author | Jacob Erlbeck <jerlbeck@sysmocom.de> | 2016-01-20 22:02:19 +0100 |
---|---|---|
committer | Jacob Erlbeck <jerlbeck@sysmocom.de> | 2016-02-01 13:56:32 +0100 |
commit | c362df25a2eb469aa70827b469f3898447814697 (patch) | |
tree | d7d7e451c2d0a7f7e6096631ac03dfcfb446eae1 /src | |
parent | 27dc9414757df5436f7f5a5c8708219aa7a1ee6d (diff) |
pcu: Fix memory corruption bugs (ASAN)
ASAN has found improper deletion of objects. These only occur
on shutdown but make it impossible to run the test cases with
full ASAN support.
This commit fixes some of them and deactivates the freeing of the_pcu.bctx
which may cause a corruption in BTS::~BTS() later on.
Note that the latter is only a workaround and should be fixed
properly. It will leak bctx objects, but this is currently not
critical, since gprs_bssgp_destroy is only called once, immediately
before a call to exit().
Ticket: OW#1572
Sponsored-by: On-Waves ehf
Diffstat (limited to 'src')
-rw-r--r-- | src/bts.cpp | 5 | ||||
-rw-r--r-- | src/gprs_bssgp_pcu.cpp | 21 | ||||
-rw-r--r-- | src/gprs_ms_storage.cpp | 5 | ||||
-rw-r--r-- | src/gprs_ms_storage.h | 2 |
4 files changed, 25 insertions, 8 deletions
diff --git a/src/bts.cpp b/src/bts.cpp index 5e29364e..d1d738c6 100644 --- a/src/bts.cpp +++ b/src/bts.cpp @@ -150,7 +150,12 @@ BTS::BTS() BTS::~BTS() { + /* this can cause counter updates and must not be left to the + * m_ms_store's destructor */ + m_ms_store.cleanup(); + rate_ctr_group_free(m_ratectrs); + osmo_stat_item_group_free(m_statg); } diff --git a/src/gprs_bssgp_pcu.cpp b/src/gprs_bssgp_pcu.cpp index a7391d92..838c667d 100644 --- a/src/gprs_bssgp_pcu.cpp +++ b/src/gprs_bssgp_pcu.cpp @@ -872,28 +872,33 @@ struct gprs_bssgp_pcu *gprs_bssgp_create_and_connect(struct gprs_rlcmac_bts *bts void gprs_bssgp_destroy(void) { - if (!bssgp_nsi) + struct gprs_ns_inst *nsi = bssgp_nsi; + if (!nsi) return; + bssgp_nsi = NULL; + osmo_timer_del(&the_pcu.bvc_timer); osmo_signal_unregister_handler(SS_L_NS, nsvc_signal_cb, NULL); the_pcu.nsvc = NULL; - /* FIXME: move this to libgb: btsctx_free() */ - llist_del(&the_pcu.bctx->list); - talloc_free(the_pcu.bctx); - the_pcu.bctx = NULL; - /* FIXME: blocking... */ the_pcu.nsvc_unblocked = 0; the_pcu.bvc_sig_reset = 0; the_pcu.bvc_reset = 0; the_pcu.bvc_unblocked = 0; - gprs_ns_destroy(bssgp_nsi); - bssgp_nsi = NULL; + gprs_ns_destroy(nsi); + + /* FIXME: move this to libgb: btsctx_free() */ + llist_del(&the_pcu.bctx->list); +#warning "This causes ASAN to complain. It is not critical for normal operation but should be fixed nevertheless" +#if 0 + talloc_free(the_pcu.bctx); +#endif + the_pcu.bctx = NULL; } struct bssgp_bvc_ctx *gprs_bssgp_pcu_current_bctx(void) diff --git a/src/gprs_ms_storage.cpp b/src/gprs_ms_storage.cpp index e0aee5ec..6a7f3360 100644 --- a/src/gprs_ms_storage.cpp +++ b/src/gprs_ms_storage.cpp @@ -34,6 +34,11 @@ GprsMsStorage::GprsMsStorage(BTS *bts) : GprsMsStorage::~GprsMsStorage() { + cleanup(); +} + +void GprsMsStorage::cleanup() +{ LListHead<GprsMs> *pos, *tmp; llist_for_each_safe(pos, tmp, &m_list) { diff --git a/src/gprs_ms_storage.h b/src/gprs_ms_storage.h index df788bf7..44ad0ed4 100644 
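Review bot: In gprs_bssgp_destroy() the `#if 0` around `talloc_free(the_pcu.bctx)` hides the lifetime problem rather than resolving it: the pointer is unlinked and set to NULL, so the object is leaked on every call, and the later access that the commit message places in BTS::~BTS() is left as it is. That is tolerable only while the function runs once, directly before exit(), and nothing in the code states or enforces that assumption. I would replace the `#warning`, which fires on every build and fails one that uses -Werror, with a comment recording the constraint, e.g. `/* FIXME (OW#1572): bctx is leaked on purpose; freeing it here was flagged by ASAN. Only acceptable while this runs once, directly before exit(). */`. Separately, `llist_del(&the_pcu.bctx->list)` dereferences the_pcu.bctx without a NULL check; whether it can be NULL at this point is not visible in the hunk.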
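Review bot: GprsMsStorage::cleanup() now runs twice for a storage that is a member of BTS (as m_ms_store appears to be), once from the explicit `m_ms_store.cleanup()` call in BTS::~BTS() and again from ~GprsMsStorage(), so it has to leave m_list empty and be safe to repeat. The loop body lies outside this hunk, so that cannot be confirmed here; if each iteration unlinks its entry the second pass is a no-op, otherwise it would walk objects that were already released. The declaration added in gprs_ms_storage.h carries no comment; I would document the contract there, e.g. `/* Release all stored GprsMs objects. Must be idempotent: also invoked from the destructor. */`.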
--- a/src/gprs_ms_storage.h +++ b/src/gprs_ms_storage.h @@ -33,6 +33,8 @@ public: GprsMsStorage(BTS *bts); ~GprsMsStorage(); + void cleanup(); + virtual void ms_idle(class GprsMs *); virtual void ms_active(class GprsMs *); |