Hi,
I pulled a newer openbsc version today for the first time in several months.
Now, when a phone sends an IMSI Detach, osmo-nitb segfaults.
The reason seems to be:
osmo_msc.c:msc_compl_l3 gets called from gsm0408_rcvmsg, which in turn calls gsm0408_dispatch which at some point ends up in gsm48_rx_mm_imsi_detach_ind, which calls msc_release_connection, which calls gsm0808_clear, which sets conn->bts = NULL.
Now, back in msc_compl_l3, trans_has_conn is called, which tries to dereference conn->bts->network, which causes the segfault.
It might have been introduced with Holger's patch "msc: Attempt to release the lchan immediately on IMSI Detach" (153b13b0), but that was already in July...
-Tobias
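The call chain described in this mail, reduced to a small C model. This is an added example and not openbsc code: the structures (`gsm_network`, `gsm_bts`, `gsm_subscriber_connection`) are minimal stand-ins named after the types in the thread, and the functions `clear_conn`, `detach_ind_immediate`, `detach_ind_deferred`, `compl_l3`, `run_deferred_release` and `scenario`, along with the `release_pending` flag, are hypothetical. It contrasts releasing the connection synchronously inside the message handler (the caller's `conn->bts` is NULL afterwards) with the rule Holger proposes later in the thread, where the handler only marks the connection and the release runs later from a timer or `trans_free`; the guard in `compl_l3` stands in for the dereference that segfaults in the report.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Stand-ins for the openbsc structures named in the thread. They are
 * constructed for this example and are not the project's definitions.
 */
struct gsm_network { int id; };
struct gsm_bts { struct gsm_network *network; };
struct gsm_subscriber_connection {
	struct gsm_bts *bts;
	bool release_pending; /* assumption: set by the handler, acted on later */
};

/* Models gsm0808_clear(): the connection loses its BTS reference. */
static void clear_conn(struct gsm_subscriber_connection *conn)
{
	conn->bts = NULL;
}

/* Models the handler as reported: releases synchronously, inside dispatch. */
static int detach_ind_immediate(struct gsm_subscriber_connection *conn)
{
	clear_conn(conn);
	return 0;
}

/* Models the proposed rule: the handler only marks the connection; the
 * release itself happens later from a timer or trans_free. */
static int detach_ind_deferred(struct gsm_subscriber_connection *conn)
{
	conn->release_pending = true;
	return 0;
}

/* Models trans_has_conn() as described: walks conn->bts->network. */
static bool trans_has_conn(const struct gsm_subscriber_connection *conn)
{
	return conn->bts->network != NULL;
}

/*
 * Models msc_compl_l3(): dispatch the message, then look at the transaction.
 * Returns 1 if the lookup ran and found a network, 0 if it ran and found none,
 * -1 if the connection was cleared underneath us. Without the NULL check the
 * -1 case is the segfault from the report.
 */
static int compl_l3(struct gsm_subscriber_connection *conn,
		    int (*dispatch)(struct gsm_subscriber_connection *))
{
	dispatch(conn);
	if (!conn->bts)
		return -1;
	return trans_has_conn(conn) ? 1 : 0;
}

/* Models the deferred release path (timer / trans_free): clearing here is
 * safe because no caller up the stack still expects conn->bts to be valid. */
static bool run_deferred_release(struct gsm_subscriber_connection *conn)
{
	if (!conn->release_pending)
		return false;
	clear_conn(conn);
	conn->release_pending = false;
	return true;
}

/* Constructed scenario: one BTS on one network, one connection. */
static int scenario(int (*dispatch)(struct gsm_subscriber_connection *))
{
	struct gsm_network net = { .id = 1 };
	struct gsm_bts bts = { .network = &net };
	struct gsm_subscriber_connection conn = { .bts = &bts, .release_pending = false };
	int rc = compl_l3(&conn, dispatch);
	run_deferred_release(&conn);
	return rc;
}

int main(void)
{
	printf("immediate release: compl_l3 rc=%d\n", scenario(detach_ind_immediate));
	printf("deferred release:  compl_l3 rc=%d\n", scenario(detach_ind_deferred));
	return 0;
}
```

The immediate variant returns -1 because `conn->bts` is already NULL when control comes back to `compl_l3`; the deferred variant returns 1 and the connection is cleared only once `run_deferred_release` runs after the handler has fully unwound.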
On Thu, Dec 13, 2012 at 03:39:38PM +0100, Tobias Engel wrote:
Now, back in msc_compl_l3, trans_has_conn is called, which tries to dereference conn->bts->network, which causes the segfault.
trans_has_conn is recent (and introduced by me). It was introduced here[1] but the code was accessing conn->bts before as well.
I will check with the FakeBTS but I am somehow stuck in paperwork right now. :}
holger
[1] 70ae5d3000edd12aee38497a6f541595a8c7dee8
On 13.12.12 17:37, Holger Hans Peter Freyther wrote:
On Thu, Dec 13, 2012 at 03:39:38PM +0100, Tobias Engel wrote:
Now, back in msc_compl_l3, trans_has_conn is called, which tries to dereference conn->bts->network, which causes the segfault.
trans_has_conn is recent (and introduced by me). It was introduced here[1] but the code was accessing conn->bts before as well.
It was, but not in msc_compl_l3. It was/is also accessed in msc_release_connection, but before calling gsm0808_clear, so that is not a problem.
-Tobias
On Thu, Dec 13, 2012 at 10:14:27PM +0100, Tobias Engel wrote:
It was, but not in msc_compl_l3. It was/is also accessed in msc_release_connection, but before calling gsm0808_clear, so that is not a problem.
Sorry, I didn't read it carefully enough. I prepared a very simple testcase and it is crashing the NITB. I will apply a patch like the one below and the rule would be that msc_release_connection may only be called from a timer or from the trans_free command.
The test case is attached to this email.
diff --git a/openbsc/src/libmsc/gsm_04_08.c b/openbsc/src/libmsc/gsm_04_08.c index 9816174..fd482e0 100644 --- a/openbsc/src/libmsc/gsm_04_08.c +++ b/openbsc/src/libmsc/gsm_04_08.c @@ -965,7 +965,6 @@ static int gsm48_rx_mm_imsi_detach_ind(struct gsm_subscriber_connection *co * imagine an IMSI DETACH happening during an active call! */
release_anchor(conn); - msc_release_connection(conn); return 0; }
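Review bot: with `msc_release_connection(conn);` removed from `gsm48_rx_mm_imsi_detach_ind`, the handler now ends at `release_anchor(conn);` and nothing in the hunk shows which timer or `trans_free` path will actually release the connection after a detach, so the lchan stays up until that other path fires. Suggest recording the rule from the mail as a comment at this spot (msc_release_connection may only be called from a timer or from trans_free, never from a dispatch handler, because the caller in msc_compl_l3 still dereferences conn->bts afterwards), and confirming in the commit message that the detach case does reach such a timer; otherwise the earlier intent of "release the lchan immediately on IMSI Detach" is silently dropped.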