aboutsummaryrefslogtreecommitdiffstats
path: root/src/common
diff options
context:
space:
mode:
authorPau Espin Pedrol <pespin@sysmocom.de>2021-10-14 17:02:17 +0200
committerPau Espin Pedrol <pespin@sysmocom.de>2021-10-14 17:59:28 +0200
commit3cd4745efe3efe5620d82f5d67dcd141cabe9549 (patch)
tree618aad0fc01376018bd32cdf44067e1d9515459e /src/common
parentd3e730c61d57395550452f18428b06b56a316d02 (diff)
lchan: Call lapdm_channel_exit() when state changes to NONE
Fixes crash when TTCN3 BTS_Tests_LAPDm TC_rr_response_frame_loss runs run after TC_t200_n200. The BTS was shutdown after TC_t200_n200 failed (drop oml link), and lchan was moved ACTIVE->NONE without lapdm_channel_exit() being called on it. Hence, on next test (TC_rr_response_frame_loss), when lchan_init_lapdm() was called again, some memory corruption was caused. The lapdm_channel_exit can be dropped from gsm_lchan_release() and rsl_tx_rf_rel_ack() since it's already called in the same path: """ rsl_rx_rf_chan_rel gsm_lchan_release(lchan, LCHAN_REL_ACT_RSL); l1sap_chan_rel(lchan->ts->trx, gsm_lchan2chan_nr(lchan)); l1sap_chan_act_dact_modify(trx, chan_nr, PRIM_INFO_DEACTIVATE) bts_model_l1sap_down bts_model_lchan_deactivate_sacch(lchan); - lchan_deactivate(lchan); bts_model_lchan_deactivate lchan_set_state(lchan, LCHAN_S_NONE); <--------- mph_info_chan_confirm(trx, chan_nr, PRIM_INFO_DEACTIVATE, 0); l1sap_info_rel_cnf rsl_tx_rf_rel_ack(lchan); lapdm_channel_exit(&lchan->lapdm_ch); lapdm_channel_exit(&lchan->lapdm_ch); """ Related: SYS#5262 Change-Id: If0ec5f0c7be4d15c8d684d33e15e24d68bd5192e
Diffstat (limited to 'src/common')
-rw-r--r--src/common/lchan.c13
-rw-r--r--src/common/rsl.c15
2 files changed, 11 insertions, 17 deletions
diff --git a/src/common/lchan.c b/src/common/lchan.c
index 28ea943a..a3be4ee0 100644
--- a/src/common/lchan.c
+++ b/src/common/lchan.c
@@ -231,8 +231,6 @@ void gsm_lchan_release(struct gsm_lchan *lchan, enum lchan_rel_act_kind rel_kind
}
l1sap_chan_rel(lchan->ts->trx, gsm_lchan2chan_nr(lchan));
-
- lapdm_channel_exit(&lchan->lapdm_ch);
}
int lchan_deactivate(struct gsm_lchan *lchan)
@@ -290,6 +288,17 @@ void lchan_set_state(struct gsm_lchan *lchan, enum gsm_lchan_state state)
osmo_tdef_get(abis_T_defs, -15, OSMO_TDEF_US, -1));
}
break;
+ case LCHAN_S_NONE:
+ lapdm_channel_exit(&lchan->lapdm_ch);
+ /* Also ensure that there are no leftovers from repeated FACCH or
+ * repeated SACCH that might cause memory leakage. */
+ msgb_free(lchan->tch.rep_facch[0].msg);
+ msgb_free(lchan->tch.rep_facch[1].msg);
+ lchan->tch.rep_facch[0].msg = NULL;
+ lchan->tch.rep_facch[1].msg = NULL;
+ msgb_free(lchan->rep_sacch);
+ lchan->rep_sacch = NULL;
+ /* fall through */
default:
if (lchan->early_rr_ia) {
/* Early Immediate Assignment: Transition to any other
diff --git a/src/common/rsl.c b/src/common/rsl.c
index 99e81952..145cc8a9 100644
--- a/src/common/rsl.c
+++ b/src/common/rsl.c
@@ -1296,21 +1296,6 @@ int rsl_tx_rf_rel_ack(struct gsm_lchan *lchan)
gsm_ts_and_pchan_name(lchan->ts), lchan->nr,
gsm_lchant_name(lchan->type));
- /*
- * Free the LAPDm resources now that the BTS
- * has released all the resources.
- */
- lapdm_channel_exit(&lchan->lapdm_ch);
-
- /* Also ensure that there are no leftovers from repeated FACCH or
- * repeated SACCH that might cause memory leakage. */
- msgb_free(lchan->tch.rep_facch[0].msg);
- msgb_free(lchan->tch.rep_facch[1].msg);
- lchan->tch.rep_facch[0].msg = NULL;
- lchan->tch.rep_facch[1].msg = NULL;
- msgb_free(lchan->rep_sacch);
- lchan->rep_sacch = NULL;
-
return tx_rf_rel_ack(lchan, chan_nr);
}