Cisco Bug: CSCuq36537 - [16.1] Fatal Signal 11: Segmentation fault / sn_slist_remove_by_key()
Feb 04, 2017
- Cisco ASR 5000 Series
Symptom:
********************* CRASH #01 ***********************
SW Version : 16.1(55634)
Similar Crash Count : 1
Time of First Crash : 2014-Aug-11+03:54:26
Fatal Signal 11: Segmentation fault
PC: [0abaed59/X] sn_slist_remove_by_key()
Faulty address: 0x8
Signal from: kernel
Signal detail: address not mapped to object
Process: card=14 cpu=0 arch=X pid=5170 cpu=~1% argv0=sessmgr
Crash time: 2014-Aug-11+07:54:26 UTC
Recent errno: 11 Resource temporarily unavailable
Stack (51128@0xffff1000):
[0abaed59/X] sn_slist_remove_by_key() sp=0xffff1c98
[07caea11/X] mme_destroy_old_ue_ctxt() sp=0xffff1ce8
[07caee5f/X] mme_set_imsi_validated() sp=0xffff1d38
[07ce4b90/X] mme_tau_attach_cr_awt_ctxt_resp() sp=0xffff2088
[07c6de52/X] mme_fsm_event_handler() sp=0xffff2538
[07c99e0f/X] mme_event_handler_tau_attach_procedure() sp=0xffff2568
[07b7cc90/X] mme_procedure_handle_event() sp=0xffff25e8
[07c9d499/X] mme_disp_handle_emm_evt() sp=0xffff26e8
[07c9ffeb/X] mme_disp_ncall_answered_handle_gngp_msg() sp=0xffff2738
[07c6de52/X] mme_fsm_event_handler() sp=0xffff2be8
[07ca937f/X] mme_app_gngp_event_dispatch() sp=0xffff2e88
[069d6741/X] sn_gt_dispatch_mm_msg_to_service_user() sp=0xffff2ed8
[06a32cd3/X] sn_gt_process_sgsn_ctx_rsp_peer() sp=0xffff3408
[069d58ea/X] sn_gt_handle_pmm_cfm() sp=0xffff3948
[06a472dc/X] gtapp_process_gtp_response_msg() sp=0xffff39f8
[06a47cda/X] sn_gt_gtp_app_recv_msg() sp=0xffffcaa8
[03f4427f/X] sessmgr_sgtp_handle_gtpc_message() sp=0xffffd018
[03f4554f/X] sessmgr_sgtp_dmed_rx_cb() sp=0xffffd068
[05e475a4/X] sessmgr_receive_ipv4udp_packets.isra.65() sp=0xffffd098
[060089e1/X] sessmgr_med_data_receive() sp=0xffffd238
[0ac562ac/X] sn_epoll_run_events() sp=0xffffd288
[0ac5a9a8/X] sn_loop_run() sp=0xffffd738
[0a9fd66d/X] main() sp=0xffffd7a8

Conditions:
A UE relocates from 4G to 3G via a RAU Request. The context for the call is freed, but the freed context is not removed from the MME service's list of calls sorted by IMSI.
Later, when the UE moves back to 4G via a TAU Request, and a Gn/Gp Context Request results in a response indicating the same IMSI, the MME finds the existing context from the previous call and tries to clean it up, but crashes because that context has already been freed. The exact scenario leading to the crash was not found, but the code shows that, under some conditions, a context being freed may not be removed from the list if its state is not entirely correct.
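The defect class described above (a per-UE context freed while still linked in the IMSI-keyed list, so a later lookup touches freed memory), as an added illustration that is not the StarOS code; the context, list and state names are hypothetical, and the example shows the state-dependent unlink beside the hardened unlink-then-free:

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-ins for the MME per-UE context and the keyed list (names
 * are assumptions). The list node holds only the key and a context pointer. */
enum ue_state { UE_ATTACHED, UE_RELOCATING_TO_3G };
typedef struct { char imsi[16]; enum ue_state state; } ue_ctxt;
typedef struct snode { char key[16]; ue_ctxt *ctx; struct snode *next; } snode;
typedef struct { snode *head; } slist;
static void slist_insert(slist *l, ue_ctxt *c) {
    snode *n = calloc(1, sizeof *n);
    strncpy(n->key, c->imsi, sizeof n->key - 1);
    n->ctx = c; n->next = l->head; l->head = n;
}
/* Walks node keys only, so it is safe even if n->ctx is already dangling. */
static snode *slist_find(slist *l, const char *key) {
    for (snode *n = l->head; n; n = n->next)
        if (strcmp(n->key, key) == 0) return n;
    return NULL;
}
static int slist_remove_by_key(slist *l, const char *key) {
    for (snode **pp = &l->head; *pp; pp = &(*pp)->next)
        if (strcmp((*pp)->key, key) == 0) {
            snode *n = *pp; *pp = n->next; free(n); return 1;
        }
    return 0;
}
/* Defective pattern: unlinking depends on state, so a context freed in any
 * other state stays linked; the next lookup by IMSI (the TAU path) would
 * then dereference freed memory, as in the stack above. */
static void destroy_ctxt_buggy(slist *l, ue_ctxt *c) {
    if (c->state == UE_ATTACHED) slist_remove_by_key(l, c->imsi);
    free(c);
}
/* Hardened pattern: always unlink before free, independent of state. */
static void destroy_ctxt_fixed(slist *l, ue_ctxt *c) {
    slist_remove_by_key(l, c->imsi);
    free(c);
}
/* Constructed scenario: UE leaves 4G via RAU and its context is destroyed.
 * Returns 1 if a stale list entry for the IMSI remains afterwards. */
int stale_entry_after_destroy(int use_fixed) {
    slist l = {0};
    ue_ctxt *c = calloc(1, sizeof *c);
    strcpy(c->imsi, "001010123456789");   /* constructed test IMSI */
    c->state = UE_RELOCATING_TO_3G;
    slist_insert(&l, c);
    if (use_fixed) destroy_ctxt_fixed(&l, c); else destroy_ctxt_buggy(&l, c);
    int stale = slist_find(&l, "001010123456789") != NULL;
    while (l.head) { snode *n = l.head; l.head = n->next; free(n); }
    return stale;
}
```

A defensive check in the lookup path is not a substitute for the fix: once the entry is stale, the node's context pointer cannot be validated without dereferencing it, so the invariant to enforce is that a context is unlinked before it is freed.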