diff options
author | Pau Espin Pedrol <pespin@sysmocom.de> | 2021-10-14 17:02:17 +0200 |
---|---|---|
committer | Pau Espin Pedrol <pespin@sysmocom.de> | 2021-10-14 17:59:28 +0200 |
commit | 3cd4745efe3efe5620d82f5d67dcd141cabe9549 (patch) | |
tree | 618aad0fc01376018bd32cdf44067e1d9515459e /src/common | |
parent | d3e730c61d57395550452f18428b06b56a316d02 (diff) |
lchan: Call lapdm_channel_exit() when state changes to NONE
Fixes crash when TTCN3 BTS_Tests_LAPDm TC_rr_response_frame_loss
runs run after TC_t200_n200.
The BTS was shutdown after TC_t200_n200 failed (drop oml link), and
lchan was moved ACTIVE->NONE without lapdm_channel_exit() being called
on it. Hence, on next test (TC_rr_response_frame_loss), when
lchan_init_lapdm() was called again, some memory corruption was caused.
The lapdm_channel_exit can be dropped from gsm_lchan_release() and
rsl_tx_rf_rel_ack() since it's already called in the same path:
"""
rsl_rx_rf_chan_rel
gsm_lchan_release(lchan, LCHAN_REL_ACT_RSL);
l1sap_chan_rel(lchan->ts->trx, gsm_lchan2chan_nr(lchan));
l1sap_chan_act_dact_modify(trx, chan_nr, PRIM_INFO_DEACTIVATE)
bts_model_l1sap_down
bts_model_lchan_deactivate_sacch(lchan);
-
lchan_deactivate(lchan);
bts_model_lchan_deactivate
lchan_set_state(lchan, LCHAN_S_NONE); <---------
mph_info_chan_confirm(trx, chan_nr, PRIM_INFO_DEACTIVATE, 0);
l1sap_info_rel_cnf
rsl_tx_rf_rel_ack(lchan);
lapdm_channel_exit(&lchan->lapdm_ch);
lapdm_channel_exit(&lchan->lapdm_ch);
"""
Related: SYS#5262
Change-Id: If0ec5f0c7be4d15c8d684d33e15e24d68bd5192e
Diffstat (limited to 'src/common')
-rw-r--r-- | src/common/lchan.c | 13 | ||||
-rw-r--r-- | src/common/rsl.c | 15 |
2 files changed, 11 insertions, 17 deletions
diff --git a/src/common/lchan.c b/src/common/lchan.c index 28ea943a..a3be4ee0 100644 --- a/src/common/lchan.c +++ b/src/common/lchan.c @@ -231,8 +231,6 @@ void gsm_lchan_release(struct gsm_lchan *lchan, enum lchan_rel_act_kind rel_kind } l1sap_chan_rel(lchan->ts->trx, gsm_lchan2chan_nr(lchan)); - - lapdm_channel_exit(&lchan->lapdm_ch); } int lchan_deactivate(struct gsm_lchan *lchan) @@ -290,6 +288,17 @@ void lchan_set_state(struct gsm_lchan *lchan, enum gsm_lchan_state state) osmo_tdef_get(abis_T_defs, -15, OSMO_TDEF_US, -1)); } break; + case LCHAN_S_NONE: + lapdm_channel_exit(&lchan->lapdm_ch); + /* Also ensure that there are no leftovers from repeated FACCH or + * repeated SACCH that might cause memory leakage. */ + msgb_free(lchan->tch.rep_facch[0].msg); + msgb_free(lchan->tch.rep_facch[1].msg); + lchan->tch.rep_facch[0].msg = NULL; + lchan->tch.rep_facch[1].msg = NULL; + msgb_free(lchan->rep_sacch); + lchan->rep_sacch = NULL; + /* fall through */ default: if (lchan->early_rr_ia) { /* Early Immediate Assignment: Transition to any other diff --git a/src/common/rsl.c b/src/common/rsl.c index 99e81952..145cc8a9 100644 --- a/src/common/rsl.c +++ b/src/common/rsl.c @@ -1296,21 +1296,6 @@ int rsl_tx_rf_rel_ack(struct gsm_lchan *lchan) gsm_ts_and_pchan_name(lchan->ts), lchan->nr, gsm_lchant_name(lchan->type)); - /* - * Free the LAPDm resources now that the BTS - * has released all the resources. - */ - lapdm_channel_exit(&lchan->lapdm_ch); - - /* Also ensure that there are no leftovers from repeated FACCH or - * repeated SACCH that might cause memory leakage. */ - msgb_free(lchan->tch.rep_facch[0].msg); - msgb_free(lchan->tch.rep_facch[1].msg); - lchan->tch.rep_facch[0].msg = NULL; - lchan->tch.rep_facch[1].msg = NULL; - msgb_free(lchan->rep_sacch); - lchan->rep_sacch = NULL; - return tx_rf_rel_ack(lchan, chan_nr); } |