                    ell_point_unc_ellipse = {h = {spare = 0 '\000',
                        type = 0 '\000'}, lat = "\000\000", lon = "\000\000",
                      unc_semi_major = 0 '\000', spare1 = 0 '\000',
                      unc_semi_minor = 0 '\000', spare2 = 0 '\000',
                      major_ori = 0 '\000', confidence = 0 '\000',
                      spare3 = 0 '\000'}, polygon = {h = {
                        num_points = 0 '\000', type = 0 '\000'}, point = {{
                          lat = "\000\000", lon = "\000\000"}, {
                          lat = "\000\000", lon = "\000\000"}, {
                          lat = "\000\000", lon = "\000\000"}, {
                          lat = "\000\000", lon = "\000\271\226"}, {
                          lat = <incomplete sequence \314>, lon = "\000\000"},
                        {lat = "\260R", lon = "\000 a"}, {lat = "\000\000",
                          lon = "\000\000"}, {lat = "\000\000",
                          lon = "\000\000"}, {lat = "\000\000",
                          lon = "\000\000"}, {lat = "\000\000",
                          lon = "\000\000"}, {lat = "\000\000",
                          lon = "\000\000"}, {lat = "\000\000",
                          lon = "\000\002"}, {lat = "\000\000\377",
                          lon = "\377\377\022"}, {lat = "@\001",
                          lon = " \002"}, {lat = "\200&@",
                          lon = "\306\366\006"}}}, ell_point_alt = {h = {
                        spare = 0 '\000', type = 0 '\000'}, lat = "\000\000",
                      lon = "\000\000", alt = "\000"},
                    ell_point_alt_unc_ell = {h = {spare = 0 '\000',
                        type = 0 '\000'}, lat = "\000\000", lon = "\000\000",
                      alt = "\000", unc_semi_major = 0 '\000',
                      spare1 = 0 '\000', unc_semi_minor = 0 '\000',
                      spare2 = 0 '\000', major_ori = 0 '\000',
                      unc_alt = 0 '\000', spare3 = 0 '\000',
                      confidence = 0 '\000', spare4 = 0 '\000'}, ell_arc = {
                      h = {spare = 0 '\000', type = 0 '\000'},
                      lat = "\000\000", lon = "\000\000", inner_r = "\000",
                      unc_r = 0 '\000', spare1 = 0 '\000',
                      ofs_angle = 0 '\000', incl_angle = 0 '\000',
                      confidence = 0 '\000', spare2 = 0 '\000'},
                    ha_ell_point_unc_ell = {h = {spare = 0 '\000',
                        type = 0 '\000'}, lat = "\000\000\000",
                      lon = "\000\000\000", alt = "\000\000",
                      unc_semi_major = 0 '\000', unc_semi_minor = 0 '\000',
                      major_ori = 0 '\000', confidence = 0 '\000',
                      spare1 = 0 '\000'}, ha_ell_point_alt_unc_ell = {h = {
                        spare = 0 '\000', type = 0 '\000'},
                      lat = "\000\000\000", lon = "\000\000\000",
                      alt = "\000\000", unc_semi_major = 0 '\000',
                      unc_semi_minor = 0 '\000', major_ori = 0 '\000',
                      h_confidence = 0 '\000', spare1 = 0 '\000',
                      unc_alt = 0 '\000', v_confidence = 0 '\000',
                      spare2 = 0 '\000'}}, lcs_cause = {present = 190,
                    cause_val = 896, diag_val_present = 96,
                    diag_val = 97 'a'}, more_items = 128},
                perform_loc_abort = {present = false,
                  cause_val = LCS_CAUSE_UNSPECIFIED, diag_val_present = false,
                  diag_val = 0 '\000'}, conn_oriented_info = {apdu = {
                    msg_type = 0, {ta_response = {cell_id = 0, ta = 0 '\000',
                        more_items = false}, reject = BSSLAP_CAUSE_CONGESTION,
                      reset = {cell_id = 0, ta = 0 '\000', chan_desc = {
                          chan_nr = 0 '\000', {h1 = {maio_high = 0 '\000',
                              h = 0 '\000', tsc = 0 '\000', hsn = 0 '\000',
                              maio_low = 0 '\000'}, h0 = {
                              arfcn_high = 0 '\000', spare = 0 '\000',
                              h = 0 '\000', tsc = 0 '\000',
                              arfcn_low = 0 '\000'}}},
                        cause = BSSLAP_CAUSE_CONGESTION, more_items = false},
                      abort = BSSLAP_CAUSE_CONGESTION, ta_layer3 = {
                        ta = 0 '\000', more_items = false}}},
                  more_items = false}}}}}
#5  0x0000555555e99610 in lb_reset_tx_reset (data=0x0)
    at /git/osmo-bsc/src/osmo-bsc/lb.c:374
No locals.
#6  0x0000555555fa91b4 in tx_reset (bssmap_reset=0x60e000054500)
    at /git/osmo-bsc/src/osmo-bsc/bssmap_reset.c:91
No locals.
#7  0x0000555555faa29f in bssmap_reset_fsm_timer_cb (fi=0x612000013720)
    at /git/osmo-bsc/src/osmo-bsc/bssmap_reset.c:180
        bssmap_reset = 0x60e000054500
#8  0x00007ffff6280f5e in fsm_tmr_cb (data=0x612000013720)
    at /git/libosmocore/src/fsm.c:325
        rc = 32767
        fi = 0x612000013720
        fsm = 0x55555691ee20 <bssmap_reset_fsm>
        T = 4
#9  0x00007ffff6262b0c in osmo_timers_update ()
    at /git/libosmocore/src/timer.c:273
        current_time = {tv_sec = 1619527068, tv_usec = 859514}
        node = 0x616000000260
        timer_eviction_list = {next = 0x7fffffffdf80, prev = 0x7fffffffdf80}
        this = 0x612000013760
        work = 0
        __mptr = <optimized out>
#10 0x00007ffff62674fb in _osmo_select_main (polling=0)
    at /git/libosmocore/src/select.c:373
        n_poll = 10
        rc = 0
#11 0x00007ffff6267689 in osmo_select_main_ctx (polling=0)
    at /git/libosmocore/src/select.c:434
        rc = 0
#12 0x0000555555f8740e in main (argc=4, argv=0x7fffffffe1b8)
    at /git/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:1037
        msc = 0x6160000001f0
        rc = 0

The crash is trying to dereference scu here:

/*! Main entrance function for primitives from SCCP User.
 * The caller is required to free oph->msg, otherwise the same as osmo_sccp_user_sap_down().
 *  \param[in] scu SCCP User sending us the primitive
 *  \param[in] oph Osmocom primitive sent by the user
 *  \returns 0 on success; negative on error */
int osmo_sccp_user_sap_down_nofree(struct osmo_sccp_user *scu, struct osmo_prim_hdr *oph)
{
    struct osmo_scu_prim *prim = (struct osmo_scu_prim *) oph;
    struct osmo_sccp_instance *inst = scu->inst;   /* <----- HERE!!!! scu is NULL */

Associated revisions

Revision 18abd1a8 (diff)
Added by Neels Hofmeyr 18 days ago

Lb: stop RESET FSM when sccp_user is unbound

A crash was reported in bssmap_le_tx_reset() sending a RESET with
sccp_user == NULL. Looking at the issue I noticed that when the
sccp_user is torn down, the RESET FSM should also be terminated.

Add bssmap_reset_term_and_free() to the generic RESET FSM implementation
and call from lb_stop() before sccp_user is set to NULL.

Related: OS#5134
Change-Id: If412ef990fcdde8ff88098a5169e86f05cd1c7f0

Revision d8e55223 (diff)
Added by Neels Hofmeyr 18 days ago

Lb: RESET FSM: never send sccp_user NULL

A crash was reported in bssmap_le_tx_reset() sending a RESET with
sccp_user NULL. A previous patch fixes what I infer as the root
cause, but I thought let's also have this additional safeguard.

Related: OS#5134
Change-Id: I13834c4e576e8d33e67cb63e222b41255cd94875
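The two patches above, as an added example that is not osmo-bsc's or libosmo-sccp's code: a simplified C model of the lifecycle bug, in which a timer-driven RESET FSM outlives the SCCP user it sends through. lb_stop_buggy() mirrors the pre-fix teardown, lb_stop_fixed() terminates the FSM before unbinding (the first patch), and lb_tx_reset() carries the NULL guard of the second patch; the struct layout and helper names are assumptions made for illustration.

```c
#include <assert.h>
#include <stddef.h>
/* Simplified model of the OS#5134 lifecycle bug (constructed, not osmo-bsc code). */
struct sccp_user { int id; };
struct lb_ctx {
    struct sccp_user *sccp_user; /* unbound (set to NULL) by lb_stop() */
    int reset_fsm_running;       /* models a live RESET FSM with T4 pending */
    int resets_sent;
};
/* Model of bssmap_le_tx_reset() with the "never send sccp_user NULL" safeguard. */
static int lb_tx_reset(struct lb_ctx *lb)
{
    if (!lb->sccp_user)
        return -1; /* refuse instead of dereferencing NULL in the SCCP layer */
    lb->resets_sent++;
    return 0;
}
/* Model of bssmap_reset_fsm_timer_cb(): T4 expiry retries the RESET. */
static int reset_fsm_timer_cb(struct lb_ctx *lb)
{
    if (!lb->reset_fsm_running)
        return 0; /* FSM terminated: T4 no longer fires */
    return lb_tx_reset(lb);
}

/* lb_stop() before the fix: unbinds the user but leaves the FSM and T4 alive. */
static void lb_stop_buggy(struct lb_ctx *lb)
{
    lb->sccp_user = NULL;
}

/* lb_stop() after the fix: terminate the RESET FSM first, then unbind. */
static void lb_stop_fixed(struct lb_ctx *lb)
{
    lb->reset_fsm_running = 0; /* bssmap_reset_term_and_free() in the real patch */
    lb->sccp_user = NULL;
}
/* Bind, let T4 fire (RESET sent), stop, let T4 fire again; returns the
 * post-stop result: -1 means the FSM tried to send with sccp_user == NULL. */
int scenario(int fixed)
{
    struct sccp_user user = { 1 };
    struct lb_ctx lb = { &user, 1, 0 };
    assert(reset_fsm_timer_cb(&lb) == 0 && lb.resets_sent == 1);
    if (fixed)
        lb_stop_fixed(&lb);
    else
        lb_stop_buggy(&lb);
    return reset_fsm_timer_cb(&lb);
}
```

Without the guard in lb_tx_reset(), the buggy path is exactly the backtrace above: the T4 callback reaches the SCCP layer with scu == NULL.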

History

#1 Updated by pespin 18 days ago

  • Subject changed from osmo-bsc crash to osmo-bsc crash in osmo_sccp_user_sap_down_nofree

#2 Updated by neels 18 days ago

  • Status changed from New to In Progress
  • % Done changed from 0 to 90

#3 Updated by neels 17 days ago

  • Status changed from In Progress to Resolved
  • % Done changed from 90 to 100
