Summary: ASTERISK-09842: Manhattan MII-794 class 2 usb/bluetooth adapter: asterisk crashes when call is bridged.
Reporter: Steve Murphy (murf)
Date Opened: 2007-07-09 17:03:22
Date Closed: 2007-09-28 19:42:13

Description:

(gdb) where
#0  0x08081186 in __ast_read (chan=0x8259d30, dropaudio=0) at
#1  0x080824cd in ast_read (chan=0x8259d30) at channel.c:2457
#2  0x08086e03 in ast_generic_bridge (c0=0x82588e8, c1=0x8259d30, config=0xb5675574, fo=0xb5674ad0, rc=0xb5674acc, bridge_end={tv_sec = 0, tv_usec = 0}) at channel.c:3883
#3  0x080881c6 in ast_channel_bridge (c0=0x82588e8, c1=0x8259d30, config=0xb5675574, fo=0xb5674ad0, rc=0xb5674acc) at channel.c:4195
#4  0xb771b7fe in ast_bridge_call (chan=0x82588e8, peer=0x8259d30, config=0xb5675574) at res_features.c:1679
#5  0xb6c195e3 in dial_exec_full (chan=0x82588e8, data=0xb5677a28, peerflags=0xb5675884, continue_exec=0x0) at app_dial.c:1779
#6  0xb6c19877 in dial_exec (chan=0x82588e8, data=0xb5677a28) at
#7  0x080bd13c in pbx_exec (c=0x82588e8, app=0x823f9f8, data=0xb5677a28) at pbx.c:565
#8  0x080c01ce in pbx_extension_helper (c=0x82588e8, con=0x0, context=0x8258a70 "extension", exten=0x8258ac0 "844", priority=1, label=0x0, callerid=0x82554f8 "152", action=E_SPAWN) at pbx.c:1788
#9  0x080c1462 in ast_spawn_extension (c=0x82588e8, context=0x8258a70 "extension", exten=0x8258ac0 "844", priority=1, callerid=0x82554f8 "152") at pbx.c:2279
#10 0x080c194d in __ast_pbx_run (c=0x82588e8) at pbx.c:2379
#11 0x080c2874 in ast_pbx_run (c=0x82588e8) at pbx.c:2643
#12 0xb6e650df in ss_thread (data=0x82588e8) at chan_zap.c:6133
#13 0x080ffd02 in dummy_start (data=0x81904f0) at utils.c:546
#14 0xb7de3341 in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#15 0xb7c224ee in clone () from /lib/tls/i686/cmov/libc.so.6

****** STEPS TO REPRODUCE ******

Crashes for both incoming and outgoing calls. The channel frame pointer appears to be corrupted.

chan->readq looks like this:

readq = {
   first = 0x6d6f6379,
   last = 0x6d6f6379
}

Comments:

By: Steve Murphy (murf) 2007-07-11 14:37:39

Hmmm. Tried it again, because 9694 looks very familiar. If I try to call out through the cell phone from a SIP phone, I get a segfault:

0x08081042 in __ast_read (chan=0x825b520, dropaudio=0) at channel.c:2201
2201                    f = AST_LIST_REMOVE_HEAD(&chan->readq, frame_list);
(gdb) where
#0  0x08081042 in __ast_read (chan=0x825b520, dropaudio=0) at channel.c:2201
#1  0x08082389 in ast_read (chan=0x825b520) at channel.c:2457
#2  0x08086cbf in ast_generic_bridge (c0=0x825d118, c1=0x825b520, config=0xb5688b44, fo=0xb5688090, rc=0xb568808c, bridge_end={tv_sec = 0, tv_usec = 0}) at channel.c:3883
#3  0x08088082 in ast_channel_bridge (c0=0x825d118, c1=0x825b520, config=0xb5688b44, fo=0xb5688090, rc=0xb568808c) at channel.c:4195
#4  0xb7711811 in ast_bridge_call (chan=0x825d118, peer=0x825b520, config=0xb5688b44) at res_features.c:1673
#5  0xb6c59647 in dial_exec_full (chan=0x825d118, data=0xb568aff8, peerflags=0xb5688e54, continue_exec=0x0) at app_dial.c:1787
#6  0xb6c598e3 in dial_exec (chan=0x825d118, data=0xb568aff8) at app_dial.c:1833
#7  0x080bd024 in pbx_exec (c=0x825d118, app=0x82390c8, data=0xb568aff8) at pbx.c:565
#8  0x080c00b6 in pbx_extension_helper (c=0x825d118, con=0x0, context=0x825d2a0 "extension", exten=0x825d2f0 "844", priority=1, label=0x0, callerid=0x8257ca0 "snom360", action=E_SPAWN) at pbx.c:1788
#9  0x080c134a in ast_spawn_extension (c=0x825d118, context=0x825d2a0 "extension", exten=0x825d2f0 "844", priority=1, callerid=0x8257ca0 "snom360") at pbx.c:2279
#10 0x080c1835 in __ast_pbx_run (c=0x825d118) at pbx.c:2379
#11 0x080c262d in pbx_thread (data=0x825d118) at pbx.c:2607
#12 0x080ffbea in dummy_start (data=0x8257b78) at utils.c:546
#13 0xb7e36341 in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#14 0xb7c754ee in clone () from /lib/tls/i686/cmov/libc.so.6
(gdb) p chan.readq
$1 = {first = 0x433a3127, last = 0x433a3127}
(gdb) p *chan.readq.first
Cannot access memory at address 0x433a3127

0x433a3127, BTW, equates to the ASCII string C:1'

However, if I tried calling out through the cellphone via a Zap phone line, I had one success. It got out, and I heard the whole movie lineup spiel...
But all the zap phones are locked up after that, and I have to take down asterisk, rmmod the zaptel drivers, reload them with modprobe/ztcfg, and rerun asterisk to get them back!

By: spblinux (spblinux) 2007-07-12 06:10:03

Have seen this invalid memory address in readq.first as well.

Does anybody know if it is correct to set chan->readq.first=NULL after the channel has been allocated with ast_channel_alloc? (in chan_cellphone/mobile line 659).

Ugly workaround for a given machine is to patch channel.c and check the absolute size of the memory address stored in readq.first (which is what I did on an embedded mipsel system, http://spblinux.de/fbox/openwrt/chan_cellphone/channel.c.bug/).

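An added core-dump triage helper (not from this report or from Asterisk) that applies the two checks the thread uses on the clobbered readq.first: decoding the word as ASCII, as 0x433a3127 decodes to C:1', and asking whether the value is even plausible as a struct pointer. It assumes the report's i686 build, i.e. 32-bit pointers and malloc'd frames aligned to at least 4 bytes.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>

/* Decode a 32-bit pointer value as four bytes, most significant first,
 * which is how gdb prints the word and how the thread reads 0x433a3127
 * as "C:1'".  Non-printable bytes become '.'.  Returns how many of the
 * four bytes were printable ASCII. */
int ptr_as_ascii(uint32_t value, char out[5])
{
    int printable = 0;
    for (int i = 0; i < 4; i++) {
        unsigned char b = (unsigned char)(value >> (8 * (3 - i)));
        out[i] = isprint(b) ? (char)b : '.';
        printable += isprint(b) ? 1 : 0;
    }
    out[4] = '\0';
    return printable;
}

/* A list head whose every byte is printable text was almost certainly
 * overwritten by string data, not set by a legitimate allocation. */
int looks_like_string_overwrite(uint32_t value)
{
    char buf[5];
    return value != 0 && ptr_as_ascii(value, buf) == 4;
}

/* Assumption: the report's i686 build, where a malloc'd struct ast_frame
 * is at least 4-byte aligned, so an odd list pointer cannot be genuine. */
int misaligned_struct_pointer(uint32_t value)
{
    return value != 0 && (value % 4) != 0;
}

int main(void)
{
    /* readq.first values quoted in the report, plus one genuine chan
     * pointer from the same backtrace as a control. */
    const uint32_t samples[] = { 0x6d6f6379u, 0x433a3127u, 0x0825b520u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char text[5];
        ptr_as_ascii(samples[i], text);
        printf("0x%08x  \"%s\"  string-overwrite=%d  misaligned=%d\n",
               (unsigned)samples[i], text, looks_like_string_overwrite(samples[i]),
               misaligned_struct_pointer(samples[i]));
    }
    return 0;
}
```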

By: Steve Murphy (murf) 2007-07-23 17:34:00

AFAIK, it's standard procedure to start with NULLs in the readq.

By: Dave Bowerman (dbowerman) 2007-09-07 20:34:59

Should be resolved by trunk rev 441.
Needs retesting.

By: Dave Bowerman (dbowerman) 2007-09-28 19:42:03

Fixed in trunk.