Bug #4158

segfault when paging, in a situation with duplicate CID in hnb register requests

Added by neels 4 months ago. Updated 4 months ago.

Status: New
Priority: Normal
Assignee: -
Target version: -
Start date: 08/20/2019
Due date:
% Done: 0%
Spec Reference:

Description

20190820065223477 DLM3UA NOTICE asp-asp-clnt-OsmoHNBGW: Received NOTIFY Type State Change:AS Active () (m3ua.c:634)
20190820065223934 DLSS7 INFO asp-asp-clnt-OsmoHNBGW: xUA CLNT SCTP NOTIFICATION 32770 flags=0x0 (osmo_ss7.c:1401)
20190820065223934 DLSS7 INFO asp-asp-clnt-OsmoHNBGW: xUA CLNT PEER_ADDR_CHANGE (osmo_ss7.c:1414)
20190820065224190 DLSS7 INFO asp-asp-clnt-OsmoHNBGW: xUA CLNT SCTP NOTIFICATION 32770 flags=0x0 (osmo_ss7.c:1401)
20190820065224190 DLSS7 INFO asp-asp-clnt-OsmoHNBGW: xUA CLNT PEER_ADDR_CHANGE (osmo_ss7.c:1414)
20190820065224702 DLSS7 INFO asp-asp-clnt-OsmoHNBGW: xUA CLNT SCTP NOTIFICATION 32770 flags=0x0 (osmo_ss7.c:1401)
20190820065224702 DLSS7 INFO asp-asp-clnt-OsmoHNBGW: xUA CLNT PEER_ADDR_CHANGE (osmo_ss7.c:1414)
20190820065224939 DHNBAP NOTICE Accepting HNB-REGISTER-REQ from 000295-0000242687@ap.ipaccess.com (hnbgw_hnbap.c:122)
20190820065225982 DLSS7 INFO asp-asp-clnt-OsmoHNBGW: xUA CLNT SCTP NOTIFICATION 32770 flags=0x0 (osmo_ss7.c:1401)
20190820065225982 DLSS7 INFO asp-asp-clnt-OsmoHNBGW: xUA CLNT PEER_ADDR_CHANGE (osmo_ss7.c:1414)
20190820065238924 DHNBAP NOTICE Accepting HNB-REGISTER-REQ from 000295-0000154757@ap.ipaccess.com (hnbgw_hnbap.c:122)
20190820065246892 DHNBAP NOTICE Accepting HNB-REGISTER-REQ from 000295-0000154315@ap.ipaccess.com (hnbgw_hnbap.c:122)
20190820065246940 DHNBAP NOTICE Accepting HNB-REGISTER-REQ from 000295-0000152407@ap.ipaccess.com (hnbgw_hnbap.c:122)
20190820065252669 DHNBAP NOTICE Accepting HNB-REGISTER-REQ from 000295-0000141797@ap.ipaccess.com (hnbgw_hnbap.c:122)
20190820065255255 DHNBAP INFO created UE context: id 0x17, imsi -, tmsi 0x2e153dd4 (hnbgw.c:208)
20190820065255261 DMAIN INFO Creating new Mapping RUA CTX 0x555555878ce0/23 <-> SCU Conn ID 0x5555558788d0/1000 (context_map.c:93)
20190820065255374 DMAIN INFO Creating new Mapping RUA CTX 0x555555878ce0/23 <-> SCU Conn ID 0x5555558788d0/1001 (context_map.c:93)
20190820065256889 DLSCCP NOTICE Cannot find connection for local reference 1000 (sccp_scoc.c:1635)
20190820065300966 DHNBAP NOTICE Accepting HNB-REGISTER-REQ from 000295-0000155026@ap.ipaccess.com (hnbgw_hnbap.c:122)
20190820065303950 DHNBAP NOTICE Accepting HNB-REGISTER-REQ from 000295-0000154720@ap.ipaccess.com (hnbgw_hnbap.c:122)
20190820065306954 DHNBAP NOTICE Accepting HNB-REGISTER-REQ from 000295-0000236189@ap.ipaccess.com (hnbgw_hnbap.c:122)
20190820065306990 DHNBAP NOTICE Accepting HNB-REGISTER-REQ from 000295-0000154667@ap.ipaccess.com (hnbgw_hnbap.c:122)
20190820065309938 DHNBAP NOTICE Accepting HNB-REGISTER-REQ from 000295-0000152182@ap.ipaccess.com (hnbgw_hnbap.c:122)
20190820065313933 DHNBAP NOTICE Accepting HNB-REGISTER-REQ from 000295-0000154045@ap.ipaccess.com (hnbgw_hnbap.c:122)
20190820065319919 DHNBAP ERROR rejecting HNB-REGISTER-REQ with duplicate cell identity MCC=262,MNC=42,LAC=3,RAC=3,SAC=65535,CID=4194368 from (r=10.70.0.108:29169<->l=10.70.0.2:29169), duplicates (r=10.70.0.127:29169<->l=10.70.0.2:29169) (hnbgw_hnbap.c:445)
20190820065324176 DMAIN INFO Creating new Mapping RUA CTX 0x555555878ce0/23 <-> SCU Conn ID 0x5555558788d0/1002 (context_map.c:93)
20190820065337207 DLSCCP NOTICE Cannot find connection for local reference 1002 (sccp_scoc.c:1635)

Program received signal SIGSEGV, Segmentation fault.
__llist_add (next=0x55555587b788, prev=0x0, _new=0x555555885c00) at ../../../src/libosmocore/include/osmocom/core/linuxlist.h:81
81        prev->next = _new;
(gdb) bt
#0  __llist_add (next=0x55555587b788, prev=0x0, _new=0x555555885c00) at ../../../src/libosmocore/include/osmocom/core/linuxlist.h:81
#1  llist_add_tail (head=head@entry=0x55555587b788, _new=0x555555885c00) at ../../../src/libosmocore/include/osmocom/core/linuxlist.h:105
#2  msgb_enqueue (queue=queue@entry=0x55555587b788, msg=0x555555885c00) at ../../../src/libosmocore/src/msgb.c:135
#3  0x00007ffff6c8ea2c in osmo_stream_srv_send (conn=0x55555587b750, msg=msg@entry=0x555555885c00) at ../../../src/libosmo-netif/src/stream.c:1063
#4  0x00005555555788f3 in hnbgw_rua_tx (ctx=0x55555587b5a0, msg=0x555555885c00) at ../../../src/osmo-iuh/src/hnbgw_rua.c:60
#5  rua_tx_udt (hnb=hnb@entry=0x55555587b5a0, data=data@entry=0x55555587ef40 "", len=len@entry=34) at ../../../src/osmo-iuh/src/hnbgw_rua.c:91
#6  0x000055555557abee in cn_ranap_rx_paging_cmd (cnlink=0x5555557c7290, len=34, data=0x55555587ef40 "", imsg=0x7fffffffdc38)
    at ../../../src/osmo-iuh/src/hnbgw_cn.c:174
#7  cn_ranap_rx_initiating_msg (len=34, data=0x55555587ef40 "", imsg=0x7fffffffdc38, unitdata=0x55555587b5b8, cnlink=0x5555557c7290)
    at ../../../src/osmo-iuh/src/hnbgw_cn.c:190
#8  _cn_ranap_rx (len=34, data=0x55555587ef40 "", pdu=0x7fffffffdc30, unitdata=0x55555587b5b8, cnlink=0x5555557c7290)
    at ../../../src/osmo-iuh/src/hnbgw_cn.c:240
#9  handle_cn_ranap (len=34, data=0x55555587ef40 "", unitdata=0x55555587b5b8, cnlink=0x5555557c7290) at ../../../src/osmo-iuh/src/hnbgw_cn.c:277
#10 handle_cn_unitdata (cnlink=cnlink@entry=0x5555558788d0, param=param@entry=0x55555587ee50, oph=<optimized out>)
    at ../../../src/osmo-iuh/src/hnbgw_cn.c:321
#11 0x000055555557af3c in sccp_sap_up (oph=0x55555587ee38, ctx=<optimized out>) at ../../../src/osmo-iuh/src/hnbgw_cn.c:420
#12 0x00007ffff6ea3ca8 in sclc_rx_cldt (xua=<optimized out>, inst=0x5555558787b0) at ../../../src/libosmo-sccp/src/sccp_sclc.c:200
#13 sccp_sclc_rx_from_scrc (inst=0x5555558787b0, xua=<optimized out>) at ../../../src/libosmo-sccp/src/sccp_sclc.c:265
#14 0x00007ffff6ea2fcd in scrc_node_6 (inst=inst@entry=0x5555558787b0, xua=xua@entry=0x55555587c380, called=<optimized out>, called=<optimized out>)
    at ../../../src/libosmo-sccp/src/sccp_scrc.c:344
#15 0x00007ffff6ea369d in scrc_rx_mtp_xfer_ind_xua (inst=inst@entry=0x5555558787b0, xua=0x55555587c380)
    at ../../../src/libosmo-sccp/src/sccp_scrc.c:468
#16 0x00007ffff6ea6725 in mtp_user_prim_cb (oph=0x55555587e348, ctx=0x5555558787b0) at ../../../src/libosmo-sccp/src/sccp_user.c:176
#17 0x00007ffff6e9ea02 in m3ua_rx_xfer (xua=0x555555880ec0, asp=0x555555877080) at ../../../src/libosmo-sccp/src/m3ua.c:586
#18 m3ua_rx_msg (asp=asp@entry=0x555555877080, msg=msg@entry=0x55555587d5d0) at ../../../src/libosmo-sccp/src/m3ua.c:739
#19 0x00007ffff6eacd5b in xua_cli_read_cb (conn=0x5555558782c0) at ../../../src/libosmo-sccp/src/osmo_ss7.c:1650
#20 0x00007ffff6c8da1b in osmo_stream_cli_read (cli=0x5555558782c0) at ../../../src/libosmo-netif/src/stream.c:213
#21 osmo_stream_cli_fd_cb (ofd=<optimized out>, what=1) at ../../../src/libosmo-netif/src/stream.c:297
#22 0x00007ffff751ece1 in osmo_fd_disp_fds (_eset=0x7fffffffe1e0, _wset=0x7fffffffe160, _rset=0x7fffffffe0e0)
    at ../../../src/libosmocore/src/select.c:223
#23 osmo_select_main (polling=<optimized out>) at ../../../src/libosmocore/src/select.c:263
#24 0x000055555556e073 in main (argc=3, argv=0x7fffffffe3a8) at ../../../src/osmo-iuh/src/hnbgw.c:629
(gdb) frame 4
#4  0x00005555555788f3 in hnbgw_rua_tx (ctx=0x55555587b5a0, msg=0x555555885c00) at ../../../src/osmo-iuh/src/hnbgw_rua.c:60
60        osmo_stream_srv_send(ctx->conn, msg);
(gdb) l
55    {
56        if (!msg)
57            return -EINVAL;
58    
59        msgb_sctp_ppid(msg) = IUH_PPI_RUA;
60        osmo_stream_srv_send(ctx->conn, msg);
61    
62        return 0;
63    }
64    
(gdb) quit


Related issues

Related to OsmoHNBGW - Bug #4162: when hnb with duplicate CID show up, rejected hnbap requests build up in the hnb list (New, 08/21/2019)

History

#1 Updated by neels 4 months ago

It seems that this only happens when hnb with duplicate CID have created unusable entries in the list of hnb, i.e. this here is a symptom of #4162.

Aim: get hnbgw to not crash even with those bogus entries,
then fix #4162 to avoid the bogus entries to begin with.
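
A minimal model of the first aim above (keep the paging fan-out from crashing on unusable hnb entries), added here as an illustration and not taken from osmo-iuh. The `model_*` names, the `registered` flag and the convention that `conn` is NULL once a link is torn down are assumptions of this sketch.

```c
#include <errno.h>
#include <stddef.h>
/* Simplified stand-ins (assumed), not the osmo-iuh structures. */
struct model_conn { int tx_count; };   /* stands in for the stream server conn */
struct model_hnb {
    struct model_hnb *next;
    struct model_conn *conn;   /* assumption: NULL once the link is torn down */
    int registered;            /* assumption: 0 for a rejected HNB-REGISTER-REQ */
};

/* Guarded send step: refuse an unusable context instead of handing a bad
 * connection to the queueing code. */
static int model_rua_tx(struct model_hnb *hnb, const void *msg)
{
    if (!msg)
        return -EINVAL;
    if (!hnb || !hnb->conn)
        return -ENOTCONN;
    hnb->conn->tx_count++;     /* models enqueueing on the conn's tx queue */
    return 0;
}

/* Paging fan-out: returns how many entries the message was queued for and
 * counts the entries that had to be skipped. */
static int model_page_all(struct model_hnb *list, const void *msg, int *skipped)
{
    int sent = 0;
    *skipped = 0;
    for (struct model_hnb *h = list; h; h = h->next) {
        if (!h->registered || model_rua_tx(h, msg) != 0)
            (*skipped)++;
        else
            sent++;
    }
    return sent;
}

/* Constructed scenario: two accepted hnb plus one leftover entry from a
 * rejected duplicate-CID registration that has no usable connection. */
static int model_demo(int *skipped)
{
    struct model_conn c1 = {0}, c2 = {0};
    struct model_hnb rejected = { NULL, NULL, 0 };
    struct model_hnb second = { &rejected, &c2, 1 };
    struct model_hnb first = { &second, &c1, 1 };
    return model_page_all(&first, "paging", skipped);
}

int main(void)
{
    int skipped;
    return (model_demo(&skipped) == 2 && skipped == 1) ? 0 : 1;
}
```

A NULL check like this only helps if teardown actually clears the pointer; a dangling `conn` passes it, which is why removing the stale entries (#4162) is still needed.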

#2 Updated by neels 4 months ago

  • Related to Bug #4162: when hnb with duplicate CID show up, rejected hnbap requests build up in the hnb list added

#3 Updated by neels 4 months ago

  • Subject changed from segfault on MT call to segfault when paging, in a situation with duplicate CID in hnb register requests
