llme_free: clean up related sndcp

Fix crash in vty_dump_sne when sndcp->lle has already been deallocated.

Context:
* sndcp->lle is set only once in gprs_sndcp_entity_alloc()
* sndcp->lle is a struct gprs_llc_lle, which gets allocated and
  deallocated together with struct gprs_llc_llme. From gprs_llc.h:

    struct gprs_llc_llme {
            ...
            struct gprs_llc_lle lle[NUM_SAPIS];

Fixes: OS#4824
Change-Id: I707029f78222bc6335837241e5a08c54c5ae6eb3

2 files changed, 15 insertions, 0 deletions

diff --git a/src/sgsn/gprs_llc.c b/src/sgsn/gprs_llc.c
index eea1cecfa..453ded5db 100644
--- a/src/sgsn/gprs_llc.c
+++ b/src/sgsn/gprs_llc.c
@@ -590,6 +590,7 @@ static struct gprs_llc_llme *llme_alloc(uint32_t tlli)
 
 static void llme_free(struct gprs_llc_llme *llme)
 {
+	gprs_sndcp_sm_deactivate_ind_by_llme(llme);
 	gprs_sndcp_comp_free(llme->comp.proto);
 	gprs_sndcp_comp_free(llme->comp.data);
 	llist_del(&llme->list);
diff --git a/src/sgsn/gprs_sndcp.c b/src/sgsn/gprs_sndcp.c
index 6692f1ae5..d8982accb 100644
--- a/src/sgsn/gprs_sndcp.c
+++ b/src/sgsn/gprs_sndcp.c
@@ -544,6 +544,20 @@ int sndcp_sm_deactivate_ind(struct gprs_llc_lle *lle, uint8_t nsapi)
 	return 0;
 }
 
+/* Clean up all gprs_sndcp_entities related to llme (OS#4824) */
+void gprs_sndcp_sm_deactivate_ind_by_llme(struct gprs_llc_llme *llme)
+{
+	struct gprs_sndcp_entity *sne, *sne2;
+
+	llist_for_each_entry_safe(sne, sne2, &gprs_sndcp_entities, list) {
+		if (sne->lle->llme == llme) {
+			LOGP(DSNDCP, LOGL_INFO, "SNSM-DEACTIVATE.ind for SNDCP attached to llme=%p\n", llme);
+			/* Free and remove from list */
+			sndcp_sm_deactivate_ind(sne->lle, sne->nsapi);
+		}
+	}
+}
+
 /* Fragmenter state */
 struct sndcp_frag_state {
 	uint8_t frag_nr;