<p>pespin has uploaded this change for <strong>review</strong>.</p><p><a href="https://gerrit.osmocom.org/c/osmo-pcu/+/25776">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;">tbf: Avoid keeping poll nodes in pdch_ulc of temporary control_ts used during PACCH assignment<br><br>When MS sends us the Packet Resource Request as RRBP from final UL ACK/NACK, we create a new TBF<br>with a different set of allocated TS. However, we must send the Pkt UL Assignment with information<br>of the new TBF using that same TS where we receive the Packet Resource Request, which happens to<br>be the control TS of the previous/old TBF. The original control TS of the new TBF is kept in<br>tbf->first_common_ts.<br><br>Hence the code does gprs_rlcmac_pdch::rcv_resource_request():<br>"""<br>ul_tbf->control_ts = ts_no;<br>"""<br><br>And later, when we receive a CTRL ACK answering the Pkt UL Assigment, we change the control TS of<br>the new TBF back to the new one, by calling tbf_assign_control_ts(), which basically does:<br>"""<br>tbf->control_ts = tbf->first_common_ts;<br>"""<br><br>So, for instance we have a TBF which was allocated with tbf->control_ts=4 and hence is only attached<br>to PDCH 4 (tbf->pdch[]), but for which is temporarily applied tbf->control_ts=7. Hence, when a poll<br>is requested, it is done in control_ts, aka 7, which is not in the array of attached PDCH.<br><br>The problem is of course if we never reach the point where the final control_ts is set, due to never<br>receiving the CTRL ACK. If the TBF is freed (due to timer X2001) before receiving the CTRL ACK and<br>hence tbf_assign_control_ts() is called, a crash may occur, because potentially a poll for the TBF is<br>left in TS 7 because it's not a PDCH attached to the TBF and hence poll<br>entries on that TS are not released, hence keeping a pointer to the<br>freed TBF.<br><br>Related: SYS#5647<br>Change-Id: I0c49f2695e0d932d956c01976c9458eebee63cd4<br>---<br>M src/tbf.cpp<br>1 file changed, 10 insertions(+), 0 deletions(-)<br><br></pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;">git pull ssh://gerrit.osmocom.org:29418/osmo-pcu refs/changes/76/25776/1</pre><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/src/tbf.cpp b/src/tbf.cpp</span><br><span>index af15c72..0331a80 100644</span><br><span>--- a/src/tbf.cpp</span><br><span>+++ b/src/tbf.cpp</span><br><span>@@ -243,6 +243,16 @@</span><br><span> {</span><br><span> int ts;</span><br><span> </span><br><span style="color: hsl(120, 100%, 40%);">+ /* During assignment (state=ASSIGN), tbf may be temporarily using</span><br><span style="color: hsl(120, 100%, 40%);">+ * tbf->control_ts from a previous TBF/SBA to transmit the UL/DL</span><br><span style="color: hsl(120, 100%, 40%);">+ * Assignment, which may not be necessarly be a TS where the current TBF</span><br><span style="color: hsl(120, 100%, 40%);">+ * is attached to. Hence, we may have ULC pollings ongoing and we need</span><br><span style="color: hsl(120, 100%, 40%);">+ * to make sure we drop all reserved nodes there: */</span><br><span style="color: hsl(120, 100%, 40%);">+ if (tbf_state(tbf) == TBF_ST_ASSIGN &&</span><br><span style="color: hsl(120, 100%, 40%);">+ tbf->control_ts != TBF_CONTROL_TS_UNSET && !tbf->pdch[tbf->control_ts])</span><br><span style="color: hsl(120, 100%, 40%);">+ pdch_ulc_release_tbf(tbf->trx->pdch[tbf->control_ts].ulc, tbf);</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+ /* Now simply detach from all attached PDCHs */</span><br><span> for (ts = 0; ts < 8; ts++) {</span><br><span> if (!tbf->pdch[ts])</span><br><span> continue;</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.osmocom.org/c/osmo-pcu/+/25776">change 25776</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.osmocom.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.osmocom.org/c/osmo-pcu/+/25776"/><meta itemprop="name" content="View Change"/></div></div>
<div style="display:none"> Gerrit-Project: osmo-pcu </div>
<div style="display:none"> Gerrit-Branch: master </div>
<div style="display:none"> Gerrit-Change-Id: I0c49f2695e0d932d956c01976c9458eebee63cd4 </div>
<div style="display:none"> Gerrit-Change-Number: 25776 </div>
<div style="display:none"> Gerrit-PatchSet: 1 </div>
<div style="display:none"> Gerrit-Owner: pespin <pespin@sysmocom.de> </div>
<div style="display:none"> Gerrit-Reviewer: Jenkins Builder </div>
<div style="display:none"> Gerrit-MessageType: newchange </div>