Bug #3495 (closed)
osmo-bsc: heap-use-after-free in ipaccess handle_ts1_write() with multitrx (setup failing previously)
Start date: 08/22/2018
Due date:
% Done: 100%
Spec Reference:
Description
Caught by osmo-gsm-tester while testing a new setup with 2 nanoBTS attached, forming a multi-TRX configuration (-s voice:nanobts+band-900+mod-bts0-numtrx2+mod-bts0-chanallocdescend -T -l dbg).
20180822124927912 DNM <0004> abis_nm.c:702 OC=CHANNEL(03) INST=(00,00,07): bts=0 trx=0 Opstart ACK
20180822124927913 DTS <0011> bts_ipaccess_nanobts.c:308 timeslot(0-0-7-NONE)[0x61200000a5a0]{NOT_INITIALIZED}: Received Event TS_EV_OML_READY
20180822124927913 DTS <0011> timeslot_fsm.c:196 timeslot(0-0-7-PDCH)[0x61200000a5a0]{NOT_INITIALIZED}: (pchan_is=NONE) max lchans: 0
20180822124927913 DTS <0011> timeslot_fsm.c:217 timeslot(0-0-7-PDCH)[0x61200000a5a0]{NOT_INITIALIZED}: lchans initialized: 0
20180822124927913 DTS <0011> timeslot_fsm.c:230 timeslot(0-0-7-PDCH)[0x61200000a5a0]{NOT_INITIALIZED}: No RSL link yet
20180822124927913 DNM <0004> abis_nm.c:787 OC=RADIO-CARRIER(02) INST=(00,00,ff): CHANGE ADMINISTRATIVE STATE NACK CAUSE=Message cannot be performed
20180822124927913 DNM <0004> osmo_bsc_main.c:186 Got CHANGE ADMINISTRATIVE STATE NACK going to drop the OML links.
20180822124927913 DLINP <0015> bts_ipaccess_nanobts.c:406 (bts=0) Dropping OML link.
20180822124927913 DTS <0011> osmo_bsc_main.c:318 timeslot(0-0-0-CCCH_SDCCH4)[0x61200000b020]{NOT_INITIALIZED}: Received Event TS_EV_OML_DOWN
20180822124927913 DCHAN <0010> timeslot_fsm.c:139 lchan(0-0-0-CCCH_SDCCH4-0)[0x6120000033a0]{UNUSED}: Terminating (cause = OSMO_FSM_TERM_REQUEST)
20180822124927913 DCHAN <0010> timeslot_fsm.c:139 lchan(0-0-0-CCCH_SDCCH4-0)[0x6120000033a0]{UNUSED}: Removing from parent timeslot(0-0-0-CCCH_SDCCH4)[0x61200000b020]
20180822124927913 DCHAN <0010> lchan_fsm.c:354 lchan(0-0-0-CCCH_SDCCH4-0)[0x6120000033a0]{UNUSED}: (type=NONE) Clearing lchan state
20180822124927913 DCHAN <0010> timeslot_fsm.c:139 lchan(0-0-0-CCCH_SDCCH4-0)[0x6120000033a0]{UNUSED}: Freeing instance
20180822124927914 DCHAN <0010> fsm.c:381 lchan(0-0-0-CCCH_SDCCH4-0)[0x6120000033a0]{UNUSED}: Deallocated
20180822124927914 DTS <0011> timeslot_fsm.c:139 timeslot(0-0-0-CCCH_SDCCH4)[0x61200000b020]{NOT_INITIALIZED}: Received Event TS_EV_LCHAN_UNUSED
20180822124927914 DCHAN <0010> timeslot_fsm.c:139 lchan(0-0-0-CCCH_SDCCH4-1)[0x612000003220]{UNUSED}: Terminating (cause = OSMO_FSM_TERM_REQUEST)
20180822124927914 DCHAN <0010> timeslot_fsm.c:139 lchan(0-0-0-CCCH_SDCCH4-1)[0x612000003220]{UNUSED}: Removing from parent timeslot(0-0-0-CCCH_SDCCH4)[0x61200000b020]
20180822124927914 DCHAN <0010> lchan_fsm.c:354 lchan(0-0-0-CCCH_SDCCH4-1)[0x612000003220]{UNUSED}: (type=NONE) Clearing lchan state
20180822124927914 DCHAN <0010> timeslot_fsm.c:139 lchan(0-0-0-CCCH_SDCCH4-1)[0x612000003220]{UNUSED}: Freeing instance
20180822124927914 DCHAN <0010> fsm.c:381 lchan(0-0-0-CCCH_SDCCH4-1)[0x612000003220]{UNUSED}: Deallocated
20180822124927914 DTS <0011> timeslot_fsm.c:139 timeslot(0-0-0-CCCH_SDCCH4)[0x61200000b020]{NOT_INITIALIZED}: Received Event TS_EV_LCHAN_UNUSED
20180822124927914 DCHAN <0010> timeslot_fsm.c:139 lchan(0-0-0-CCCH_SDCCH4-2)[0x6120000030a0]{UNUSED}: Terminating (cause = OSMO_FSM_TERM_REQUEST)
20180822124927914 DCHAN <0010> timeslot_fsm.c:139 lchan(0-0-0-CCCH_SDCCH4-2)[0x6120000030a0]{UNUSED}: Removing from parent timeslot(0-0-0-CCCH_SDCCH4)[0x61200000b020]
20180822124927914 DCHAN <0010> lchan_fsm.c:354 lchan(0-0-0-CCCH_SDCCH4-2)[0x6120000030a0]{UNUSED}: (type=NONE) Clearing lchan state
20180822124927914 DCHAN <0010> timeslot_fsm.c:139 lchan(0-0-0-CCCH_SDCCH4-2)[0x6120000030a0]{UNUSED}: Freeing instance
20180822124927914 DCHAN <0010> fsm.c:381 lchan(0-0-0-CCCH_SDCCH4-2)[0x6120000030a0]{UNUSED}: Deallocated
20180822124927914 DTS <0011> timeslot_fsm.c:139 timeslot(0-0-0-CCCH_SDCCH4)[0x61200000b020]{NOT_INITIALIZED}: Received Event TS_EV_LCHAN_UNUSED
20180822124927914 DCHAN <0010> timeslot_fsm.c:139 lchan(0-0-0-CCCH_SDCCH4-3)[0x612000002f20]{UNUSED}: Terminating (cause = OSMO_FSM_TERM_REQUEST)
20180822124927914 DCHAN <0010> timeslot_fsm.c:139 lchan(0-0-0-CCCH_SDCCH4-3)[0x612000002f20]{UNUSED}: Removing from parent timeslot(0-0-0-CCCH_SDCCH4)[0x61200000b020]
20180822124927914 DCHAN <0010> lchan_fsm.c:354 lchan(0-0-0-CCCH_SDCCH4-3)[0x612000002f20]{UNUSED}: (type=NONE) Clearing lchan state
20180822124927914 DCHAN <0010> timeslot_fsm.c:139 lchan(0-0-0-CCCH_SDCCH4-3)[0x612000002f20]{UNUSED}: Freeing instance
20180822124927914 DCHAN <0010> fsm.c:381 lchan(0-0-0-CCCH_SDCCH4-3)[0x612000002f20]{UNUSED}: Deallocated
20180822124927914 DTS <0011> timeslot_fsm.c:139 timeslot(0-0-0-CCCH_SDCCH4)[0x61200000b020]{NOT_INITIALIZED}: Received Event TS_EV_LCHAN_UNUSED
20180822124927915 DTS <0011> osmo_bsc_main.c:318 timeslot(0-0-1-SDCCH8)[0x61200000aea0]{NOT_INITIALIZED}: Received Event TS_EV_OML_DOWN
20180822124927915 DCHAN <0010> timeslot_fsm.c:139 lchan(0-0-1-SDCCH8-0)[0x612000002da0]{UNUSED}: Terminating (cause = OSMO_FSM_TERM_REQUEST)
20180822124927915 DCHAN <0010> timeslot_fsm.c:139 lchan(0-0-1-SDCCH8-0)[0x612000002da0]{UNUSED}: Removing from parent timeslot(0-0-1-SDCCH8)[0x61200000aea0]
20180822124927915 DCHAN <0010> lchan_fsm.c:354 lchan(0-0-1-SDCCH8-0)[0x612000002da0]{UNUSED}: (type=NONE) Clearing lchan state
20180822124927915 DCHAN <0010> timeslot_fsm.c:139 lchan(0-0-1-SDCCH8-0)[0x612000002da0]{UNUSED}: Freeing instance
20180822124927915 DCHAN <0010> fsm.c:381 lchan(0-0-1-SDCCH8-0)[0x612000002da0]{UNUSED}: Deallocated
20180822124927915 DTS <0011> timeslot_fsm.c:139 timeslot(0-0-1-SDCCH8)[0x61200000aea0]{NOT_INITIALIZED}: Received Event TS_EV_LCHAN_UNUSED
20180822124927915 DCHAN <0010> timeslot_fsm.c:139 lchan(0-0-1-SDCCH8-1)[0x612000002c20]{UNUSED}: Terminating (cause = OSMO_FSM_TERM_REQUEST)
20180822124927915 DCHAN <0010> timeslot_fsm.c:139 lchan(0-0-1-SDCCH8-1)[0x612000002c20]{UNUSED}: Removing from parent timeslot(0-0-1-SDCCH8)[0x61200000aea0]
20180822124927915 DCHAN <0010> lchan_fsm.c:354 lchan(0-0-1-SDCCH8-1)[0x612000002c20]{UNUSED}: (type=NONE) Clearing lchan state
20180822124927915 DCHAN <0010> timeslot_fsm.c:139 lchan(0-0-1-SDCCH8-1)[0x612000002c20]{UNUSED}: Freeing instance
20180822124927915 DCHAN <0010> fsm.c:381 lchan(0-0-1-SDCCH8-1)[0x612000002c20]{UNUSED}: Deallocated
20180822124927915 DTS <0011> timeslot_fsm.c:139 timeslot(0-0-1-SDCCH8)[0x61200000aea0]{NOT_INITIALIZED}: Received Event TS_EV_LCHAN_UNUSED
20180822124927915 DCHAN <0010> timeslot_fsm.c:139 lchan(0-0-1-SDCCH8-2)[0x612000002aa0]{UNUSED}: Terminating (cause = OSMO_FSM_TERM_REQUEST)
20180822124927915 DCHAN <0010> timeslot_fsm.c:139 lchan(0-0-1-SDCCH8-2)[0x612000002aa0]{UNUSED}: Removing from parent timeslot(0-0-1-SDCCH8)[0x61200000aea0]
20180822124927915 DCHAN <0010> lchan_fsm.c:354 lchan(0-0-1-SDCCH8-2)[0x612000002aa0]{UNUSED}: (type=NONE) Clearing lchan state
20180822124927915 DCHAN <0010> timeslot_fsm.c:139 lchan(0-0-1-SDCCH8-2)[0x612000002aa0]{UNUSED}: Freeing instance
20180822124927916 DCHAN <0010> fsm.c:381 lchan(0-0-1-SDCCH8-2)[0x612000002aa0]{UNUSED}: Deallocated
20180822124927916 DTS <0011> timeslot_fsm.c:139 timeslot(0-0-1-SDCCH8)[0x61200000aea0]{NOT_INITIALIZED}: Received Event TS_EV_LCHAN_UNUSED
20180822124927916 DCHAN <0010> timeslot_fsm.c:139 lchan(0-0-1-SDCCH8-3)[0x612000002920]{UNUSED}: Terminating (cause = OSMO_FSM_TERM_REQUEST)
20180822124927916 DCHAN <0010> timeslot_fsm.c:139 lchan(0-0-1-SDCCH8-3)[0x612000002920]{UNUSED}: Removing from parent timeslot(0-0-1-SDCCH8)[0x61200000aea0]
20180822124927916 DCHAN <0010> lchan_fsm.c:354 lchan(0-0-1-SDCCH8-3)[0x612000002920]{UNUSED}: (type=NONE) Clearing lchan state
20180822124927916 DCHAN <0010> timeslot_fsm.c:139 lchan(0-0-1-SDCCH8-3)[0x612000002920]{UNUSED}: Freeing instance
20180822124927916 DCHAN <0010> fsm.c:381 lchan(0-0-1-SDCCH8-3)[0x612000002920]{UNUSED}: Deallocated
20180822124927916 DTS <0011> timeslot_fsm.c:139 timeslot(0-0-1-SDCCH8)[0x61200000aea0]{NOT_INITIALIZED}: Received Event TS_EV_LCHAN_UNUSED
20180822124927916 DCHAN <0010> timeslot_fsm.c:139 lchan(0-0-1-SDCCH8-4)[0x6120000027a0]{UNUSED}: Terminating (cause = OSMO_FSM_TERM_REQUEST)
20180822124927916 DCHAN <0010> timeslot_fsm.c:139 lchan(0-0-1-SDCCH8-4)[0x6120000027a0]{UNUSED}: Removing from parent timeslot(0-0-1-SDCCH8)[0x61200000aea0]
20180822124927916 DCHAN <0010> lchan_fsm.c:354 lchan(0-0-1-SDCCH8-4)[0x6120000027a0]{UNUSED}: (type=NONE) Clearing lchan state
20180822124927916 DCHAN <0010> timeslot_fsm.c:139 lchan(0-0-1-SDCCH8-4)[0x6120000027a0]{UNUSED}: Freeing instance
20180822124927916 DCHAN <0010> fsm.c:381 lchan(0-0-1-SDCCH8-4)[0x6120000027a0]{UNUSED}: Deallocated
20180822124927916 DTS <0011> timeslot_fsm.c:139 timeslot(0-0-1-SDCCH8)[0x61200000aea0]{NOT_INITIALIZED}: Received Event TS_EV_LCHAN_UNUSED
20180822124927916 DCHAN <0010> timeslot_fsm.c:139 lchan(0-0-1-SDCCH8-5)[0x612000002620]{UNUSED}: Terminating (cause = OSMO_FSM_TERM_REQUEST)
20180822124927916 DCHAN <0010> timeslot_fsm.c:139 lchan(0-0-1-SDCCH8-5)[0x612000002620]{UNUSED}: Removing from parent timeslot(0-0-1-SDCCH8)[0x61200000aea0]
20180822124927916 DCHAN <0010> lchan_fsm.c:354 lchan(0-0-1-SDCCH8-5)[0x612000002620]{UNUSED}: (type=NONE) Clearing lchan state
20180822124927916 DCHAN <0010> timeslot_fsm.c:139 lchan(0-0-1-SDCCH8-5)[0x612000002620]{UNUSED}: Freeing instance
20180822124927916 DCHAN <0010> fsm.c:381 lchan(0-0-1-SDCCH8-5)[0x612000002620]{UNUSED}: Deallocated
20180822124927916 DTS <0011> timeslot_fsm.c:139 timeslot(0-0-1-SDCCH8)[0x61200000aea0]{NOT_INITIALIZED}: Received Event TS_EV_LCHAN_UNUSED
20180822124927917 DCHAN <0010> timeslot_fsm.c:139 lchan(0-0-1-SDCCH8-6)[0x6120000024a0]{UNUSED}: Terminating (cause = OSMO_FSM_TERM_REQUEST)
20180822124927917 DCHAN <0010> timeslot_fsm.c:139 lchan(0-0-1-SDCCH8-6)[0x6120000024a0]{UNUSED}: Removing from parent timeslot(0-0-1-SDCCH8)[0x61200000aea0]
20180822124927917 DCHAN <0010> lchan_fsm.c:354 lchan(0-0-1-SDCCH8-6)[0x6120000024a0]{UNUSED}: (type=NONE) Clearing lchan state
20180822124927917 DCHAN <0010> timeslot_fsm.c:139 lchan(0-0-1-SDCCH8-6)[0x6120000024a0]{UNUSED}: Freeing instance
20180822124927917 DCHAN <0010> fsm.c:381 lchan(0-0-1-SDCCH8-6)[0x6120000024a0]{UNUSED}: Deallocated
20180822124927917 DTS <0011> timeslot_fsm.c:139 timeslot(0-0-1-SDCCH8)[0x61200000aea0]{NOT_INITIALIZED}: Received Event TS_EV_LCHAN_UNUSED
20180822124927917 DCHAN <0010> timeslot_fsm.c:139 lchan(0-0-1-SDCCH8-7)[0x612000002320]{UNUSED}: Terminating (cause = OSMO_FSM_TERM_REQUEST)
20180822124927917 DCHAN <0010> timeslot_fsm.c:139 lchan(0-0-1-SDCCH8-7)[0x612000002320]{UNUSED}: Removing from parent timeslot(0-0-1-SDCCH8)[0x61200000aea0]
20180822124927917 DCHAN <0010> lchan_fsm.c:354 lchan(0-0-1-SDCCH8-7)[0x612000002320]{UNUSED}: (type=NONE) Clearing lchan state
20180822124927917 DCHAN <0010> timeslot_fsm.c:139 lchan(0-0-1-SDCCH8-7)[0x612000002320]{UNUSED}: Freeing instance
20180822124927917 DCHAN <0010> fsm.c:381 lchan(0-0-1-SDCCH8-7)[0x612000002320]{UNUSED}: Deallocated
20180822124927917 DTS <0011> timeslot_fsm.c:139 timeslot(0-0-1-SDCCH8)[0x61200000aea0]{NOT_INITIALIZED}: Received Event TS_EV_LCHAN_UNUSED
20180822124927917 DTS <0011> osmo_bsc_main.c:318 timeslot(0-0-2-TCH_F)[0x61200000ad20]{NOT_INITIALIZED}: Received Event TS_EV_OML_DOWN
20180822124927917 DCHAN <0010> timeslot_fsm.c:139 lchan(0-0-2-TCH_F-0)[0x6120000021a0]{UNUSED}: Terminating (cause = OSMO_FSM_TERM_REQUEST)
20180822124927917 DCHAN <0010> timeslot_fsm.c:139 lchan(0-0-2-TCH_F-0)[0x6120000021a0]{UNUSED}: Removing from parent timeslot(0-0-2-TCH_F)[0x61200000ad20]
20180822124927917 DCHAN <0010> lchan_fsm.c:354 lchan(0-0-2-TCH_F-0)[0x6120000021a0]{UNUSED}: (type=NONE) Clearing lchan state
20180822124927917 DCHAN <0010> timeslot_fsm.c:139 lchan(0-0-2-TCH_F-0)[0x6120000021a0]{UNUSED}: Freeing instance
20180822124927917 DCHAN <0010> fsm.c:381 lchan(0-0-2-TCH_F-0)[0x6120000021a0]{UNUSED}: Deallocated
20180822124927917 DTS <0011> timeslot_fsm.c:139 timeslot(0-0-2-TCH_F)[0x61200000ad20]{NOT_INITIALIZED}: Received Event TS_EV_LCHAN_UNUSED
20180822124927918 DTS <0011> osmo_bsc_main.c:318 timeslot(0-0-3-TCH_F)[0x61200000aba0]{NOT_INITIALIZED}: Received Event TS_EV_OML_DOWN
20180822124927918 DCHAN <0010> timeslot_fsm.c:139 lchan(0-0-3-TCH_F-0)[0x612000002020]{UNUSED}: Terminating (cause = OSMO_FSM_TERM_REQUEST)
20180822124927918 DCHAN <0010> timeslot_fsm.c:139 lchan(0-0-3-TCH_F-0)[0x612000002020]{UNUSED}: Removing from parent timeslot(0-0-3-TCH_F)[0x61200000aba0]
20180822124927918 DCHAN <0010> lchan_fsm.c:354 lchan(0-0-3-TCH_F-0)[0x612000002020]{UNUSED}: (type=NONE) Clearing lchan state
20180822124927918 DCHAN <0010> timeslot_fsm.c:139 lchan(0-0-3-TCH_F-0)[0x612000002020]{UNUSED}: Freeing instance
20180822124927918 DCHAN <0010> fsm.c:381 lchan(0-0-3-TCH_F-0)[0x612000002020]{UNUSED}: Deallocated
20180822124927918 DTS <0011> timeslot_fsm.c:139 timeslot(0-0-3-TCH_F)[0x61200000aba0]{NOT_INITIALIZED}: Received Event TS_EV_LCHAN_UNUSED
20180822124927918 DTS <0011> osmo_bsc_main.c:318 timeslot(0-0-4-TCH_F)[0x61200000aa20]{NOT_INITIALIZED}: Received Event TS_EV_OML_DOWN
20180822124927918 DCHAN <0010> timeslot_fsm.c:139 lchan(0-0-4-TCH_F-0)[0x612000001ea0]{UNUSED}: Terminating (cause = OSMO_FSM_TERM_REQUEST)
20180822124927918 DCHAN <0010> timeslot_fsm.c:139 lchan(0-0-4-TCH_F-0)[0x612000001ea0]{UNUSED}: Removing from parent timeslot(0-0-4-TCH_F)[0x61200000aa20]
20180822124927918 DCHAN <0010> lchan_fsm.c:354 lchan(0-0-4-TCH_F-0)[0x612000001ea0]{UNUSED}: (type=NONE) Clearing lchan state
20180822124927918 DCHAN <0010> timeslot_fsm.c:139 lchan(0-0-4-TCH_F-0)[0x612000001ea0]{UNUSED}: Freeing instance
20180822124927918 DCHAN <0010> fsm.c:381 lchan(0-0-4-TCH_F-0)[0x612000001ea0]{UNUSED}: Deallocated
20180822124927918 DTS <0011> timeslot_fsm.c:139 timeslot(0-0-4-TCH_F)[0x61200000aa20]{NOT_INITIALIZED}: Received Event TS_EV_LCHAN_UNUSED
20180822124927918 DTS <0011> osmo_bsc_main.c:318 timeslot(0-0-5-TCH_F)[0x61200000a8a0]{NOT_INITIALIZED}: Received Event TS_EV_OML_DOWN
20180822124927918 DCHAN <0010> timeslot_fsm.c:139 lchan(0-0-5-TCH_F-0)[0x612000001d20]{UNUSED}: Terminating (cause = OSMO_FSM_TERM_REQUEST)
20180822124927918 DCHAN <0010> timeslot_fsm.c:139 lchan(0-0-5-TCH_F-0)[0x612000001d20]{UNUSED}: Removing from parent timeslot(0-0-5-TCH_F)[0x61200000a8a0]
20180822124927918 DCHAN <0010> lchan_fsm.c:354 lchan(0-0-5-TCH_F-0)[0x612000001d20]{UNUSED}: (type=NONE) Clearing lchan state
20180822124927919 DCHAN <0010> timeslot_fsm.c:139 lchan(0-0-5-TCH_F-0)[0x612000001d20]{UNUSED}: Freeing instance
20180822124927919 DCHAN <0010> fsm.c:381 lchan(0-0-5-TCH_F-0)[0x612000001d20]{UNUSED}: Deallocated
20180822124927919 DTS <0011> timeslot_fsm.c:139 timeslot(0-0-5-TCH_F)[0x61200000a8a0]{NOT_INITIALIZED}: Received Event TS_EV_LCHAN_UNUSED
20180822124927919 DTS <0011> osmo_bsc_main.c:318 timeslot(0-0-6-PDCH)[0x61200000a720]{NOT_INITIALIZED}: Received Event TS_EV_OML_DOWN
20180822124927919 DTS <0011> osmo_bsc_main.c:318 timeslot(0-0-7-PDCH)[0x61200000a5a0]{NOT_INITIALIZED}: Received Event TS_EV_OML_DOWN
20180822124927919 DTS <0011> gsm_data.c:1321 timeslot(0-0-0-NONE)[0x61200000b020]{NOT_INITIALIZED}: Received Event TS_EV_OML_DOWN
20180822124927919 DTS <0011> gsm_data.c:1321 timeslot(0-0-1-NONE)[0x61200000aea0]{NOT_INITIALIZED}: Received Event TS_EV_OML_DOWN
20180822124927919 DTS <0011> gsm_data.c:1321 timeslot(0-0-2-NONE)[0x61200000ad20]{NOT_INITIALIZED}: Received Event TS_EV_OML_DOWN
20180822124927919 DTS <0011> gsm_data.c:1321 timeslot(0-0-3-NONE)[0x61200000aba0]{NOT_INITIALIZED}: Received Event TS_EV_OML_DOWN
20180822124927919 DTS <0011> gsm_data.c:1321 timeslot(0-0-4-NONE)[0x61200000aa20]{NOT_INITIALIZED}: Received Event TS_EV_OML_DOWN
20180822124927920 DTS <0011> gsm_data.c:1321 timeslot(0-0-5-NONE)[0x61200000a8a0]{NOT_INITIALIZED}: Received Event TS_EV_OML_DOWN
20180822124927920 DTS <0011> gsm_data.c:1321 timeslot(0-0-6-NONE)[0x61200000a720]{NOT_INITIALIZED}: Received Event TS_EV_OML_DOWN
20180822124927920 DTS <0011> gsm_data.c:1321 timeslot(0-0-7-NONE)[0x61200000a5a0]{NOT_INITIALIZED}: Received Event TS_EV_OML_DOWN
20180822124927920 DTS <0011> gsm_data.c:1321 timeslot(0-1-0-NONE)[0x61200000a2a0]{NOT_INITIALIZED}: Received Event TS_EV_OML_DOWN
20180822124927920 DTS <0011> gsm_data.c:1321 timeslot(0-1-1-NONE)[0x61200000a120]{NOT_INITIALIZED}: Received Event TS_EV_OML_DOWN
20180822124927920 DTS <0011> gsm_data.c:1321 timeslot(0-1-2-NONE)[0x612000009fa0]{NOT_INITIALIZED}: Received Event TS_EV_OML_DOWN
20180822124927920 DTS <0011> gsm_data.c:1321 timeslot(0-1-3-NONE)[0x612000009e20]{NOT_INITIALIZED}: Received Event TS_EV_OML_DOWN
20180822124927920 DTS <0011> gsm_data.c:1321 timeslot(0-1-4-NONE)[0x612000009ca0]{NOT_INITIALIZED}: Received Event TS_EV_OML_DOWN
20180822124927920 DTS <0011> gsm_data.c:1321 timeslot(0-1-5-NONE)[0x612000009b20]{NOT_INITIALIZED}: Received Event TS_EV_OML_DOWN
20180822124927920 DTS <0011> gsm_data.c:1321 timeslot(0-1-6-NONE)[0x6120000099a0]{NOT_INITIALIZED}: Received Event TS_EV_OML_DOWN
20180822124927920 DTS <0011> gsm_data.c:1321 timeslot(0-1-7-NONE)[0x612000009820]{NOT_INITIALIZED}: Received Event TS_EV_OML_DOWN
=================================================================
==17607==ERROR: AddressSanitizer: heap-use-after-free on address 0x62e000060a68 at pc 0x7f5ea8e27086 bp 0x7ffde92b6d80 sp 0x7ffde92b6d78
READ of size 8 at 0x62e000060a68 thread T0
    #0 0x7f5ea8e27085 in handle_ts1_write input/ipaccess.c:371
    #1 0x7f5ea8e27085 in ipaccess_fd_cb input/ipaccess.c:391
    #2 0x7f5ea9147ca8 in osmo_fd_disp_fds /home/osmocom-build/jenkins/workspace/osmo-gsm-tester_build-osmo-bsc/libosmocore/src/select.c:217
    #3 0x7f5ea9147ca8 in osmo_select_main /home/osmocom-build/jenkins/workspace/osmo-gsm-tester_build-osmo-bsc/libosmocore/src/select.c:257
    #4 0x555813ab79d6 in main /home/osmocom-build/jenkins/workspace/osmo-gsm-tester_build-osmo-bsc/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:922
    #5 0x7f5ea76d02e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #6 0x555813ab84e9 in _start (/home/jenkins/workspace/osmo-gsm-tester_manual-run/trial-130/inst/osmo-bsc/bin/osmo-bsc+0x34d4e9)

0x62e000060a68 is located 1640 bytes inside of 48072-byte region [0x62e000060400,0x62e00006bfc8)
freed by thread T0 here:
    #0 0x7f5eaa1eea10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
    #1 0x7f5ea9c1b86a in _talloc_free (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x486a)

previously allocated by thread T0 here:
    #0 0x7f5eaa1eed28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x7f5ea9c1dacd in _talloc_zero (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x6acd)

SUMMARY: AddressSanitizer: heap-use-after-free input/ipaccess.c:371 in handle_ts1_write
Shadow bytes around the buggy address:
  0x0c5c800040f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5c80004100: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5c80004110: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5c80004120: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5c80004130: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c5c80004140: fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd
  0x0c5c80004150: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5c80004160: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5c80004170: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5c80004180: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5c80004190: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==17607==ABORTING
The issue is in handle_ts1_write:
static int handle_ts1_write(struct osmo_fd *bfd)
{
	struct e1inp_line *line = bfd->data;	/* <--- HERE, line 371 */

	return __handle_ts1_write(bfd, line);
}
Which is called from:
/* callback from select.c in case one of the fd's can be read/written */
int ipaccess_fd_cb(struct osmo_fd *bfd, unsigned int what)
{
	int rc = 0;

	if (what & BSC_FD_READ)
		rc = handle_ts1_read(bfd);
	if (rc != -EBADF && (what & BSC_FD_WRITE))
		rc = handle_ts1_write(bfd);

	return rc;
}
That means some path in handle_ts1_read() freed the connection (and thus bfd) but did not return -EBADF, so the write branch still ran on the freed object. The free must happen on that path: if conn had been freed elsewhere (for instance without disarming the timer), the report would point somewhere inside osmo_fd_disp_fds() rather than into handle_ts1_write().
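To make the contract concrete, here is an added model of the read/write dispatch above. It is not code from osmo-bsc or libosmo-abis; every name ending in _sim is invented for this illustration. Instead of really freeing memory, the teardown marks the objects as quarantined, so a dereference of a "freed" line is counted the way AddressSanitizer would report it rather than being undefined behaviour. The scenario is the one in the report: the fd is readable and writable in the same select() round, and the read handler tears the connection down. With the read handler returning 0 after the free, the write handler touches the dead line; with -EBADF, the dispatcher skips it.

```c
/* Added example (not osmo-bsc/libosmo-abis code): models the ipaccess_fd_cb()
 * read/write dispatch and the -EBADF contract the analysis above relies on.
 * All *_sim names are invented. "Freed" objects are quarantined (flagged, not
 * released) so a use-after-free is detected instead of being undefined. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define SIM_FD_READ  0x0001
#define SIM_FD_WRITE 0x0002

/* Stand-in for struct e1inp_line, the object handle_ts1_write() reads via bfd->data. */
struct line_sim {
	int num;
	bool freed;	/* quarantine flag, playing the role of ASan's "freed heap region" */
};

/* Stand-in for struct osmo_fd. */
struct fd_sim {
	unsigned int when;
	struct line_sim *data;
	bool freed;
};

static int uaf_detected_sim;	/* accesses to quarantined objects seen so far */

/* Tear the line down; in osmo-bsc this is where talloc_free() runs. */
static void line_close_sim(struct fd_sim *bfd)
{
	bfd->data->freed = true;
	bfd->freed = true;
}

/* The equivalent of the bfd->data dereference at ipaccess.c:371 in the report. */
static struct line_sim *line_from_fd_sim(struct fd_sim *bfd)
{
	if (bfd->freed || bfd->data->freed) {
		uaf_detected_sim++;
		return NULL;
	}
	return bfd->data;
}

/* Read handler. peer_closed simulates the input path that drops the connection;
 * report_ebadf == false mimics the bug: the line is freed but 0 is returned. */
static int handle_read_sim(struct fd_sim *bfd, bool peer_closed, bool report_ebadf)
{
	struct line_sim *line = line_from_fd_sim(bfd);
	if (!line)
		return -EBADF;
	if (!peer_closed)
		return 0;
	line_close_sim(bfd);
	return report_ebadf ? -EBADF : 0;
}

static int handle_write_sim(struct fd_sim *bfd)
{
	struct line_sim *line = line_from_fd_sim(bfd);
	if (!line)
		return -EBADF;
	return 0;
}

/* Same shape as ipaccess_fd_cb(): the write path is skipped only when read said -EBADF. */
static int fd_cb_sim(struct fd_sim *bfd, unsigned int what, bool peer_closed, bool report_ebadf)
{
	int rc = 0;

	if (what & SIM_FD_READ)
		rc = handle_read_sim(bfd, peer_closed, report_ebadf);
	if (rc != -EBADF && (what & SIM_FD_WRITE))
		rc = handle_write_sim(bfd);

	return rc;
}

/* One select() round where the fd is both readable and writable and the peer
 * closes during the read. Returns how many use-after-free accesses were seen. */
int scenario_sim(bool report_ebadf)
{
	struct line_sim line = { .num = 0, .freed = false };
	struct fd_sim bfd = { .when = SIM_FD_READ | SIM_FD_WRITE, .data = &line, .freed = false };

	uaf_detected_sim = 0;
	fd_cb_sim(&bfd, SIM_FD_READ | SIM_FD_WRITE, true, report_ebadf);
	return uaf_detected_sim;
}

int main(void)
{
	printf("read returns 0 after free:      %d use-after-free access(es)\n", scenario_sim(false));
	printf("read returns -EBADF after free: %d use-after-free access(es)\n", scenario_sim(true));
	return 0;
}
```

The point of the model is that the dispatcher has no way to know the object died except through the return value, so every early-exit path in the read handler that frees the connection has to propagate -EBADF; a single path that returns 0 after the free is enough to reproduce the trace above.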