Bug #4463
closed
osmo-pcu crash after re-enabling MS RA capabilities parsing from SGSN messages
Start date:
03/20/2020
Due date:
% Done:
100%
Spec Reference:
Description
Today I was running a network setup with osmo-pcu on my laptop with 2 mobile phones registering, and osmo-pcu crashed.
It seems related to the parsing of RA Cap messages coming from osmo-sgsn, which we recently re-enabled in osmo-pcu.
<000b> /home/pespin/dev/sysmocom/git/libosmocore/src/gb/gprs_ns.c:321 NSVCI=65534 Creating NS-VC with Signal weight 1, Data weight 1 20200320204116517 DLGLOBAL <000e> /home/pespin/dev/sysmocom/git/libosmocore/src/vty/telnet_interface.c:104 Available via telnet 127.0.0.1 4240 20200320204116517 DL1IF <0001> /home/pespin/dev/sysmocom/git/osmo-pcu/src/osmobts_sock.cpp:211 Opening OsmoPCU L1 interface to OsmoBTS 20200320204116517 DL1IF <0001> /home/pespin/dev/sysmocom/git/osmo-pcu/src/osmobts_sock.cpp:229 osmo-bts PCU socket /tmp/pcu_bts has been connected 20200320204116517 DL1IF <0001> /home/pespin/dev/sysmocom/git/osmo-pcu/src/pcu_l1_if.cpp:136 Sending 0.8.0.81-570f TXT as PCU_VERSION to BTS 20200320204116517 DL1IF <0001> /home/pespin/dev/sysmocom/git/osmo-pcu/src/pcu_l1_if.cpp:501 BTS available 20200320204116517 DNS <000b> /home/pespin/dev/sysmocom/git/libosmocore/src/gb/gprs_ns.c:2070 Listening for nsip packets from 192.168.30.1:23000 on 0.0.0.0:23020 20200320204116517 DNS <000b> /home/pespin/dev/sysmocom/git/libosmocore/src/gb/gprs_ns.c:2094 NS UDP socket at 0.0.0.0:23020 20200320204116517 DNS <000b> /home/pespin/dev/sysmocom/git/libosmocore/src/gb/gprs_ns.c:321 NSVCI=1800 Creating NS-VC with Signal weight 1, Data weight 1 20200320204116517 DNS <000b> /home/pespin/dev/sysmocom/git/libosmocore/src/gb/gprs_ns.c:2113 NSEI=1800 RESET procedure based on API request 20200320204116517 DNS <000b> /home/pespin/dev/sysmocom/git/libosmocore/src/gb/gprs_ns.c:559 NSEI=1800 Tx NS RESET (NSVCI=1800, cause=O&M intervention) 20200320204116517 DL1IF <0001> /home/pespin/dev/sysmocom/git/osmo-pcu/src/pcu_l1_if.cpp:148 Sending activate request: trx=0 ts=6 20200320204116517 DL1IF <0001> /home/pespin/dev/sysmocom/git/osmo-pcu/src/pcu_l1_if.cpp:627 PDCH: trx=0 ts=6 20200320204116517 DL1IF <0001> /home/pespin/dev/sysmocom/git/osmo-pcu/src/pcu_l1_if.cpp:148 Sending activate request: trx=0 ts=7 20200320204116517 DL1IF <0001> /home/pespin/dev/sysmocom/git/osmo-pcu/src/pcu_l1_if.cpp:627 PDCH: 
trx=0 ts=7 20200320204116518 DNS <000b> /home/pespin/dev/sysmocom/git/libosmocore/src/gb/gprs_ns.c:1354 NSVCI=1800 Rx NS RESET ACK (NSEI=1800, NSVCI=1800) 20200320204116518 DNS <000b> /home/pespin/dev/sysmocom/git/libosmocore/src/gb/gprs_ns.c:704 NSEI=1800 Tx NS UNBLOCK (NSVCI=1800) 20200320204116518 DNS <000b> /home/pespin/dev/sysmocom/git/libosmocore/src/gb/gprs_ns.c:1806 NSEI=1800 Rx NS UNBLOCK ACK 20200320204116518 DPCU <000d> /home/pespin/dev/sysmocom/git/osmo-pcu/src/gprs_bssgp_pcu.cpp:576 NS-VC 1800 is unblocked. 20200320204116518 DBSSGP <000c> /home/pespin/dev/sysmocom/git/osmo-pcu/src/gprs_bssgp_pcu.cpp:857 Sending reset on BVCI 0 20200320204116518 DBSSGP <000c> /home/pespin/dev/sysmocom/git/libosmocore/src/gb/gprs_bssgp_bss.c:300 BSSGP (BVCI=0) Tx BVC-RESET CAUSE=O&M intervention 20200320204116518 DBSSGP <000c> /home/pespin/dev/sysmocom/git/osmo-pcu/src/gprs_bssgp_pcu.cpp:323 Rx BSSGP BVCI=0 (SIGN) BVC_RESET_ACK 20200320204116518 DBSSGP <000c> /home/pespin/dev/sysmocom/git/osmo-pcu/src/gprs_bssgp_pcu.cpp:865 Sending reset on BVCI 1800 20200320204116518 DBSSGP <000c> /home/pespin/dev/sysmocom/git/libosmocore/src/gb/gprs_bssgp_bss.c:300 BSSGP (BVCI=1800) Tx BVC-RESET CAUSE=O&M intervention 20200320204116518 DBSSGP <000c> /home/pespin/dev/sysmocom/git/osmo-pcu/src/gprs_bssgp_pcu.cpp:323 Rx BSSGP BVCI=0 (SIGN) BVC_RESET_ACK 20200320204116518 DBSSGP <000c> /home/pespin/dev/sysmocom/git/osmo-pcu/src/gprs_bssgp_pcu.cpp:874 Sending unblock on BVCI 1800 20200320204116518 DBSSGP <000c> /home/pespin/dev/sysmocom/git/libosmocore/src/gb/gprs_bssgp_bss.c:281 BSSGP (BVCI=1800) Tx BVC-UNBLOCK 20200320204116518 DBSSGP <000c> /home/pespin/dev/sysmocom/git/osmo-pcu/src/gprs_bssgp_pcu.cpp:337 Rx BSSGP BVCI=0 (SIGN) BVC_UNBLOCK_ACK 20200320204531628 DL1IF <0001> /home/pespin/dev/sysmocom/git/osmo-pcu/src/pcu_l1_if.cpp:442 RACH request received: sapi=1 qta=-1, ra=118, fn=1307419, cur_fn=1307423, is_11bit=0 20200320204532025 DCSN1 <0000> 
/home/pespin/dev/sysmocom/git/osmo-pcu/src/gsm_rlcmac.cpp:5026 csnStreamDecoder (type=5): 20200320204532025 DRLCMAC <0002> /home/pespin/dev/sysmocom/git/osmo-pcu/src/pdch.cpp:609 MS supports EGPRS multislot class 12. 20200320204532025 DTBF <0008> /home/pespin/dev/sysmocom/git/osmo-pcu/src/tbf.cpp:992 Allocating UL TBF: MS_CLASS=12/12 20200320204532026 DTBF <0008> /home/pespin/dev/sysmocom/git/osmo-pcu/src/tbf.cpp:541 TBF(TFI=0 TLLI=0x00000000 DIR=UL STATE=NULL) Setting Control TS 6 20200320204532026 DTBF <0008> /home/pespin/dev/sysmocom/git/osmo-pcu/src/tbf.cpp:948 TBF(TFI=0 TLLI=0x00000000 DIR=UL STATE=NULL) Allocated: trx = 0, ul_slots = 40, dl_slots = 00 20200320204532048 DTBF <0008> /home/pespin/dev/sysmocom/git/osmo-pcu/src/tbf.cpp:1374 TBF(TFI=0 TLLI=0x8faaadbd DIR=UL STATE=ASSIGN) start Packet Uplink Assignment (PACCH) 20200320204532048 DCSN1 <0000> /home/pespin/dev/sysmocom/git/osmo-pcu/src/gsm_rlcmac.cpp:5185 csnStreamDecoder (type=10): 20200320204532048 DTBFDL <0009> /home/pespin/dev/sysmocom/git/osmo-pcu/src/tbf.cpp:782 TBF(TFI=0 TLLI=0x8faaadbd DIR=UL STATE=ASSIGN) Scheduled UL Assignment polling on PACCH (FN=1307553, TS=7) 20200320204532264 DCSN1 <0000> /home/pespin/dev/sysmocom/git/osmo-pcu/src/gsm_rlcmac.cpp:5026 csnStreamDecoder (type=1): 20200320204532264 DTBF <0008> /home/pespin/dev/sysmocom/git/osmo-pcu/src/tbf.cpp:544 TBF(TFI=0 TLLI=0x8faaadbd DIR=UL STATE=FLOW) Changing Control TS 6 20200320204532481 DBSSGP <000c> /home/pespin/dev/sysmocom/git/osmo-pcu/src/tbf_ul.cpp:404 LLC [PCU -> SGSN] TBF(TFI=0 TLLI=0x8faaadbd DIR=UL STATE=FLOW) len=52 20200320204532482 DCSN1 <0000> /home/pespin/dev/sysmocom/git/osmo-pcu/src/gsm_rlcmac.cpp:5792 csnStreamDecoder (RAcap): 20200320204532482 DRLCMACDATA <0003> /home/pespin/dev/sysmocom/git/osmo-pcu/src/gsm_rlcmac.cpp:5800 Got 7 remaining bits unhandled by decoder at the end of bitvec 20200320204532482 DBSSGP <000c> /home/pespin/dev/sysmocom/git/osmo-pcu/src/gprs_bssgp_pcu.cpp:163 LLC [SGSN -> PCU] = TLLI: 
0x8faaadbd IMSI: 000 len: 9 20200320204532482 DTBF <0008> /home/pespin/dev/sysmocom/git/osmo-pcu/src/tbf.cpp:1071 Allocating DL TBF: MS_CLASS=12/12 20200320204532482 DTBF <0008> /home/pespin/dev/sysmocom/git/osmo-pcu/src/tbf.cpp:541 TBF(TFI=0 TLLI=0x00000000 DIR=DL STATE=NULL) Setting Control TS 6 20200320204532482 DTBF <0008> /home/pespin/dev/sysmocom/git/osmo-pcu/src/tbf.cpp:948 TBF(TFI=0 TLLI=0x8faaadbd DIR=DL STATE=NULL) Allocated: trx = 0, ul_slots = 40, dl_slots = 40 20200320204532482 DTBF <0008> /home/pespin/dev/sysmocom/git/osmo-pcu/src/bts.cpp:898 TBF(TFI=0 TLLI=0x8faaadbd DIR=DL STATE=ASSIGN) TX: START Immediate Assignment Downlink (PCH) *** stack smashing detected ***: terminated Program received signal SIGABRT, Aborted. 0x00007ffff77b7ce5 in raise () from /usr/lib/libc.so.6
(gdb) bt #0 0x00007ffff77b7ce5 in raise () from /usr/lib/libc.so.6 #1 0x00007ffff77a1857 in abort () from /usr/lib/libc.so.6 #2 0x00007ffff77fb2b0 in __libc_message () from /usr/lib/libc.so.6 #3 0x00007ffff788b06a in __fortify_fail () from /usr/lib/libc.so.6 #4 0x00007ffff788b034 in __stack_chk_fail () from /usr/lib/libc.so.6 #5 0x0000555555581e4f in gprs_bssgp_pcu_rx_dl_ud (msg=0x55555572fce0, tp=0x7fffffffbc80) at /home/pespin/dev/sysmocom/git/osmo-pcu/src/gprs_bssgp_pcu.cpp:167 #6 0x0000555500000000 in ?? () #7 0x00007ffff7f6cf40 in ?? () from /home/pespin/dev/sysmocom/build/new/out/lib/libosmogsm.so.13 #8 0x000055555572e6d0 in ?? () #9 0x00007fffffffbc80 in ?? () #10 0x000055555572fce0 in ?? () #11 0x00000000ffffbc30 in ?? () #12 0x0000070800000000 in ?? () #13 0x000055555572fd80 in ?? () #14 0x460dab82121f6200 in ?? () #15 0x000055555565d380 in ?? () #16 0x00005555556aced0 in ?? () #17 0x00007fffffffcca0 in ?? () #18 0x000055555558303c in gprs_bssgp_pcu_rcvmsg ( msg=<error reading variable: Cannot access memory at address 0xabd8>) --Type <RET> for more, q to quit, c to continue without paging-- at /home/pespin/dev/sysmocom/git/osmo-pcu/src/gprs_bssgp_pcu.cpp:465 Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb) l 173 quit = 1; 174 break; 175 case SIGABRT: 176 /* in case of abort, we want to obtain a talloc report 177 * and then return to the caller, who will abort the process 178 */ 179 case SIGUSR1: 180 case SIGUSR2: 181 talloc_report_full(tall_pcu_ctx, stderr); 182 break; (gdb) frame 5 #5 0x0000555555581e4f in gprs_bssgp_pcu_rx_dl_ud (msg=0x55555572fce0, tp=0x7fffffffbc80) at /home/pespin/dev/sysmocom/git/osmo-pcu/src/gprs_bssgp_pcu.cpp:167 167 } (gdb) l 162 163 LOGP(DBSSGP, LOGL_INFO, "LLC [SGSN -> PCU] = TLLI: 0x%08x IMSI: %s len: %d\n", tlli, imsi, len); 164 165 return gprs_rlcmac_dl_tbf::handle(the_pcu.bts, tlli, tlli_old, imsi, 166 ms_class, egprs_ms_class, delay_csec, data, len); 167 } 168 169 static int gprs_bssgp_pcu_rx_paging_cs(struct msgb *msg, struct tlv_parsed *tp) 170 { 171 const uint8_t *mi;
Files