Attention is currently required from: fixeria, fixeria, laforge.
pespin has uploaded a new patch set (#5) to the change originally created by fixeria. ( https://gerrit.osmocom.org/c/osmo-bts/+/32552?usp=email )
Change subject: trx_if: Allow calling trx_if_flush/close from within TRXC callback (v2)
......................................................................
trx_if: Allow calling trx_if_flush/close from within TRXC callback (v2)
- If the llist is flushed during rx rsp callback, when the flow is returned to trx_ctrl_read_cb() it would access tcm which was in the llist and end up in use-after-free.
- We need to store state on whether code path is inside the read_cb in order to:
  -- Delay transmission of new message if callback calls trx_if_flush() followed by trx_ctrl_send(), since the trx_ctrl_send() at the end of trx_ctrl_read_cb would retransmit it again immediately.
  -- Avoid accessing tcm pointer if the callback called trx_if_flush(), since it has been freed.
Related: OS#6020
Change-Id: Ibdffa4644aa3a7d219452644d3e74b411734f1df
---
M src/osmo-bts-trx/l1_if.h
M src/osmo-bts-trx/trx_if.c
2 files changed, 52 insertions(+), 7 deletions(-)
git pull ssh://gerrit.osmocom.org:29418/osmo-bts refs/changes/52/32552/5
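The commit message describes a classic callback re-entrancy hazard: a list walker invokes a response callback, the callback frees the list (and maybe queues a new message), and the walker then touches the freed element or transmits the freshly queued message a second time. The following is an added, self-contained C model of the fix the message describes (an "inside the read callback" flag that defers transmission and skips the freed pointer). It is not osmo-bts code and does not use the osmo-bts API; every name (ctrl_if, ctrl_msg, in_read_cb, flushed_in_cb, the SETTSC/POWERON strings) is a hypothetical stand-in chosen for illustration.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not osmo-bts code: minimal model of the pattern described
 * in the commit message. All identifiers here are hypothetical. */

struct ctrl_msg {
	struct ctrl_msg *next;
	char cmd[32];
	int sent;                 /* times this message was transmitted */
};

struct ctrl_if {
	struct ctrl_msg *head;    /* head = in-flight message awaiting its response */
	bool in_read_cb;          /* true while the response callback is running */
	bool flushed_in_cb;       /* set if the callback flushed the queue */
	int tx_count;             /* total transmissions, for checking */
	void (*rsp_cb)(struct ctrl_if *ci, const char *rsp);
};

/* Transmit the head of the queue. Inside the read callback transmission is
 * deferred: ctrl_read_cb() sends once after the callback has returned, so a
 * message queued by the callback is not sent twice. */
static void ctrl_send(struct ctrl_if *ci)
{
	if (!ci->head || ci->in_read_cb)
		return;
	ci->head->sent++;
	ci->tx_count++;
}

static void ctrl_enqueue(struct ctrl_if *ci, const char *cmd)
{
	struct ctrl_msg *m = calloc(1, sizeof(*m));
	struct ctrl_msg **pp = &ci->head;

	strncpy(m->cmd, cmd, sizeof(m->cmd) - 1);
	while (*pp)
		pp = &(*pp)->next;
	*pp = m;
	if (m == ci->head)    /* queue was empty: nothing in flight, send now */
		ctrl_send(ci);
}

/* Free every queued message. If called from inside the read callback, record
 * it so the caller does not touch the (now freed) head afterwards. */
static void ctrl_flush(struct ctrl_if *ci)
{
	struct ctrl_msg *m = ci->head;

	while (m) {
		struct ctrl_msg *next = m->next;
		free(m);
		m = next;
	}
	ci->head = NULL;
	if (ci->in_read_cb)
		ci->flushed_in_cb = true;
}

/* A response to the in-flight message arrived: run the callback, then pop the
 * message (unless the callback already freed it) and send the next one. */
static void ctrl_read_cb(struct ctrl_if *ci, const char *rsp)
{
	struct ctrl_msg *tcm = ci->head;

	if (!tcm)
		return;
	ci->in_read_cb = true;
	ci->flushed_in_cb = false;
	if (ci->rsp_cb)
		ci->rsp_cb(ci, rsp);
	ci->in_read_cb = false;

	if (!ci->flushed_in_cb) {   /* tcm is still valid only in this case */
		ci->head = tcm->next;
		free(tcm);
	}
	ctrl_send(ci);              /* exactly one transmission of the new head */
}

/* Callback that flushes the queue and queues a fresh command: the case the
 * change is about. */
static void flush_then_resend_cb(struct ctrl_if *ci, const char *rsp)
{
	(void)rsp;
	ctrl_flush(ci);
	ctrl_enqueue(ci, "POWERON");   /* deferred until ctrl_read_cb() returns */
}

/* Scenario 1: callback flushes and re-queues. Returns how many times the new
 * head was transmitted (1), or -1 if the queue is unexpectedly empty. */
int scenario_flush_in_cb(void)
{
	struct ctrl_if ci = { .rsp_cb = flush_then_resend_cb };
	int sent;

	ctrl_enqueue(&ci, "SETTSC 7");          /* transmitted immediately */
	ctrl_read_cb(&ci, "RSP SETTSC 0");      /* frees SETTSC inside the cb */
	sent = ci.head ? ci.head->sent : -1;
	ctrl_flush(&ci);
	return sent;
}

/* Scenario 2: ordinary callback. Returns total transmissions (2): one per
 * message, the second sent only once its predecessor was answered. */
int scenario_plain(void)
{
	struct ctrl_if ci = { 0 };
	int tx;

	ctrl_enqueue(&ci, "SETTSC 7");
	ctrl_enqueue(&ci, "POWERON");           /* queued behind SETTSC */
	ctrl_read_cb(&ci, "RSP SETTSC 0");
	tx = ci.tx_count;
	ctrl_flush(&ci);
	return tx;
}
```

Without the two flags, scenario 1 would both read `tcm->next` after `ctrl_flush()` freed it and transmit POWERON twice (once from `ctrl_enqueue()` inside the callback, once from the send at the end of `ctrl_read_cb()`); the flags are cheap state that makes the walker's assumptions explicit and testable.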