https://projects.osmocom.org/https://projects.osmocom.org/favicon.ico?16647414092021-11-24T12:06:39ZOpen Source Mobile CommunicationsOsmoBTS - Bug #5325: ttcn3-bts-test[-latest] provokes a segfaulthttps://projects.osmocom.org/issues/5325?journal_id=230872021-11-24T12:06:39Zfixeria
<ul></ul><p>Here is a more detailed backtrace (with libosmocore-dbg installed):</p>
<pre>
(gdb) frame bt
No symbol "bt" in current context.
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007f60624f642a in __GI_abort () at abort.c:89
#2 0x00007f606334bd7c in ?? () from /usr/lib/x86_64-linux-gnu/libtalloc.so.2
#3 0x00007f606334b949 in _talloc_free () from /usr/lib/x86_64-linux-gnu/libtalloc.so.2
#4 0x0000557d09d77752 in bts_smscb_state_reset (bts_ss=bts_ss@entry=0x557d0c068ef8) at cbch.c:336
#5 0x0000557d09d77d90 in bts_cbch_reset (bts=bts@entry=0x557d0c065bc0) at cbch.c:341
#6 0x0000557d09d7acfa in st_op_disabled_notinstalled_on_enter (fi=<optimized out>, prev_state=<optimized out>) at nm_bts_fsm.c:64
#7 0x00007f6062c9491f in state_chg (fi=0x557d0c069480, new_state=<optimized out>, keep_timer=keep_timer@entry=false, timeout_ms=0, T=<optimized out>,
file=<optimized out>, line=159) at fsm.c:699
#8 0x00007f6062c94c3d in _osmo_fsm_inst_state_chg (fi=<optimized out>, new_state=<optimized out>, timeout_secs=<optimized out>, T=<optimized out>,
file=<optimized out>, line=<optimized out>) at fsm.c:748
#9 0x00007f6062c94e14 in _osmo_fsm_inst_dispatch (fi=0x557d0c069480, event=event@entry=6, data=data@entry=0x0, file=file@entry=0x557d09d968e0 "nm_bts_sm_fsm.c",
line=line@entry=48) at fsm.c:865
#10 0x0000557d09d7aa54 in ev_dispatch_children (event=6, site_mgr=0x557d0c065d30) at nm_bts_sm_fsm.c:48
#11 nm_bts_sm_allstate (fi=0x557d0c069250, event=<optimized out>, data=<optimized out>) at nm_bts_sm_fsm.c:135
#12 0x00007f6062c94e14 in _osmo_fsm_inst_dispatch (fi=0x557d0c069250, event=event@entry=6, data=data@entry=0x0, file=file@entry=0x557d09d8d48f "bts_shutdown_fsm.c",
line=line@entry=164) at fsm.c:865
#13 0x0000557d09d72f1d in st_exit_on_enter (fi=0x557d0c069020, prev_state=<optimized out>) at bts_shutdown_fsm.c:164
#14 0x00007f6062c9491f in state_chg (fi=fi@entry=0x557d0c069020, new_state=new_state@entry=3, keep_timer=keep_timer@entry=false, timeout_ms=0, T=<optimized out>,
file=<optimized out>, line=155) at fsm.c:699
#15 0x00007f6062c94c3d in _osmo_fsm_inst_state_chg (fi=fi@entry=0x557d0c069020, new_state=new_state@entry=3, timeout_secs=<optimized out>, T=<optimized out>,
file=<optimized out>, line=<optimized out>) at fsm.c:748
#16 0x00007f6062ca5a32 in _osmo_tdef_fsm_inst_state_chg (fi=fi@entry=0x557d0c069020, state=state@entry=3,
timeouts_array=timeouts_array@entry=0x557d09d8d520 <bts_shutdown_fsm_timeouts>, tdefs=<optimized out>, default_timeout=93995561029664, default_timeout@entry=-1,
file=file@entry=0x557d09d8d48f "bts_shutdown_fsm.c", line=155) at tdef.c:357
#17 0x0000557d09d72b57 in st_wait_trx_closed (fi=0x557d0c069020, event=<optimized out>, data=<optimized out>) at bts_shutdown_fsm.c:155
#18 0x00007f6062c94de4 in _osmo_fsm_inst_dispatch (fi=0x557d0c069020, event=event@entry=2, data=0x7f6064067070, file=file@entry=0x557d09d8d48f "bts_shutdown_fsm.c",
line=line@entry=277) at fsm.c:877
#19 0x0000557d09d7318c in bts_model_trx_close_cb (trx=<optimized out>, rc=rc@entry=0) at bts_shutdown_fsm.c:277
#20 0x0000557d09d546cb in trx_prov_fsm_apply_close (plink=0x557d0c06fec0, rc=0) at trx_provision_fsm.c:316
#21 0x00007f6062c94de4 in _osmo_fsm_inst_dispatch (fi=0x557d0c07d930, event=16, data=0x0, file=0x557d09d84d37 "trx_provision_fsm.c", line=59) at fsm.c:877
#22 0x0000557d09d49fc2 in trx_ctrl_rx_rsp_poweroff (rsp=0x7ffdbf202540, rsp=0x7ffdbf202540, l1h=0x557d0c07d790) at trx_if.c:518
#23 trx_ctrl_rx_rsp (tcm=0x557d0c404bc0, rsp=0x7ffdbf202540, l1h=0x557d0c07d790) at trx_if.c:637
#24 trx_ctrl_read_cb (ofd=<optimized out>, what=<optimized out>) at trx_if.c:733
#25 0x00007f6062c906fc in poll_disp_fds (n_fd=<optimized out>) at select.c:361
#26 _osmo_select_main (polling=polling@entry=0) at select.c:393
#27 0x00007f6062c907a6 in osmo_select_main (polling=polling@entry=0) at select.c:432
#28 0x0000557d09d79284 in bts_main (argc=3, argv=0x7ffdbf202db8) at main.c:437
#29 0x00007f60624e22e1 in __libc_start_main (main=0x557d09d48aa0 <main>, argc=3, argv=0x7ffdbf202db8, init=<optimized out>, fini=<optimized out>,
rtld_fini=<optimized out>, stack_end=0x7ffdbf202da8) at ../csu/libc-start.c:291
#30 0x0000557d09d48d0a in _start ()
</pre> OsmoBTS - Bug #5325: ttcn3-bts-test[-latest] provokes a segfaulthttps://projects.osmocom.org/issues/5325?journal_id=230882021-11-24T13:31:42Zlaforge
<ul></ul><p>I think the problem is that the list head of bts->smscb_basic.queue and bts->smscb_extended.queue are not initialized anywhere?</p> OsmoBTS - Bug #5325: ttcn3-bts-test[-latest] provokes a segfaulthttps://projects.osmocom.org/issues/5325?journal_id=230892021-11-24T13:35:03Zlaforge
<ul></ul><p>laforge wrote in <a href="#note-2">#note-2</a>:</p>
<blockquote>
<p>I think the problem is that the list head of bts->smscb_basic.queue and bts->smscb_extended.queue are not initialized anywhere?</p>
</blockquote>
<p>nevermind, typo in my grep. bts_main9) calls bts_init() which initializes those fields.</p>
<p>I think the problem is likely related to</p>
<pre>
commit ae606d69a46a59cab1415502ffee24020bce515b
Author: Pau Espin Pedrol <pespin@sysmocom.de>
Date: Wed Oct 20 16:11:54 2021 +0200
Reset CBCH state after BTS shutdown
Related: OS#5273
Change-Id: Ib01d38c59ba9fa083fcc0682009c13d2db3664fe
</pre> OsmoBTS - Bug #5325: ttcn3-bts-test[-latest] provokes a segfaulthttps://projects.osmocom.org/issues/5325?journal_id=230902021-11-24T13:57:23Zlaforge
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Feedback</i></li><li><strong>Assignee</strong> set to <i>fixeria</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>60</i></li></ul><p>Expected to be fixed by <a class="external" href="https://gerrit.osmocom.org/c/osmo-bts/+/26351">https://gerrit.osmocom.org/c/osmo-bts/+/26351</a></p>
<pre>
commit 7ea684723ca9ac8acf47302921e1af988c567322
Author: Harald Welte <laforge@osmocom.org>
Date: Wed Nov 24 14:47:23 2021 +0100
cbch: Fix dangling cur_msg leading to double-free in bts_cbch_reset()
If a new default message is installed via RSL, and the old default
message is currently being transmitted, we must set cur_msg to NULL.
The old default message must be talloc_free()d unconditionally whenever
a new default message is being set.
We can do that by using the TALLOC_FREE macro.
Change-Id: Id32c2074b61cd1f09957b9d1558ffb3a7691a8e0
Closes: OS#5325
diff --git a/src/common/cbch.c b/src/common/cbch.c
index addd68c9..46774803 100644
--- a/src/common/cbch.c
+++ b/src/common/cbch.c
@@ -233,10 +233,10 @@ int bts_process_smscb_cmd(struct gsm_bts *bts, struct rsl_ie_cb_cmd_type cmd_typ
rate_ctr_inc2(bts_ss->ctrs, CBCH_CTR_RCVD_QUEUED);
break;
case RSL_CB_CMD_TYPE_DEFAULT:
- /* old default msg will be free'd in get_smscb_block() if it is currently in transit
- * and we set a new default_msg here */
+ /* clear the cur_msg pointer if it is the old default message */
if (bts_ss->cur_msg && bts_ss->cur_msg == bts_ss->default_msg)
- talloc_free(bts_ss->cur_msg);
+ bts_ss->cur_msg = NULL;
+ talloc_free(bts_ss->default_msg);
if (cmd_type.def_bcast == RSL_CB_CMD_DEFBCAST_NORMAL)
/* def_bcast == 0: normal message */
bts_ss->default_msg = scm;
</pre> OsmoBTS - Bug #5325: ttcn3-bts-test[-latest] provokes a segfaulthttps://projects.osmocom.org/issues/5325?journal_id=230932021-11-24T18:39:27Zlaforge
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>In Progress</i></li><li><strong>Assignee</strong> changed from <i>fixeria</i> to <i>laforge</i></li></ul><p>problem still persists even with patch:<br /><pre>
(gdb) frame 7
#7 0x000055555589e445 in bts_smscb_state_reset (bts_ss=0x627000003498) at cbch.c:336
336 TALLOC_FREE(bts_ss->default_msg);
(gdb) p bts_ss->default_msg
$3 = (struct smscb_msg *) 0x6110000092e0
(gdb) p *bts_ss->default_msg
$4 = {list = {next = 0x0, prev = 0x0}, is_schedule = false, msg = "\001\002\003\004\005\006\a\a\b\t\n\v\f\r\016\017\020\021\022\023\024\025", '+' <repeats 66 times>, num_segs = 1 '\001'}
(gdb) p *bts_ss
$5 = {queue = {next = 0x627000003498, prev = 0x627000003498}, queue_len = 0, ctrs = 0x6160000051e0, cur_msg = 0x0, default_msg = 0x6110000092e0}
</pre></p> OsmoBTS - Bug #5325: ttcn3-bts-test[-latest] provokes a segfaulthttps://projects.osmocom.org/issues/5325?journal_id=230942021-11-24T19:04:32Zlaforge
<ul></ul><p>There was another problem with the cbch-state-clearing code introduced recently, it's now fixed in <a class="external" href="https://gerrit.osmocom.org/c/osmo-bts/+/26355">https://gerrit.osmocom.org/c/osmo-bts/+/26355</a></p>
<pre>
commit 79f21c4ed172eadf1e3b046446cdec48ccce6a99
Author: Harald Welte <laforge@osmocom.org>
Date: Wed Nov 24 20:00:29 2021 +0100
cbch: Fix bts_smscb_state_reset() to avoid double-free
If the currently transmitted message is the default message,
bts_ss->cur_msg == bts_ss->derfault_msg. In this case we cannot
simply talloc_free() both of them, as it would result in a boudle-free.
Change-Id: I2d3645e34d31507b012a53ffe12d14223682f808
Closes: OS#5325
Fixes: Ib01d38c59ba9fa083fcc0682009c13d2db3664fe
diff --git a/src/common/cbch.c b/src/common/cbch.c
index addd68c9..a3e12961 100644
--- a/src/common/cbch.c
+++ b/src/common/cbch.c
@@ -332,7 +332,10 @@ static void bts_smscb_state_reset(struct bts_smscb_state *bts_ss)
}
bts_ss->queue_len = 0;
rate_ctr_group_reset(bts_ss->ctrs);
- TALLOC_FREE(bts_ss->cur_msg);
+ /* avoid double-free of default_msg in case cur_msg == default_msg */
+ if (bts_ss->cur_msg && bts_ss->cur_msg != bts_ss->default_msg)
+ talloc_free(bts_ss->cur_msg);
+ bts_ss->cur_msg = NULL;
TALLOC_FREE(bts_ss->default_msg);
}
</pre> OsmoBTS - Bug #5325: ttcn3-bts-test[-latest] provokes a segfaulthttps://projects.osmocom.org/issues/5325?journal_id=231092021-11-25T16:09:07Zlaforge
<ul><li><strong>Status</strong> changed from <i>In Progress</i> to <i>Resolved</i></li><li><strong>% Done</strong> changed from <i>60</i> to <i>100</i></li></ul><p>Applied in changeset <a class="changeset" title="cbch: Fix bts_smscb_state_reset() to avoid double-free If the currently transmitted message is t..." href="https://projects.osmocom.org/projects/osmobts/repository/osmo-bts/revisions/79f21c4ed172eadf1e3b046446cdec48ccce6a99">osmo-bts|79f21c4ed172eadf1e3b046446cdec48ccce6a99</a>.</p>