From 19cefb009773f7cf5cf98997c53094dd684bcf38 Mon Sep 17 00:00:00 2001
From: Holger Hans Peter Freyther
Date: Wed, 1 May 2013 13:01:26 +0200
Subject: sysmobts: Fix a crash when the DSP2ARM queue runs full
When not reading quick enough from the queue we will get a bogus response which will lead to marking the lchan as broken and to clear the sapi queue. The sapi_queue_dispatch was checking if the queue was empty before calling the callback but not taking into account that it might have been flushed. Stop processing if the queue was empty before calling the callback or if it is empty after the callback.
Backtrace:
#0 0x4eb1f1cc in raise () from /lib/libc.so.6
#1 0x4eb22f48 in abort () from /lib/libc.so.6
#2 0x4ecc2cb8 in talloc_abort (reason=) at talloc.c:167
#3 0x4ecbc854 in talloc_abort_unknown_value () at talloc.c:180
#4 0x4ecc6bc8 in talloc_chunk_from_ptr (ptr=0x4ec2d494) at talloc.c:192
#5 _talloc_free (ptr=0x4ec2d494) at talloc.c:517
#6 talloc_free (ptr=0x4ec2d494) at talloc.c:990
#7 0x0000f294 in sapi_queue_exeute (lchan=0x402414a0) at oml.c:528
#8 0x0000f2d4 in sapi_queue_send (lchan=0x402414a0) at oml.c:542
#9 0x0000f3e0 in sapi_queue_dispatch (lchan=0x402414a0, status=-4) at oml.c:565
#10 0x000114d0 in lchan_deact_compl_cb (trx=0x4021e038, l1_msg=0x7e690) at oml.c:1269
#11 0x0000d70c in l1if_handle_l1prim (wq=1, fl1h=0x607c8, msg=0x7e690) at l1_if.c:938
---
 src/osmo-bts-sysmo/oml.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/osmo-bts-sysmo/oml.c b/src/osmo-bts-sysmo/oml.c
index 452cfe3f..2145f2f3 100644
--- a/src/osmo-bts-sysmo/oml.c
+++ b/src/osmo-bts-sysmo/oml.c
@@ -554,7 +554,7 @@ static void sapi_queue_dispatch(struct gsm_lchan *lchan, int status)
 cmd->callback(lchan, status);
 talloc_free(cmd);
- if (end) {
+ if (end || llist_empty(&lchan->sapi_cmds)) {
 LOGP(DL1C, LOGL_NOTICE, "%s End of queue encountered. Now empty? %d\n", gsm_lchan_name(lchan), llist_empty(&lchan->sapi_cmds));
-- cgit v1.2.3
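Review bot: The reason the added `llist_empty(&lchan->sapi_cmds)` test is needed after the callback is not visible in the code, so a later cleanup could easily fold it back into `if (end)` and reintroduce the use-after-free that the backtrace shows; `end` appears to be computed before `cmd->callback()` runs (outside this hunk) and is stale once the callback flushes the queue. I would put a comment above the changed line: `/* The callback may have flushed lchan->sapi_cmds (e.g. when the lchan was marked broken on a bogus DSP response); re-check the list here instead of trusting 'end', which predates the callback. */`. With this change the "End of queue encountered" NOTICE also fires for the flushed case, so a queue overrun now logs like a normal end of queue; a distinct message when `end` was false but the list is empty would make that error condition recognizable in the logs. The enclosing sapi_queue_dispatch() starts before and ends after this hunk.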