
Bug #3635

Updated by neels over 5 years ago

I was trying to call between 2G and 3G, there was some error, and then osmo-msc crashed.

Due to my ongoing tests, the MGW crashes, then the MSC also goes down because of that. This here is not about the MGW crash, it's about the MSC that should continue to be stable despite MGW problems.

<pre>
 20181007140223737 DREF DEBUG MSISDN:1012: MSC conn use - release == 0 (0x0: ) (subscr_conn.c:697) 
 20181007140223737 DMM DEBUG Subscr_Conn(PAGING_RESP:1309326330)[0x612000036820]{SUBSCR_CONN_S_RELEASING}: Received Event SUBSCR_CONN_E_UNUSED (osmo_msc.c:326) 
 20181007140223737 DMM DEBUG Subscr_Conn(PAGING_RESP:1309326330)[0x612000036820]{SUBSCR_CONN_S_RELEASING}: state_chg to SUBSCR_CONN_S_RELEASED (subscr_conn.c:395) 
 20181007140223737 DMM DEBUG Subscr_Conn(PAGING_RESP:1309326330)[0x612000036820]{SUBSCR_CONN_S_RELEASED}: Terminating (cause = OSMO_FSM_TERM_REGULAR) (subscr_conn.c:402) 
 20181007140223737 DVLR DEBUG Process_Access_Request_VLR(PAGING_RESP:1309326330)[0x6120000369a0]{PR_ARQ_S_DONE}: Terminating (cause = OSMO_FSM_TERM_PARENT) (subscr_conn.c:402) 
 20181007140223737 DVLR DEBUG Process_Access_Request_VLR(PAGING_RESP:1309326330)[0x6120000369a0]{PR_ARQ_S_DONE}: Removing from parent Subscr_Conn(PAGING_RESP:1309326330)[0x612000036820] (subscr_conn.c:402) 
 20181007140223738 DVLR DEBUG Process_Access_Request_VLR(PAGING_RESP:1309326330)[0x6120000369a0]{PR_ARQ_S_DONE}: Freeing instance (subscr_conn.c:402) 
 20181007140223738 DVLR DEBUG Process_Access_Request_VLR(PAGING_RESP:1309326330)[0x6120000369a0]{PR_ARQ_S_DONE}: Deallocated (fsm.c:381) 
 20181007140223738 DRLL DEBUG MSISDN:1012: Freeing subscriber connection (subscr_conn.c:528) 
 20181007140223738 DREF DEBUG VLR subscr MSISDN:1012 usage decreases to: 1 (subscr_conn.c:531) 
 20181007140223738 DMM DEBUG Subscr_Conn(PAGING_RESP:1309326330)[0x612000036820]{SUBSCR_CONN_S_RELEASED}: Freeing instance (subscr_conn.c:402) 
 20181007140223738 DMM DEBUG Subscr_Conn(PAGING_RESP:1309326330)[0x612000036820]{SUBSCR_CONN_S_RELEASED}: Deallocated (fsm.c:381) 
 20181007140223738 DLSS7 DEBUG sccp_scrc_rx_scoc_conn_msg:    HDR=(CO:RELCO,V=0,LEN=0), 
	 PART(T=Routing Context,L=4,D=00000000), 
	 PART(T=Destination Reference,L=4,D=000003f8), 
	 PART(T=Source Reference,L=4,D=00000015) (sccp_scrc.c:398) 
 20181007140223738 DLSS7 DEBUG m3ua_hmdc_rx_from_l2(): dpc=189=0.23.5 not local, message is for routing (osmo_ss7_hmrt.c:278) 
 20181007140223738 DLSS7 DEBUG Found route for dpc=189=0.23.5: pc=0=0.0.0 mask=0x0=0.0.0 via AS as-clnt-OsmoMSC-A-Iu proto=m3ua (osmo_ss7_hmrt.c:227) 
 20181007140223739 DLSS7 DEBUG rt->dest.as proto is M3UA for dpc=189=0.23.5 (osmo_ss7_hmrt.c:233) 
 20181007140223739 DLSS7 DEBUG XUA_AS(as-clnt-OsmoMSC-A-Iu)[0x6120000096a0]{AS_ACTIVE}: Received Event AS-TRANSFER.req (m3ua.c:507) 
 20181007140223739 DLSCCP DEBUG SCCP-SCOC(21)[0x6120000366a0]{ACTIVE}: state_chg to IDLE (sccp_scoc.c:1061) 
 20181007140223739 DLSCCP DEBUG SCCP-SCOC(21)[0x6120000366a0]{IDLE}: Terminating (cause = OSMO_FSM_TERM_REQUEST) (sccp_scoc.c:509) 
 20181007140223739 DLSCCP DEBUG SCCP-SCOC(21)[0x6120000366a0]{IDLE}: Freeing instance (sccp_scoc.c:509) 
 20181007140223739 DLSCCP DEBUG SCCP-SCOC(21)[0x6120000366a0]{IDLE}: Deallocated (fsm.c:381) 
 20181007140223739 DLINP DEBUG connected write (stream.c:279) 
 20181007140223739 DLINP DEBUG sending data (stream.c:204) 
 20181007140223739 DLINP DEBUG connected write (stream.c:279) 
 20181007140223740 DLINP DEBUG sending data (stream.c:204) 
 20181007140227444 DMGCP DEBUG MGW(MGW_8)[0x612000036520]{ST_HALT}: Timeout of T1 (fsm.c:189) 
 20181007140227444 DLMGCP INFO Canceled transaction 5 (mgcp_client.c:979) 
 ================================================================= 
 ==8329==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a000034910 at pc 0x555555713b4d bp 0x7fffffffdb30 sp 0x7fffffffdb28 
 READ of size 4 at 0x61a000034910 thread T0 
     #0 0x555555713b4c in _handle_error ../../../../src/osmo-msc/src/libmsc/msc_mgcp.c:163 
     #1 0x55555571e4d2 in fsm_timeout_cb ../../../../src/osmo-msc/src/libmsc/msc_mgcp.c:239 
     #2 0x7ffff6aacf7e in fsm_tmr_cb ../../../src/libosmocore/src/fsm.c:192 
     #3 0x7ffff6a8db9b in osmo_timers_update ../../../src/libosmocore/src/timer.c:257 
     #4 0x7ffff6a912e1 in osmo_select_main ../../../src/libosmocore/src/select.c:254 
     #5 0x5555556a4b3a in main ../../../../src/osmo-msc/src/osmo-msc/msc_main.c:702 
     #6 0x7ffff4785b16 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x22b16) 
     #7 0x5555556a5b39 in _start (/usr/local/bin/osmo-msc+0x151b39) 

 0x61a000034910 is located 144 bytes inside of 1208-byte region [0x61a000034880,0x61a000034d38) 
 freed by thread T0 here: 
     #0 0x7ffff72c6b50 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe8b50) 
     #1 0x7ffff707fa92 in _talloc_free (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x4a92) 

 previously allocated by thread T0 here: 
     #0 0x7ffff72c6ed0 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe8ed0) 
     #1 0x7ffff7081ae0 in _talloc_zero (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x6ae0) 

 SUMMARY: AddressSanitizer: heap-use-after-free ../../../../src/osmo-msc/src/libmsc/msc_mgcp.c:163 in _handle_error 

 
 Shadow bytes around the buggy address: 
   0x0c347fffe8d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 
   0x0c347fffe8e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa 
   0x0c347fffe8f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 
   0x0c347fffe900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 
   0x0c347fffe910: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 
 =>0x0c347fffe920: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd 
   0x0c347fffe930: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 
   0x0c347fffe940: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 
   0x0c347fffe950: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 
   0x0c347fffe960: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 
   0x0c347fffe970: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 
 Shadow byte legend (one shadow byte represents 8 application bytes): 
   Addressable:             00 
   Partially addressable: 01 02 03 04 05 06 07  
   Heap left redzone:         fa 
   Freed heap region:         fd 
   Stack left redzone:        f1 
   Stack mid redzone:         f2 
   Stack right redzone:       f3 
   Stack after return:        f5 
   Stack use after scope:     f8 
   Global redzone:            f9 
   Global init order:         f6 
   Poisoned by user:          f7 
   Container overflow:        fc 
   Array cookie:              ac 
   Intra object redzone:      bb 
   ASan internal:             fe 
   Left alloca redzone:       ca 
   Right alloca redzone:      cb 
 ==8329==ABORTING 
 </pre>
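As an added illustration (constructed here, not osmo-msc code and not from the reporter), the C model below replays the pattern the trace shows: the MGW T1 timeout fires about four seconds after the subscriber connection was freed, and the timeout handler reads the freed region. Release is modelled with a flag instead of free() so the program stays well-defined and deterministic; the context and timer names are assumptions, as is the fix of disarming timers that still reference the object before it goes away.

```c
/* Constructed model of the crash pattern in the ASan report above: a timer
 * callback fires after the object it points at was freed. Not osmo-msc code;
 * the MGCP context and its T1 timer are simplifying assumptions. */
#include <stdbool.h>
#include <stddef.h>

struct timer { bool active; void (*cb)(void *data); void *data; };

struct mgcp_ctx {
	bool released;     /* stands in for talloc_free() so the model stays defined */
	struct timer t1;   /* pending MGCP transaction timeout, holds a raw back-pointer */
};

static bool uaf_detected;

/* Timeout handler: like _handle_error in the trace, it reads the context. */
static void t1_timeout_cb(void *data)
{
	struct mgcp_ctx *ctx = data;
	if (ctx->released) /* the read ASan flagged as heap-use-after-free */
		uaf_detected = true;
}

/* Release the context. The hardened variant disarms every timer that still
 * references ctx first; the buggy variant leaves T1 armed and dangling. */
static void release_ctx(struct mgcp_ctx *ctx, bool hardened)
{
	if (hardened) {
		ctx->t1.active = false;
		ctx->t1.data = NULL;
	}
	ctx->released = true;
}

/* Replays the log's order (connection freed, then T1 expires ~4 s later);
 * returns true if the timeout handler touched a released context. */
bool run_scenario(bool hardened)
{
	struct mgcp_ctx ctx = { .released = false };
	ctx.t1 = (struct timer){ .active = true, .cb = t1_timeout_cb, .data = &ctx };
	uaf_detected = false;
	release_ctx(&ctx, hardened);
	if (ctx.t1.active) {     /* the timer subsystem fires T1 */
		ctx.t1.active = false;
		ctx.t1.cb(ctx.t1.data);
	}
	return uaf_detected;
}
```

Under ASan the real program aborts at the first read; this model instead reports whether that read would have happened, so the unfixed and fixed release paths can be compared side by side.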
