Cisco Bug: CSCuq36537 - [16.1] Fatal Signal 11: Segmentation fault / sn_slist_remove_by_key()

Last Modified

Feb 04, 2017

Products (1)

  • Cisco ASR 5000 Series

Known Affected Releases


Description (partial)

********************* CRASH #01 ***********************
SW Version          : 16.1(55634)
Similar Crash Count : 1
Time of First Crash : 2014-Aug-11+03:54:26

Fatal Signal 11: Segmentation fault
  PC: [0abaed59/X] sn_slist_remove_by_key()
  Faulty address: 0x8
  Signal from: kernel
  Signal detail: address not mapped to object
  Process: card=14 cpu=0 arch=X pid=5170 cpu=~1% argv0=sessmgr
  Crash time: 2014-Aug-11+07:54:26 UTC
  Recent errno: 11 Resource temporarily unavailable
  Stack (51128@0xffff1000):
    [0abaed59/X] sn_slist_remove_by_key() sp=0xffff1c98
    [07caea11/X] mme_destroy_old_ue_ctxt() sp=0xffff1ce8
    [07caee5f/X] mme_set_imsi_validated() sp=0xffff1d38
    [07ce4b90/X] mme_tau_attach_cr_awt_ctxt_resp() sp=0xffff2088
    [07c6de52/X] mme_fsm_event_handler() sp=0xffff2538
    [07c99e0f/X] mme_event_handler_tau_attach_procedure() sp=0xffff2568
    [07b7cc90/X] mme_procedure_handle_event() sp=0xffff25e8
    [07c9d499/X] mme_disp_handle_emm_evt() sp=0xffff26e8
    [07c9ffeb/X] mme_disp_ncall_answered_handle_gngp_msg() sp=0xffff2738
    [07c6de52/X] mme_fsm_event_handler() sp=0xffff2be8
    [07ca937f/X] mme_app_gngp_event_dispatch() sp=0xffff2e88
    [069d6741/X] sn_gt_dispatch_mm_msg_to_service_user() sp=0xffff2ed8
    [06a32cd3/X] sn_gt_process_sgsn_ctx_rsp_peer() sp=0xffff3408
    [069d58ea/X] sn_gt_handle_pmm_cfm() sp=0xffff3948
    [06a472dc/X] gtapp_process_gtp_response_msg() sp=0xffff39f8
    [06a47cda/X] sn_gt_gtp_app_recv_msg() sp=0xffffcaa8
    [03f4427f/X] sessmgr_sgtp_handle_gtpc_message() sp=0xffffd018
    [03f4554f/X] sessmgr_sgtp_dmed_rx_cb() sp=0xffffd068
    [05e475a4/X] sessmgr_receive_ipv4udp_packets.isra.65() sp=0xffffd098
    [060089e1/X] sessmgr_med_data_receive() sp=0xffffd238
    [0ac562ac/X] sn_epoll_run_events() sp=0xffffd288
    [0ac5a9a8/X] sn_loop_run() sp=0xffffd738
    [0a9fd66d/X] main() sp=0xffffd7a8

A UE relocates from 4G to 3G via a RAU Request. The context for the call is freed, but the freed context is not removed from the MME service's list of calls sorted by IMSI. Later, when the UE moves back to 4G via a TAU Request and a Gn/Gp Context Request yields a response carrying the same IMSI, the MME finds the stale context from the previous call and tries to clean it up; the cleanup crashes because that context has already been freed. The exact scenario leading to the crash was not identified, but the code shows that there are conditions under which a context being freed may not be removed from the list when its state is not entirely correct.
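The following is an added illustration, not Cisco code: a minimal C model of the failure described above, where a context freed in an unexpected state is not unlinked from the IMSI-keyed list, so a later lookup by the same IMSI returns a dangling pointer. All type and function names, the list layout and both IMSIs are invented; the fixed teardown simply unlinks unconditionally before freeing.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified model of the MME per-call context list in the bug
 * description: a singly linked list keyed by IMSI. All names are invented. */
typedef struct ue_ctxt {
    char imsi[16];
    int state;             /* 0 = attached, 1 = relocating (RAU in progress) */
    struct ue_ctxt *next;
} ue_ctxt;

static ue_ctxt *by_imsi;   /* head of the IMSI-keyed list */
static ue_ctxt *ctxt_create(const char *imsi, int state) {
    ue_ctxt *c = calloc(1, sizeof *c);
    strncpy(c->imsi, imsi, sizeof c->imsi - 1);
    c->state = state; c->next = by_imsi;
    return by_imsi = c;
}

/* Stand-in for sn_slist_remove_by_key(): unlink the entry; 1 if found, else 0. */
static int list_remove_by_key(const char *imsi) {
    for (ue_ctxt **pp = &by_imsi; *pp; pp = &(*pp)->next)
        if (strcmp((*pp)->imsi, imsi) == 0) { *pp = (*pp)->next; return 1; }
    return 0;
}

/* Buggy teardown: the unlink depends on the context state, so a context freed
 * in any other state stays reachable through the list (dangling pointer). */
static void destroy_buggy(ue_ctxt *c) {
    if (c->state == 0) list_remove_by_key(c->imsi);
    free(c);
}
/* Fixed teardown: unlink unconditionally, and always before free(). */
static void destroy_fixed(ue_ctxt *c) {
    list_remove_by_key(c->imsi);
    free(c);
}

/* Returns 1 if the list still references the freed context after teardown,
 * which is what later makes the IMSI lookup walk into freed memory. */
static int stale_entry_after_relocation(int use_fixed) {
    by_imsi = NULL;                                  /* fresh list per run */
    ctxt_create("001010000000001", 0);               /* constructed IMSI: unrelated UE */
    ue_ctxt *ue = ctxt_create("001010123456789", 1); /* constructed IMSI: UE doing 4G -> 3G RAU */
    if (use_fixed) destroy_fixed(ue); else destroy_buggy(ue);
    /* TAU back to 4G: lookup by IMSI, comparing pointer values only (freed node never dereferenced) */
    for (ue_ctxt *n = by_imsi; n; n = n->next)
        if (n == ue) return 1;
    return 0;
}
```

With the buggy teardown the lookup still reaches the freed context, which in the real system is the point where sn_slist_remove_by_key() dereferences freed memory; with the fixed teardown the entry is gone before the memory is released.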