SGSN Crash

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/OpenBSC@lists.osmocom.org/.

Seungju Kim admin at manateeshome.com
Thu Jun 9 22:38:54 UTC 2011


I got the log with the proper debug symbols

<0016> gprs_bssgp.c:346 BSSGP TLLI=0x7df722cb UPLINK-UNITDATA
<0017> gprs_llc.c:428 LLC SAPI=1 C   FCS=0xc64079CMD=UI DATA 
<0017> gprs_llc.c:700 LLC RX: unknown TLLI 0x08x, creating LLME on the fly
msgb(0x8094da0): Not enough headroom msgb_push (237 < 245)
backtrace() returned 14 addresses
/usr/local/lib/libosmocore.so.2(osmo_panic+0x4e) [0xb7fc69de]
/home/manatails/gsm/openbsc/openbsc/src/gprs/osmo-sgsn() [0x80556aa]
/home/manatails/gsm/openbsc/openbsc/src/gprs/osmo-sgsn() [0x805117d]
/home/manatails/gsm/openbsc/openbsc/src/gprs/osmo-sgsn() [0x8049fea]
/home/manatails/gsm/openbsc/openbsc/src/gprs/osmo-sgsn() [0x804c991]
/home/manatails/gsm/openbsc/openbsc/src/gprs/osmo-sgsn() [0x80508ef]
/home/manatails/gsm/openbsc/openbsc/src/gprs/osmo-sgsn() [0x80561c8]
/home/manatails/gsm/openbsc/openbsc/src/gprs/osmo-sgsn() [0x8053210]
/home/manatails/gsm/openbsc/openbsc/src/gprs/osmo-sgsn() [0x80537cf]
/usr/local/lib/libosmocore.so.2(osmo_select_main+0x1a5) [0xb7fc3675]
/home/manatails/gsm/openbsc/openbsc/src/gprs/osmo-sgsn() [0x804e4dc]
/lib/i686/cmov/libc.so.6(__libc_start_main+0xe6) [0xb7a66c76]
/home/manatails/gsm/openbsc/openbsc/src/gprs/osmo-sgsn() [0x8049dc1]

Program received signal SIGABRT, Aborted.
0xb7fe2424 in __kernel_vsyscall ()
(gdb) backtrace
#0  0xb7fe2424 in __kernel_vsyscall ()
#1  0xb7a7a751 in raise () from /lib/i686/cmov/libc.so.6
#2  0xb7a7db82 in abort () from /lib/i686/cmov/libc.so.6
#3  0xb7fc69e3 in osmo_panic_default (
    fmt=0x805a6b8 "msgb(%p): Not enough headroom msgb_push (%u < %u)\n") at
panic.c:42
#4  osmo_panic (fmt=0x805a6b8 "msgb(%p): Not enough headroom msgb_push (%u <
%u)\n")
    at panic.c:64
#5  0x080556aa in msgb_push (msg=0x8094da0, mmctx=0x8093be8)
    at /usr/local/include/osmocom/core/msgb.h:162
#6  msgb_tvlv_push (msg=0x8094da0, mmctx=0x8093be8)
    at /usr/local/include/osmocom/gsm/tlv.h:211
#7  gprs_bssgp_tx_dl_ud (msg=0x8094da0, mmctx=0x8093be8) at gprs_bssgp.c:772
#8  0x0805117d in gprs_llc_tx_ui (msg=0x8094da0, sapi=1 '\001', command=1, 
    mmctx=0x8093be8) at gprs_llc.c:421
#9  0x08049fea in gsm48_gmm_sendmsg (msg=0x8094da0, command=1, mm=0x8093be8)
    at gprs_gmm.c:240
#10 0x0804c991 in gsm48_rx_gmm_att_req (msg=0x80928c8, llme=0x8093390)
    at gprs_gmm.c:748
#11 gsm0408_rcv_gmm (msg=0x80928c8, llme=0x8093390) at gprs_gmm.c:1003
#12 gsm0408_gprs_rcvmsg (msg=0x80928c8, llme=0x8093390) at gprs_gmm.c:1527
#13 0x080508ef in gprs_llc_rcvmsg (msg=0x80928c8, tv=0xbfffd75c) at
gprs_llc.c:767
#14 0x080561c8 in bssgp_rx_ul_ud (msg=0x80928c8) at gprs_bssgp.c:360
#15 gprs_bssgp_rx_ptp (msg=0x80928c8) at gprs_bssgp.c:501
---Type <return> to continue, or q <return> to quit---
#16 gprs_bssgp_rcvmsg (msg=0x80928c8) at gprs_bssgp.c:698
#17 0x08053210 in gprs_ns_rx_unitdata (nsi=0x8081eb8, msg=0x80928c8,
saddr=0xbffff01c, 
    ll=GPRS_NS_LL_UDP) at gprs_ns.c:557
#18 gprs_ns_rcvmsg (nsi=0x8081eb8, msg=0x80928c8, saddr=0xbffff01c,
ll=GPRS_NS_LL_UDP)
    at gprs_ns.c:773
#19 0x080537cf in handle_nsip_read (bfd=0x8081ed8, what=1) at gprs_ns.c:903
#20 nsip_fd_cb (bfd=0x8081ed8, what=1) at gprs_ns.c:936
#21 0xb7fc3675 in osmo_select_main (polling=0) at select.c:132
#22 0x0804e4dc in main (argc=1, argv=0xbffff4a4) at sgsn_main.c:279




By the way, when I changed GSM48_ALLOC_HEADROOM from 256 to 512, I could
bypass the error, but I got a new error when a packet is sent to the mobile
phone:





<0016> gprs_bssgp.c:346 BSSGP TLLI=0xed91af48 UPLINK-UNITDATA
<0017> gprs_llc.c:428 LLC SAPI=3 C   FCS=0x7e7a46CMD=UI DATA 
<0014> sgsn_libgtp.c:421 GTP DATA IND from GGSN, length=249
msgb(0x8094300): Not enough headroom msgb_push (104 < 245)
backtrace() returned 12 addresses
/usr/local/lib/libosmocore.so.2(osmo_panic+0x4e) [0xb7fc69de]
/home/manatails/gsm/openbsc/openbsc/src/gprs/osmo-sgsn() [0x80556aa]
/home/manatails/gsm/openbsc/openbsc/src/gprs/osmo-sgsn() [0x805117d]
/home/manatails/gsm/openbsc/openbsc/src/gprs/osmo-sgsn() [0x804e024]
/home/manatails/gsm/openbsc/openbsc/src/gprs/osmo-sgsn() [0x804f4cb]
/usr/local/lib/libgtp.so.0(gtp_gpdu_ind+0x9c) [0xb7bcd5ec]
/usr/local/lib/libgtp.so.0(gtp_decaps1u+0x50c) [0xb7bd062c]
/usr/local/lib/libosmocore.so.2(osmo_select_main+0x1a5) [0xb7fc3675]
/home/manatails/gsm/openbsc/openbsc/src/gprs/osmo-sgsn() [0x804e4dc]
/lib/i686/cmov/libc.so.6(__libc_start_main+0xe6) [0xb7a66c76]
/home/manatails/gsm/openbsc/openbsc/src/gprs/osmo-sgsn() [0x8049dc1]

Program received signal SIGABRT, Aborted.
0xb7fe2424 in __kernel_vsyscall ()
(gdb) backtrace
#0  0xb7fe2424 in __kernel_vsyscall ()
#1  0xb7a7a751 in raise () from /lib/i686/cmov/libc.so.6
#2  0xb7a7db82 in abort () from /lib/i686/cmov/libc.so.6
#3  0xb7fc69e3 in osmo_panic_default (
    fmt=0x805a6b8 "msgb(%p): Not enough headroom msgb_push (%u < %u)\n") at
panic.c:42
#4  osmo_panic (fmt=0x805a6b8 "msgb(%p): Not enough headroom msgb_push (%u <
%u)\n")
    at panic.c:64
#5  0x080556aa in msgb_push (msg=0x8094300, mmctx=0x8093be8)
    at /usr/local/include/osmocom/core/msgb.h:162
#6  msgb_tvlv_push (msg=0x8094300, mmctx=0x8093be8)
    at /usr/local/include/osmocom/gsm/tlv.h:211
#7  gprs_bssgp_tx_dl_ud (msg=0x8094300, mmctx=0x8093be8) at gprs_bssgp.c:772
#8  0x0805117d in gprs_llc_tx_ui (msg=0x8094300, sapi=3 '\003', command=0, 
    mmctx=0x8093be8) at gprs_llc.c:421
#9  0x0804e024 in sndcp_unitdata_req (msg=0x8094300, lle=0x8093534, nsapi=5
'\005', 
    mmcontext=0x8093be8) at gprs_sndcp.c:500
#10 0x0804f4cb in cb_data_ind (lib=0xb7bd72a0, packet=0xbfffd024, len=249)
    at sgsn_libgtp.c:467
#11 0xb7bcd5ec in gtp_gpdu_ind (gsn=0x80921b8, version=1, peer=0xbffff01c,
fd=9, 
    pack=0xbfffd018, len=261) at gtp.c:2558
#12 0xb7bd062c in gtp_decaps1u (gsn=0x80921b8) at gtp.c:2971
#13 0xb7fc3675 in osmo_select_main (polling=0) at select.c:132
#14 0x0804e4dc in main (argc=1, argv=0xbffff4a4) at sgsn_main.c:279


-----Original Message-----
From: openbsc-bounces at lists.osmocom.org
[mailto:openbsc-bounces at lists.osmocom.org] On Behalf Of Harald Welte
Sent: Monday, May 30, 2011 3:08 AM
To: Holger Hans Peter Freyther
Cc: openbsc at lists.osmocom.org
Subject: Re: SGSN Crash

Hi all,

On Mon, May 30, 2011 at 08:52:13AM +0200, Holger Hans Peter Freyther wrote:

> please make yourself gdb and git and create a patch. The struct msgb 
> has detected a mis-use and forced a crash. What is going wrong is in 
> the log, you will need to identify where this msgb got allocated (or 
> change the panic message to print the name of the msgb) and see why it 
> is using the amount of headroom it wants to use.

I am quite certain it is the "MS Radio Access Capabilities IE" which for
some reason seems to be _very_ large in this case.  I've seen this before,
but never was able to hunt it down.  Everything seemed like it was _really_
that long.  But it's more likely that we do something wrong while parsing it
in GMM when the phone sends it.  The SGSN saves this IE in its MM context
for the phone, and it will transmit it to the BTS in every BSSGP message.

-- 
- Harald Welte <laforge at gnumonks.org>           http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
                                                  (ETSI EN 300 175-7 Ch. A6)
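
The failure mode discussed in this thread, as an added example that is not part of the original messages and is not OpenBSC or libosmocore code: a peer-supplied IE stored per subscriber is later prepended to every downlink message, so its length has to be checked against the remaining headroom rather than trusted. The `struct buf` model, the function names, the tag values and the 242-octet value (sized to reproduce the 245-octet push in the first log) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy message buffer (not libosmocore's msgb): data grows backwards into headroom. */
struct buf { uint8_t store[1024]; uint8_t *data; };
static void buf_init(struct buf *b, size_t headroom) { b->data = b->store + headroom; }
static size_t buf_headroom(const struct buf *b) { return (size_t)(b->data - b->store); }

/* On-wire size of a TvLV: tag, then one length octet up to 127, two above that. */
static size_t tvlv_gross_len(size_t vlen) { return vlen + (vlen <= 0x7f ? 2 : 3); }

/* Prepend a TvLV; report -1 instead of aborting when the headroom is too small. */
static int push_tvlv_checked(struct buf *b, uint8_t tag, const uint8_t *val, size_t vlen)
{
    size_t need = tvlv_gross_len(vlen);
    uint8_t *p;

    if (vlen > 0x7fff || need > buf_headroom(b))
        return -1;                          /* caller drops this one message */
    p = (b->data -= need);
    *p++ = tag;
    if (vlen > 0x7f)
        *p++ = (uint8_t)(vlen >> 8);        /* two-octet length form */
    *p++ = (uint8_t)(vlen > 0x7f ? (vlen & 0xff) : (vlen | 0x80));
    memcpy(p, val, vlen);
    return 0;
}

/* Parse-time guard: keep a peer-supplied IE only if it can be re-sent later. */
static int ie_fits(size_t vlen, size_t budget) { return tvlv_gross_len(vlen) <= budget; }

/* Replays the first log: 237 octets of headroom left, 245 needed. */
static int replay(size_t headroom)
{
    static const uint8_t ie[242] = {0};     /* constructed value, not captured data */
    struct buf b;
    buf_init(&b, headroom);
    if (push_tvlv_checked(&b, 0x01, ie, 17) != 0)   /* constructed: consumes 19 octets */
        return -2;
    return push_tvlv_checked(&b, 0x02, ie, sizeof(ie));
}

int main(void)
{
    printf("256: %d, 512: %d, fits: %d\n", replay(256), replay(512), ie_fits(242, 237));
    return 0;
}
```

Raising the headroom makes this particular push succeed, but only a length check where the IE is accepted bounds what every later downlink message has to carry.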







