This is merely a historical archive of years 2008-2021, before the migration to mailman3.
A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/gerrit-log@lists.osmocom.org/.
Pau Espin Pedrol gerrit-no-reply at lists.osmocom.org

Hello Neels Hofmeyr, Jenkins Builder,

I'd like you to reexamine a change. Please visit

    https://gerrit.osmocom.org/4278

to look at the new patch set (#2).

bsc_api: Fix NULL secondary_lchan access in handle_ass_fail

Related: OW#3893

Program terminated with signal SIGSEGV, Segmentation fault.
#0  gsm_lchan_name (lchan=lchan@entry=0x0) at gsm_data_shared.c:342
(gdb) bt
#0  gsm_lchan_name (lchan=lchan@entry=0x0) at gsm_data_shared.c:342
#1  0x0805ab80 in lchan_release (lchan=0x0, sacch_deact=sacch_deact@entry=0, mode=mode@entry=RSL_REL_LOCAL_END) at chan_alloc.c:410
#2  0x0805c1dd in handle_ass_fail (msg=0x94142b8, conn=0x9251048) at bsc_api.c:459
#3  dispatch_dtap (msg=0x94142b8, link_id=0 '\000', conn=0x9251048) at bsc_api.c:598
#4  gsm0408_rcvmsg (msg=msg@entry=0x94142b8, link_id=0 '\000') at bsc_api.c:658
#5  0x08058ca2 in abis_rsl_rx_rll (msg=0x94142b8) at abis_rsl.c:1686
#6  abis_rsl_rcvmsg (msg=0x94142b8) at abis_rsl.c:2097
#7  0xb7e8cf9a in handle_ts1_read (bfd=0x94e8e08) at input/ipaccess.c:271
#8  ipaccess_fd_cb (bfd=0x94e8e08, what=1) at input/ipaccess.c:386
#9  0xb7ee8434 in osmo_select_main (polling=polling@entry=0) at select.c:158
#10 0x0804bd7c in main (argc=6, argv=0xbfc27144) at osmo_bsc_main.c:272
(gdb) print lchan
$2 = (const struct gsm_lchan *) 0x0

Possible scenario in which this crash can appear:

1- gsm0808_assign_req() calls handle_new_assignment(), which sends a CHAN ACTIVATE msg and arms the T10 timer.
2- ACTIVATE ACK is received (handle_chan_ack), which calls gsm48_send_rr_ass_cmd(), which sends an ASSIGNMENT CMD and doesn't disable/modify the T10 timer.
3- T10 timeout is triggered (assignment_t10_timeout()), which sets conn->secondary_lchan = NULL.
4- Immediately after, the ASSIGNMENT FAILURE message (which might have been already queued) is processed in handle_ass_fail, and then the crash occurs.
This race condition is not an issue for the handle_ass_compl() path because there is a check there which would most probably trigger if secondary_lchan is NULL: "if (conn->secondary_lchan != msg->lchan)"

Change-Id: I3798b36c628f75d4e8bc7b0996c27d695d53fbb1
---
M src/libbsc/bsc_api.c
1 file changed, 4 insertions(+), 2 deletions(-)

git pull ssh://gerrit.osmocom.org:29418/osmo-bsc refs/changes/78/4278/2

diff --git a/src/libbsc/bsc_api.c b/src/libbsc/bsc_api.c
index b42c382..44c50c1 100644
--- a/src/libbsc/bsc_api.c
+++ b/src/libbsc/bsc_api.c
@@ -487,8 +487,10 @@ /* stop the timer and release it */ osmo_timer_del(&conn->T10); - lchan_release(conn->secondary_lchan, 0, RSL_REL_LOCAL_END); - conn->secondary_lchan = NULL; + if (conn->secondary_lchan) { + lchan_release(conn->secondary_lchan, 0, RSL_REL_LOCAL_END); + conn->secondary_lchan = NULL; + } gh = msgb_l3(msg); if (msgb_l3len(msg) - sizeof(*gh) != 1) {

--
To view, visit https://gerrit.osmocom.org/4278
To unsubscribe, visit https://gerrit.osmocom.org/settings

Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I3798b36c628f75d4e8bc7b0996c27d695d53fbb1
Gerrit-PatchSet: 2
Gerrit-Project: osmo-bsc
Gerrit-Branch: master
Gerrit-Owner: Pau Espin Pedrol <pespin at sysmocom.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: Neels Hofmeyr <nhofmeyr at sysmocom.de>
Gerrit-Reviewer: Pau Espin Pedrol <pespin at sysmocom.de>
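Review bot: the new `if (conn->secondary_lchan)` guard in handle_ass_fail stops the NULL dereference in lchan_release(), but it makes the race the commit message describes (ASSIGNMENT FAILURE processed after assignment_t10_timeout() already released the secondary lchan) completely silent; please add an else branch that logs this condition, e.g. `} else LOGP(..., "ASSIGNMENT FAILURE received after T10 expired, secondary lchan already released\n");`, so a late failure can be told apart from a normal one in the logs. The guard also addresses only the symptom: as the message notes, handle_chan_ack() leaves T10 running across the ASSIGNMENT CMD, so the underlying T10/ASSIGNMENT FAILURE ordering problem remains and deserves at least a comment at the guard, given that the rest of the hunk (`gh = msgb_l3(msg);` and the length check) still runs for such a late message.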