diff options
author | Holger Hans Peter Freyther <holger@moiji-mobile.com> | 2013-11-01 18:22:43 +0100 |
---|---|---|
committer | Holger Hans Peter Freyther <holger@moiji-mobile.com> | 2013-11-27 14:29:50 +0100 |
commit | 2800b347e9f08f77cfd69f81fc24e0141c21598a (patch) | |
tree | 5064742f35599006160356a07f20d81fcfb20dfb /src/common | |
parent | f56d56c439034c8b8bc7eb0843ba5ee1cf2400e5 (diff) |
bts: Fix crash of receiving data during the release process
Release/Free the lapdm resources _after_ the channel has
been fully released. Do not forward data unless the lchan
is in the active state.
Reading this code again, there is probably a memory leak for
everytime the PCU will re-connect to the BTS.
(gdb) p lchan->state
$4 = LCHAN_S_REL_REQ
(gdb) bt
#0 lapd_dl_flush_hist (dl=0x40454894) at lapd_core.c:164
#1 0x44873b54 in lapd_rx_u (lctx=0xbe9bd5a8, msg=0x92f90) at lapd_core.c:1040
#2 lapd_ph_data_ind (msg=0x92f90, lctx=0xbe9bd5a8) at lapd_core.c:1644
#3 0x44876d50 in l2_ph_data_ind (link_id=<optimized out>, chan_nr=<optimized out>,
le=<optimized out>, msg=0x92f90) at lapdm.c:637
#4 lapdm_phsap_up (oph=<optimized out>, le=<optimized out>) at lapdm.c:707
#5 0x0000c504 in handle_ph_data_ind (l1p_msg=0x97358, data_ind=0x97420, fl1=<optimized out>)
at l1_if.c:774
#6 l1if_handle_ind (fl1=<optimized out>, msg=0x97358) at l1_if.c:892
Diffstat (limited to 'src/common')
-rw-r--r-- | src/common/rsl.c | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/src/common/rsl.c b/src/common/rsl.c index 26c32026..b8e4c23c 100644 --- a/src/common/rsl.c +++ b/src/common/rsl.c @@ -497,6 +497,12 @@ int rsl_tx_rf_rel_ack(struct gsm_lchan *lchan) LOGP(DRSL, LOGL_NOTICE, "%s Tx RF CHAN REL ACK\n", gsm_lchan_name(lchan)); + /* + * Free the LAPDm resources now that the BTS + * has released all the resources. + */ + lapdm_channel_exit(&lchan->lapdm_ch); + msg = rsl_msgb_alloc(sizeof(struct abis_rsl_dchan_hdr)); if (!msg) return -ENOMEM; @@ -800,8 +806,6 @@ static int rsl_rx_rf_chan_rel(struct gsm_lchan *lchan) lchan->rel_act_kind = LCHAN_REL_ACT_RSL; rc = bts_model_rsl_chan_rel(lchan); - lapdm_channel_exit(&lchan->lapdm_ch); - return rc; } @@ -1570,6 +1574,13 @@ int lapdm_rll_tx_cb(struct msgb *msg, struct lapdm_entity *le, void *ctx) struct gsm_lchan *lchan = ctx; struct abis_rsl_common_hdr *rh = msgb_l2(msg); + if (lchan->state != LCHAN_S_ACTIVE) { + LOGP(DRSL, LOGL_INFO, "%s(%s) is not active . Dropping message.\n", + gsm_lchan_name(lchan), gsm_lchans_name(lchan->state)); + msgb_free(msg); + return 0; + } + msg->trx = lchan->ts->trx; /* check if this is a measurement report from SACCH which needs special |