nrUE: stopping the radio without stopping the sample reader leads to a segfault

What's the problem?

At the end of main() in nr-uesoftmodem.c, the radio is stopped through a call to trx_end_func(). However, we don't stop the actual "consumer" of the radio, UE_thread(). This can lead to a segfault when stopping the executable, because UE_thread() might attempt to read samples after the radio has terminated (and the driver has cleaned up its buffers).
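The teardown ordering the report describes, as an added example that is not OAI's code: a hypothetical stand-in for the rfsimulator's sample buffer and for UE_thread(), where the consumer thread is asked to stop and joined before the radio is ended. All names here (radio_start, radio_end, consumer_thread, run_and_shutdown_safely) are assumptions for illustration; the reported crash corresponds to calling radio_end() before the join.

```c
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the rfsimulator's sample buffer (the region
 * freed by removeCirBuf() in the report). */
typedef struct {
  int16_t *samples;
  size_t len;
} radio_t;

/* State shared between main() and the consumer thread (stand-in for UE_thread). */
typedef struct {
  radio_t *radio;
  atomic_bool stop;         /* main sets this to request shutdown */
  atomic_size_t reads_done; /* number of sample reads the consumer completed */
} consumer_t;

/* Stand-in for radio start-up: allocates the buffer the consumer reads. */
static radio_t *radio_start(size_t nsamples) {
  radio_t *r = calloc(1, sizeof *r);
  if (!r) abort();
  r->samples = calloc(nsamples, sizeof *r->samples);
  if (!r->samples) abort();
  r->len = nsamples;
  return r;
}

/* Stand-in for trx_end_func()/rfsimulator_end(): frees the buffer. After this
 * call, any read of r->samples is a use-after-free. */
static void radio_end(radio_t *r) {
  free(r->samples);
  free(r);
}

/* Stand-in for UE_thread(): keeps reading samples until asked to stop. */
static void *consumer_thread(void *arg) {
  consumer_t *c = arg;
  while (!atomic_load(&c->stop)) {
    size_t n = atomic_load(&c->reads_done);
    /* This is the kind of read that faults if it runs after radio_end(). */
    volatile int16_t sample = c->radio->samples[n % c->radio->len];
    (void)sample;
    atomic_store(&c->reads_done, n + 1);
    sched_yield();
  }
  return NULL;
}

/* Correct teardown order: ask the consumer to stop, join it, and only then end
 * the radio. Returns the number of reads the consumer completed (>= min_reads). */
static size_t run_and_shutdown_safely(size_t min_reads) {
  consumer_t c;
  c.radio = radio_start(4096);
  atomic_init(&c.stop, false);
  atomic_init(&c.reads_done, 0);

  pthread_t tid;
  if (pthread_create(&tid, NULL, consumer_thread, &c) != 0) abort();

  /* Let the consumer do some work, as a connected UE would. */
  while (atomic_load(&c.reads_done) < min_reads) sched_yield();

  atomic_store(&c.stop, true); /* 1. request stop */
  pthread_join(tid, NULL);     /* 2. wait: no reader of the buffer remains */
  radio_end(c.radio);          /* 3. freeing can no longer race with a read */

  return atomic_load(&c.reads_done);
}

int main(void) {
  size_t reads = run_and_shutdown_safely(100);
  printf("consumer completed %zu reads before a clean shutdown\n", reads);
  return 0;
}
```

The stop flag alone is not sufficient: the consumer may be between the flag check and the buffer read when main() frees the buffer, which is exactly the window AddressSanitizer reports below. The pthread_join() is what guarantees the reader is gone before the free.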

What should happen?

The UE should stop without a segfault.

What happens instead?

The UE does segfault.

How to reproduce?

The bug is non-deterministic and depends on the machine; simply starting the UE, connecting to the gNB and then disconnecting should show it. Under AddressSanitizer, the following can be observed:

5108178.887706 [NAS] I received deregistration accept
5108178.890847 [NR_PHY] I ============================================
5108178.890855 [NR_PHY] I [UE 0] Harq round stats for Downlink: 15193/1170/39
5108178.890858 [NR_PHY] I ============================================
5108179.092847 [NR_RRC] I [UE 0] Received RRC Release (gNB 0)
5108179.199184 [NR_RRC] E deprioritisationReq in RRCRelease not handled
5108179.199197 [PDCP] I release DRB 1 of UE 0
5108179.199265 [NR_MAC] A Received detach indication
5108179.205456 [NR_RRC] I RRC moved into IDLE state
5108179.205467 [NAS] I [UE 0] Received NR_NAS_CONN_RELEASE_IND: cause 2
=================================================================
==7==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f957a8781b4 at pc 0x7f957aa00435 bp 0x7f957cb02b10 sp 0x7f957cb02b00
READ of size 2 at 0x7f957a8781b4 thread T14
    #0 0x7f957aa00434 in rxAddInput /oai-ran/radio/rfsimulator/apply_channelmod.c:91
    #1 0x7f957a9f3e37 in rfsimulator_read /oai-ran/radio/rfsimulator/simulator.c:896
    #2 0x55fdff6e7357 in UE_thread /oai-ran/executables/nr-ue.c:927
    #3 0x7f958c006ac2 in start_thread nptl/pthread_create.c:442
    #4 0x7f958c097a03 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x125a03)

0x7f957a8781b4 is located 784820 bytes inside of 1843200-byte region [0x7f957a7b8800,0x7f957a97a800)
freed by thread T0 here:
    #0 0x7f958d0cd470 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 0x7f957a9e3c63 in removeCirBuf /oai-ran/radio/rfsimulator/simulator.c:245
    #2 0x7f957a9e44fc in rfsimulator_end /oai-ran/radio/rfsimulator/simulator.c:958
    #3 0x55fdff6ad3eb in main /oai-ran/executables/nr-uesoftmodem.c:642
    #4 0x7f958bf9bd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

Full log: rfsim5g-oai-nr-ue.log observed in this pipeline run