Bug #5134
Status: closed — osmo-bsc crash in osmo_sccp_user_sap_down_nofree
Start date:
04/27/2021
Due date:
% Done:
100%
Spec Reference:
Description
I have no SMLC in use AFAIK. The issue may have happened because I had an osmo-bsc (actually a whole network) running in the background while I compiled and ran the unit/vty/python tests of osmo-bsc.git (the osmo-bsc that crashed is the one I had running in the background, not the one running the unit tests).
20210427143748859 DRESET <0014> /git/libosmocore/src/fsm.c:322 bssmap_reset(Lb)[0x612000013720]{DISC}: Timeout of T4 20210427143748859 DRESET <0014> /git/osmo-bsc/src/osmo-bsc/lb.c:63 Sending RESET to SMLC: RI=SSN_PC,PC=1.23.5,SSN=SMLC_BSSAP /git/libosmo-sccp/src/sccp_scoc.c:1723:29: runtime error: member access within null pointer of type 'struct osmo_sccp_user' Program received signal SIGSEGV, Segmentation fault. 0x00007ffff71d0a43 in osmo_sccp_user_sap_down_nofree (scu=0x0, --Type <RET> for more, q to quit, c to continue without paging-- oph=0x61e000027f68) at /git/libosmo-sccp/src/sccp_scoc.c:1723 1723 struct osmo_sccp_instance *inst = scu->inst; (gdb) bt #0 0x00007ffff71d0a43 in osmo_sccp_user_sap_down_nofree (scu=0x0, oph=0x61e000027f68) at /git/libosmo-sccp/src/sccp_scoc.c:1723 #1 0x00007ffff71d1027 in osmo_sccp_user_sap_down (scu=0x0, oph=0x61e000027f68) at /git/libosmo-sccp/src/sccp_scoc.c:1781 #2 0x00007ffff71ac1ce in osmo_sccp_tx_unitdata (scu=0x0, calling_addr=0x612000005340, called_addr=0x612000005398, data=0x61a0005f9766 "", len=6) at /git/libosmo-sccp/src/sccp_helpers.c:78 #3 0x00007ffff71ac454 in osmo_sccp_tx_unitdata_msg (scu=0x0, calling_addr=0x612000005340, called_addr=0x612000005398, msg=0x61a0005f94e0) at /git/libosmo-sccp/src/sccp_helpers.c:103 #4 0x0000555555e93270 in bssmap_le_tx_reset () at /git/osmo-bsc/src/osmo-bsc/lb.c:67 #5 0x0000555555e99610 in lb_reset_tx_reset (data=0x0) at /git/osmo-bsc/src/osmo-bsc/lb.c:374 #6 0x0000555555fa91b4 in tx_reset (bssmap_reset=0x60e000054500) at /git/osmo-bsc/src/osmo-bsc/bssmap_reset.c:91 #7 0x0000555555faa29f in bssmap_reset_fsm_timer_cb (fi=0x612000013720) at /git/osmo-bsc/src/osmo-bsc/bssmap_reset.c:180 #8 0x00007ffff6280f5e in fsm_tmr_cb (data=0x612000013720) at /git/libosmocore/src/fsm.c:325 --Type <RET> for more, q to quit, c to continue without paging-- #9 0x00007ffff6262b0c in osmo_timers_update () at /git/libosmocore/src/timer.c:273 #10 0x00007ffff62674fb in _osmo_select_main (polling=0) at 
/git/libosmocore/src/select.c:373 #11 0x00007ffff6267689 in osmo_select_main_ctx (polling=0) at /git/libosmocore/src/select.c:434 #12 0x0000555555f8740e in main (argc=4, argv=0x7fffffffe1b8) at /git/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:1037 (gdb) info args scu = 0x0 oph = 0x61e000027f68 (gdb) info local prim = 0x61e000027f68 inst = 0xffffffffb8e conn = 0x61e000027ce0 rc = -9376 event = 32767
(gdb) bt full #0 0x00007ffff71d0a43 in osmo_sccp_user_sap_down_nofree (scu=0x0, oph=0x61e000027f68) at /git/libosmo-sccp/src/sccp_scoc.c:1723 prim = 0x61e000027f68 inst = 0xffffffffb8e conn = 0x61e000027ce0 rc = -9376 event = 32767 #1 0x00007ffff71d1027 in osmo_sccp_user_sap_down (scu=0x0, oph=0x61e000027f68) at /git/libosmo-sccp/src/sccp_scoc.c:1781 prim = 0x61e000027f68 msg = 0x61e000027ce0 rc = 24864 #2 0x00007ffff71ac1ce in osmo_sccp_tx_unitdata (scu=0x0, calling_addr=0x612000005340, called_addr=0x612000005398, data=0x61a0005f9766 "", len=6) at /git/libosmo-sccp/src/sccp_helpers.c:78 msg = 0x61e000027ce0 __func__ = "osmo_sccp_tx_unitdata" prim = 0x61e000027f68 param = 0x61e000027f80 #3 0x00007ffff71ac454 in osmo_sccp_tx_unitdata_msg (scu=0x0, calling_addr=0x612000005340, called_addr=0x612000005398, --Type <RET> for more, q to quit, c to continue without paging-- msg=0x61a0005f94e0) at /git/libosmo-sccp/src/sccp_helpers.c:103 rc = 21845 #4 0x0000555555e93270 in bssmap_le_tx_reset () at /git/osmo-bsc/src/osmo-bsc/lb.c:67 ss7 = 0x614000001ea0 msg = 0x61a0005f94e0 reset = {discr = BSSAP_LE_MSG_DISCR_BSSMAP_LE, {bssmap_le = { msg_type = 0, { reset = GSM0808_CAUSE_RADIO_INTERFACE_MESSAGE_FAILURE, perform_loc_req = {location_type = { location_information = BSSMAP_LE_LOC_INFO_CURRENT_GEOGRAPHIC, positioning_method = BSSMAP_LE_POS_METHOD_OMITTED}, cell_id = { id_discr = CELL_IDENT_WHOLE_GLOBAL, id = {global = {lai = { plmn = {mcc = 0, mnc = 0, mnc_3_digits = false}, lac = 0}, cell_identity = 0}, lac_and_ci = {lac = 0, ci = 0}, ci = 0, lai_and_lac = {plmn = {mcc = 0, mnc = 0, mnc_3_digits = false}, lac = 0}, lac = 0, global_ps = {rai = {lac = {plmn = {mcc = 0, mnc = 0, mnc_3_digits = false}, lac = 0}, rac = 0 '\000'}, cell_identity = 0}}}, lcs_client_type_present = 185, lcs_client_type = BSSMAP_LE_LCS_CTYPE_VALUE_ADDED_UNSPECIFIED,--Type <RET> for more, q to quit, c to continue without paging-- imsi = {type = 176 '\260', {imsi = " a", '\000' <repeats 13 times>, imei = " 
a", '\000' <repeats 13 times>, imeisv = " a", '\000' <repeats 14 times>, tmsi = 24864}}, imei = {type = 0 '\000', { imsi = '\000' <repeats 12 times>, "\002\000\000", imei = '\000' <repeats 12 times>, "\002\000\000", imeisv = '\000' <repeats 12 times>, "\002\000\000\000\377", tmsi = 0}}, apdu_present = 64, apdu = {msg_type = 645922818, {ta_response = { cell_id = 50752, ta = 246 '\366', more_items = 6}, reject = 116835904, reset = {cell_id = 50752, ta = 246 '\366', chan_desc = {chan_nr = 6 '\006', { h1 = {maio_high = 14 '\016', h = 1 '\001', tsc = 5 '\005', hsn = 62 '>', maio_low = 2 '\002'}, h0 = { arfcn_high = 2 '\002', spare = 3 '\003', h = 1 '\001', tsc = 5 '\005', arfcn_low = 190 '\276'}}}, cause = 896, more_items = 96}, abort = 116835904, ta_layer3 = { ta = 64 '@', more_items = 198}}}, more_items = 128}, perform_loc_resp = {location_estimate_present = false, location_estimate = {h = {spare = 0 '\000', type = 0 '\000'}, ell_point = {h = {spare = 0 '\000', type = 0 '\000'}, lat = "\000\000", lon = "\000\000"}, --Type <RET> for more, q to quit, c to continue without paging-- ell_point_unc_circle = {h = {spare = 0 '\000', type = 0 '\000'}, lat = "\000\000", lon = "\000\000", unc = 0 '\000', spare2 = 0 '\000'}, ell_point_unc_ellipse = {h = {spare = 0 '\000', type = 0 '\000'}, lat = "\000\000", lon = "\000\000", unc_semi_major = 0 '\000', spare1 = 0 '\000', unc_semi_minor = 0 '\000', spare2 = 0 '\000', major_ori = 0 '\000', confidence = 0 '\000', spare3 = 0 '\000'}, polygon = {h = { num_points = 0 '\000', type = 0 '\000'}, point = {{ lat = "\000\000", lon = "\000\000"}, { lat = "\000\000", lon = "\000\000"}, { lat = "\000\000", lon = "\000\000"}, { lat = "\000\000", lon = "\000\271\226"}, { lat = <incomplete sequence \314>, lon = "\000\000"}, {lat = "\260R", lon = "\000 a"}, {lat = "\000\000", lon = "\000\000"}, {lat = "\000\000", lon = "\000\000"}, {lat = "\000\000", lon = "\000\000"}, {lat = "\000\000", lon = "\000\000"}, {lat = "\000\000", lon = "\000\000"}, {lat 
= "\000\000", lon = "\000\002"}, {lat = "\000\000\377", lon = "\377\377\022"}, {lat = "@\001", --Type <RET> for more, q to quit, c to continue without paging-- lon = " \002"}, {lat = "\200&@", lon = "\306\366\006"}}}, ell_point_alt = {h = { spare = 0 '\000', type = 0 '\000'}, lat = "\000\000", lon = "\000\000", alt = "\000"}, ell_point_alt_unc_ell = {h = {spare = 0 '\000', type = 0 '\000'}, lat = "\000\000", lon = "\000\000", alt = "\000", unc_semi_major = 0 '\000', spare1 = 0 '\000', unc_semi_minor = 0 '\000', spare2 = 0 '\000', major_ori = 0 '\000', unc_alt = 0 '\000', spare3 = 0 '\000', confidence = 0 '\000', spare4 = 0 '\000'}, ell_arc = { h = {spare = 0 '\000', type = 0 '\000'}, lat = "\000\000", lon = "\000\000", inner_r = "\000", unc_r = 0 '\000', spare1 = 0 '\000', ofs_angle = 0 '\000', incl_angle = 0 '\000', confidence = 0 '\000', spare2 = 0 '\000'}, ha_ell_point_unc_ell = {h = {spare = 0 '\000', type = 0 '\000'}, lat = "\000\000\000", lon = "\000\000\000", alt = "\000\000", unc_semi_major = 0 '\000', unc_semi_minor = 0 '\000', major_ori = 0 '\000', confidence = 0 '\000', spare1 = 0 '\000'}, ha_ell_point_alt_unc_ell = {h = { spare = 0 '\000', type = 0 '\000'}, --Type <RET> for more, q to quit, c to continue without paging-- lat = "\000\000\000", lon = "\000\000\000", alt = "\000\000", unc_semi_major = 0 '\000', unc_semi_minor = 0 '\000', major_ori = 0 '\000', h_confidence = 0 '\000', spare1 = 0 '\000', unc_alt = 0 '\000', v_confidence = 0 '\000', spare2 = 0 '\000'}}, lcs_cause = {present = 190, cause_val = 896, diag_val_present = 96, diag_val = 97 'a'}, more_items = 128}, perform_loc_abort = {present = false, cause_val = LCS_CAUSE_UNSPECIFIED, diag_val_present = false, diag_val = 0 '\000'}, conn_oriented_info = {apdu = { msg_type = 0, {ta_response = {cell_id = 0, ta = 0 '\000', more_items = false}, reject = BSSLAP_CAUSE_CONGESTION, reset = {cell_id = 0, ta = 0 '\000', chan_desc = { chan_nr = 0 '\000', {h1 = {maio_high = 0 '\000', h = 0 '\000', tsc = 0 
'\000', hsn = 0 '\000', maio_low = 0 '\000'}, h0 = { arfcn_high = 0 '\000', spare = 0 '\000', h = 0 '\000', tsc = 0 '\000', arfcn_low = 0 '\000'}}}, cause = BSSLAP_CAUSE_CONGESTION, more_items = false}, abort = BSSLAP_CAUSE_CONGESTION, ta_layer3 = { ta = 0 '\000', more_items = false}}}, --Type <RET> for more, q to quit, c to continue without paging-- more_items = false}}}}} #5 0x0000555555e99610 in lb_reset_tx_reset (data=0x0) at /git/osmo-bsc/src/osmo-bsc/lb.c:374 No locals. #6 0x0000555555fa91b4 in tx_reset (bssmap_reset=0x60e000054500) at /git/osmo-bsc/src/osmo-bsc/bssmap_reset.c:91 No locals. #7 0x0000555555faa29f in bssmap_reset_fsm_timer_cb (fi=0x612000013720) at /git/osmo-bsc/src/osmo-bsc/bssmap_reset.c:180 bssmap_reset = 0x60e000054500 #8 0x00007ffff6280f5e in fsm_tmr_cb (data=0x612000013720) at /git/libosmocore/src/fsm.c:325 rc = 32767 fi = 0x612000013720 fsm = 0x55555691ee20 <bssmap_reset_fsm> T = 4 #9 0x00007ffff6262b0c in osmo_timers_update () at /git/libosmocore/src/timer.c:273 current_time = {tv_sec = 1619527068, tv_usec = 859514} node = 0x616000000260 timer_eviction_list = {next = 0x7fffffffdf80, prev = 0x7fffffffdf80} this = 0x612000013760 work = 0 --Type <RET> for more, q to quit, c to continue without paging-- __mptr = <optimized out> #10 0x00007ffff62674fb in _osmo_select_main (polling=0) at /git/libosmocore/src/select.c:373 n_poll = 10 rc = 0 #11 0x00007ffff6267689 in osmo_select_main_ctx (polling=0) at /git/libosmocore/src/select.c:434 rc = 0 #12 0x0000555555f8740e in main (argc=4, argv=0x7fffffffe1b8) at /git/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:1037 msc = 0x6160000001f0 rc = 0
The crash is a NULL-pointer dereference of scu here. Frames #0–#3 of the backtrace show scu=0x0 being handed all the way down from bssmap_le_tx_reset() (lb.c:67) into libosmo-sccp, after the Lb bssmap_reset FSM's T4 timeout fired tx_reset — i.e. the BSC tries to send a RESET towards an SMLC for which no SCCP user exists. Either side could guard this: osmo-bsc should not run the Lb reset FSM (or at least not transmit) when the SMLC SCCP user has not been set up, and osmo_sccp_user_sap_down_nofree() could reject a NULL scu with an error return instead of dereferencing it. Note that this is a deterministic crash of the whole BSC on a timer, not something triggered by peer traffic:
/*! Main entrance function for primitives from SCCP User. * The caller is required to free oph->msg, otherwise the same as osmo_sccp_user_sap_down(). * \param[in] scu SCCP User sending us the primitive * \param[in] oph Osmocom primitive sent by the user * \returns 0 on success; negative on error */ int osmo_sccp_user_sap_down_nofree(struct osmo_sccp_user *scu, struct osmo_prim_hdr *oph) { struct osmo_scu_prim *prim = (struct osmo_scu_prim *) oph; struct osmo_sccp_instance *inst = scu->inst; <----- HERE!!!! scu is NULL