authorJacob Erlbeck <jerlbeck@sysmocom.de>2016-01-20 22:02:19 +0100
committerJacob Erlbeck <jerlbeck@sysmocom.de>2016-02-01 13:56:32 +0100
commitc362df25a2eb469aa70827b469f3898447814697 (patch)
treed7d7e451c2d0a7f7e6096631ac03dfcfb446eae1
parent27dc9414757df5436f7f5a5c8708219aa7a1ee6d (diff)
pcu: Fix memory corruption bugs (ASAN)
ASAN has found improper deletion of objects. These only occur on shutdown but make it impossible to run the test cases with full ASAN support. This commit fixes some of them and deactivates the freeing of the_pcu.bctx which may cause a corruption in BTS::~BTS() later on. Note that the latter is only a work-around and should be fixed properly. It will leak bctx objects, but this is currently not critical, since gprs_bssgp_destroy is only called once, immediately before a call to exit(). Ticket: OW#1572 Sponsored-by: On-Waves ehf
-rw-r--r--src/bts.cpp5
-rw-r--r--src/gprs_bssgp_pcu.cpp21
-rw-r--r--src/gprs_ms_storage.cpp5
-rw-r--r--src/gprs_ms_storage.h2
4 files changed, 25 insertions, 8 deletions
diff --git a/src/bts.cpp b/src/bts.cpp
index 5e29364..d1d738c 100644
--- a/src/bts.cpp
+++ b/src/bts.cpp
@@ -150,7 +150,12 @@ BTS::BTS()
BTS::~BTS()
{
+ /* this can cause counter updates and must not be left to the
+ * m_ms_store's destructor */
+ m_ms_store.cleanup();
+
rate_ctr_group_free(m_ratectrs);
+ osmo_stat_item_group_free(m_statg);
}
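Review bot: `m_ms_store.cleanup()` in `BTS::~BTS()` is followed by a second `cleanup()` pass when the member's own destructor runs after this body, because `GprsMsStorage::~GprsMsStorage()` in src/gprs_ms_storage.cpp now only forwards to it. That is safe only if the loop unlinks every entry from `m_list` as it handles it; the loop body lies outside the visible hunk, so this should be confirmed, otherwise the second pass walks entries the first pass already dealt with, which is the class of shutdown bug this commit is fixing. I would state the contract at the new declaration in src/gprs_ms_storage.h, e.g. `/* Releases all stored MS objects and leaves m_list empty; safe to call more than once */`.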
diff --git a/src/gprs_bssgp_pcu.cpp b/src/gprs_bssgp_pcu.cpp
index a7391d9..838c667 100644
--- a/src/gprs_bssgp_pcu.cpp
+++ b/src/gprs_bssgp_pcu.cpp
@@ -872,28 +872,33 @@ struct gprs_bssgp_pcu *gprs_bssgp_create_and_connect(struct gprs_rlcmac_bts *bts
void gprs_bssgp_destroy(void)
{
- if (!bssgp_nsi)
+ struct gprs_ns_inst *nsi = bssgp_nsi;
+ if (!nsi)
return;
+ bssgp_nsi = NULL;
+
osmo_timer_del(&the_pcu.bvc_timer);
osmo_signal_unregister_handler(SS_L_NS, nsvc_signal_cb, NULL);
the_pcu.nsvc = NULL;
- /* FIXME: move this to libgb: btsctx_free() */
- llist_del(&the_pcu.bctx->list);
- talloc_free(the_pcu.bctx);
- the_pcu.bctx = NULL;
-
/* FIXME: blocking... */
the_pcu.nsvc_unblocked = 0;
the_pcu.bvc_sig_reset = 0;
the_pcu.bvc_reset = 0;
the_pcu.bvc_unblocked = 0;
- gprs_ns_destroy(bssgp_nsi);
- bssgp_nsi = NULL;
+ gprs_ns_destroy(nsi);
+
+ /* FIXME: move this to libgb: btsctx_free() */
+ llist_del(&the_pcu.bctx->list);
+#warning "This causes ASAN to complain. It is not critical for normal operation but should be fixed nevertheless"
+#if 0
+ talloc_free(the_pcu.bctx);
+#endif
+ the_pcu.bctx = NULL;
}
struct bssgp_bvc_ctx *gprs_bssgp_pcu_current_bctx(void)
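Review bot: The `#warning` plus `#if 0` around `talloc_free(the_pcu.bctx)` leaves no record in the code of why the free is unsafe, and the warning fires on every build, which fails any build that treats warnings as errors. The commit message says the free may corrupt memory later in `BTS::~BTS()`; I would carry that into a comment instead, e.g. `/* FIXME(OW#1572): bctx is leaked on purpose; freeing it here may corrupt memory in BTS::~BTS() (ASAN) */`. Separately, `llist_del(&the_pcu.bctx->list)` still dereferences `the_pcu.bctx` unchecked; whether it can be NULL while `bssgp_nsi` is set is not visible in this hunk, so a guard such as `if (the_pcu.bctx) llist_del(&the_pcu.bctx->list);` may be warranted.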
diff --git a/src/gprs_ms_storage.cpp b/src/gprs_ms_storage.cpp
index e0aee5e..6a7f336 100644
--- a/src/gprs_ms_storage.cpp
+++ b/src/gprs_ms_storage.cpp
@@ -34,6 +34,11 @@ GprsMsStorage::GprsMsStorage(BTS *bts) :
GprsMsStorage::~GprsMsStorage()
{
+ cleanup();
+}
+
+void GprsMsStorage::cleanup()
+{
LListHead<GprsMs> *pos, *tmp;
llist_for_each_safe(pos, tmp, &m_list) {
diff --git a/src/gprs_ms_storage.h b/src/gprs_ms_storage.h
index df788bf..44ad0ed 100644
--- a/src/gprs_ms_storage.h
+++ b/src/gprs_ms_storage.h
@@ -33,6 +33,8 @@ public:
GprsMsStorage(BTS *bts);
~GprsMsStorage();
+ void cleanup();
+
virtual void ms_idle(class GprsMs *);
virtual void ms_active(class GprsMs *);