authorAlexander Couzens <lynxis@fe80.eu>2018-07-24 19:04:47 +0200
committerAlexander Couzens <lynxis@fe80.eu>2018-07-24 19:08:19 +0200
commitad4ea3b10e66bbd5cad27d16532b0c5fc239946a (patch)
tree87bd8a9d78bc808a6fef9764d0016d56f9840b28
parent7a97fcafedead40b311eef65467480bd72fdd18b (diff)
hnbgw: remove close_cb() to fix a crash when releasing a hnbgw
The read callback should already catch all errors. Previously, when a read failed, the call chain was: * hnb_context_release() -> osmo_stream_srv_destroy() -> hnb_context_release() On the second hnb_context_release() the hnbgw will crash because llist_del() is called twice on the same object. Fixes: OS#3416 Change-Id: Ic84b2184b7fc850c0de2acacf179e86771e17510
-rw-r--r--include/osmocom/iuh/hnbgw.h2
-rw-r--r--src/hnbgw.c21
-rw-r--r--src/hnbgw_hnbap.c4
3 files changed, 8 insertions, 19 deletions
diff --git a/include/osmocom/iuh/hnbgw.h b/include/osmocom/iuh/hnbgw.h
index b79bcc1..db49dc1 100644
--- a/include/osmocom/iuh/hnbgw.h
+++ b/include/osmocom/iuh/hnbgw.h
@@ -161,7 +161,7 @@ struct ue_context *ue_context_alloc(struct hnb_context *hnb, const char *imsi,
void ue_context_free(struct ue_context *ue);
struct hnb_context *hnb_context_alloc(struct hnb_gw *gw, struct osmo_stream_srv_link *link, int new_fd);
-void hnb_context_release(struct hnb_context *ctx, bool destroy_conn);
+void hnb_context_release(struct hnb_context *ctx);
void hnbgw_vty_init(struct hnb_gw *gw, void *tall_ctx);
int hnbgw_vty_go_parent(struct vty *vty);
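Review bot: The new prototype of hnb_context_release() carries no statement of its ownership contract, although after this commit it always destroys the connection and frees the context (see the `osmo_stream_srv_destroy(ctx->conn); talloc_free(ctx);` pair in src/hnbgw.c). A one-line comment above the declaration would stop callers from touching the pointer afterwards: `/* Destroys ctx->conn and frees ctx; neither may be used after this returns. */`.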
diff --git a/src/hnbgw.c b/src/hnbgw.c
index 94d8fb9..91e551b 100644
--- a/src/hnbgw.c
+++ b/src/hnbgw.c
@@ -202,16 +202,6 @@ void ue_context_free(struct ue_context *ue)
llist_del(&ue->list);
talloc_free(ue);
}
-static int hnb_close_cb(struct osmo_stream_srv *conn)
-{
- struct hnb_context *hnb = osmo_stream_srv_get_data(conn);
-
- /* This connection is about to be closed. Destroy the HNB context now. */
- if (hnb)
- hnb_context_release(hnb, false);
-
- return 0;
-}
static int hnb_read_cb(struct osmo_stream_srv *conn)
{
@@ -234,10 +224,10 @@ static int hnb_read_cb(struct osmo_stream_srv *conn)
} else if (rc < 0) {
LOGP(DMAIN, LOGL_ERROR, "Error during sctp_recvmsg()\n");
/* FIXME: clean up after disappeared HNB */
- hnb_context_release(hnb, true);
+ hnb_context_release(hnb);
goto out;
} else if (rc == 0) {
- hnb_context_release(hnb, true);
+ hnb_context_release(hnb);
rc = -1;
goto out;
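Review bot: The `/* FIXME: clean up after disappeared HNB */` comment in the `rc < 0` branch is now stale, since the very next line performs that cleanup. Both error branches free `hnb` and destroy `conn`, so the comment should record what the code relies on, e.g. `/* hnb and conn are gone after this call; return rc < 0 so the caller stops using conn */`. That the stream layer stops on a negative return is an assumption about the library and should be confirmed. The `out:` label is outside this hunk, so whether anything there still dereferences `hnb` cannot be checked from here.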
@@ -283,7 +273,7 @@ struct hnb_context *hnb_context_alloc(struct hnb_gw *gw, struct osmo_stream_srv_
INIT_LLIST_HEAD(&ctx->map_list);
ctx->gw = gw;
- ctx->conn = osmo_stream_srv_create(tall_hnb_ctx, link, new_fd, hnb_read_cb, hnb_close_cb, ctx);
+ ctx->conn = osmo_stream_srv_create(tall_hnb_ctx, link, new_fd, hnb_read_cb, NULL, ctx);
if (!ctx->conn) {
LOGP(DMAIN, LOGL_INFO, "error while creating connection\n");
talloc_free(ctx);
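Review bot: Passing `NULL` as the closed callback means nothing releases the hnb_context when the stream layer closes the connection on its own, for instance after `osmo_stream_srv_set_flush_and_destroy(ctx->conn)` in hnbgw_tx_hnb_register_rej. The context would then stay allocated with `ctx->conn` pointing at a destroyed connection; this is inferred, since the library's teardown path is not on this page. Keeping a callback and breaking the recursion inside hnb_context_release() would fix the crash without that leak: the callback clears `hnb->conn` before releasing, and the release function detaches and clears the pointer before destroying. hnb_context_alloc() and hnb_context_release() both extend beyond their hunks.

```c
/* closed_cb: the stream layer is already tearing the connection down,
 * so only the HNB context is released here. */
static int hnb_close_cb(struct osmo_stream_srv *conn)
{
	struct hnb_context *hnb = osmo_stream_srv_get_data(conn);

	if (hnb) {
		hnb->conn = NULL;	/* release must not destroy conn a second time */
		hnb_context_release(hnb);
	}
	return 0;
}

/* … unchanged: hnb_read_cb, start of hnb_context_alloc … */
	ctx->conn = osmo_stream_srv_create(tall_hnb_ctx, link, new_fd, hnb_read_cb, hnb_close_cb, ctx);

/* … in hnb_context_release(), replacing the unconditional destroy … */
	if (ctx->conn) {
		struct osmo_stream_srv *conn = ctx->conn;

		ctx->conn = NULL;
		osmo_stream_srv_set_data(conn, NULL);	/* callback then sees no context */
		osmo_stream_srv_destroy(conn);
	}
```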
@@ -294,7 +284,7 @@ struct hnb_context *hnb_context_alloc(struct hnb_gw *gw, struct osmo_stream_srv_
return ctx;
}
-void hnb_context_release(struct hnb_context *ctx, bool destroy_conn)
+void hnb_context_release(struct hnb_context *ctx)
{
struct hnbgw_context_map *map, *map2;
@@ -312,8 +302,7 @@ void hnb_context_release(struct hnb_context *ctx, bool destroy_conn)
}
ue_context_free_by_hnb(ctx->gw, ctx);
- if (destroy_conn)
- osmo_stream_srv_destroy(ctx->conn);
+ osmo_stream_srv_destroy(ctx->conn);
talloc_free(ctx);
}
diff --git a/src/hnbgw_hnbap.c b/src/hnbgw_hnbap.c
index acc5aff..2a19dda 100644
--- a/src/hnbgw_hnbap.c
+++ b/src/hnbgw_hnbap.c
@@ -84,7 +84,7 @@ static int hnbgw_tx_hnb_register_rej(struct hnb_context *ctx)
osmo_stream_srv_set_flush_and_destroy(ctx->conn);
} else {
/* The message was not queued. Destroy the connection right away. */
- hnb_context_release(ctx, true);
+ hnb_context_release(ctx);
}
}
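Review bot: After `hnb_context_release(ctx)` in the else branch, `ctx` and its connection are freed, yet nothing tells the caller so. The same applies in the hnbgw_rx_hnb_deregister hunk, where the release is followed by `return 0;`. If these handlers are reached from hnb_read_cb (not visible here), a success return lets the read path and the stream layer carry on with a freed context and connection, a use-after-free that a peer's message can trigger. Returning a dedicated negative value after the release, and propagating it unchanged out of the read callback, would make the teardown visible to every frame above. Both functions extend beyond their hunks, so the full return paths need checking against the file.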
@@ -401,7 +401,7 @@ static int hnbgw_rx_hnb_deregister(struct hnb_context *ctx, ANY_t *in)
hnbap_cause_str(&ies.cause));
hnbap_free_hnbde_registeries(&ies);
- hnb_context_release(ctx, true);
+ hnb_context_release(ctx);
return 0;
}