On Mon, Nov 10, 2014 at 02:29:37PM -0600, Ciaby wrote:
(gdb) p *ho->old_lchan
$1 = {ts = 0x7fb1a80fa020, nr = 0 '\000', type = GSM_LCHAN_TCH_F,
  rsl_cmode = RSL_CMOD_SPD_SIGN, tch_mode = GSM48_CMODE_SIGN, csd_mode = LCHAN_CSD_M_NT,
  state = LCHAN_S_ACTIVE, bs_power = 0 '\000', ms_power = 5 '\005',
  encr = {alg_id = 1 '\001', key_len = 0 '\000', key = '\000' <repeats 15 times>}, mr_conf = {
(gdb) p *ho->old_lchan->conn
$2 = {entry = {next = 0x66ebb0, prev = 0x66ebb0},
  subscr = 0x0, expire_timer_stopped = 0 '\000', next_rp_ref = 0 '\000',
  loc_operation = 0x0, sec_operation = 0x0, anch_operation = 0x9ceed0,
  silent_call = 0, put_channel = 0, sccp_con = 0x0, in_release = 0,
  lchan = 0x7fb1a80fb128, ho_lchan = 0x7fb1a80dd0b0, bts = 0x8a3290,
  T10 = {node = {rb_parent_color = 0, rb_right = 0x0, rb_left = 0x0},
    list = {next = 0x0, prev = 0x0}, timeout = {tv_sec = 0, tv_usec = 0},
    active = 0, cb = 0, data = 0x0},
  secondary_lchan = 0x0}
a.) The lchan has been re-used and "old_lchan" is already for someone
new.
b.) We start the handover too early. E.g. while still trying to
determine the subscriber?
diff --git a/openbsc/src/libbsc/handover_logic.c b/openbsc/src/libbsc/handover_logic.c
index 22f9883..d7e1a16 100644
--- a/openbsc/src/libbsc/handover_logic.c
+++ b/openbsc/src/libbsc/handover_logic.c
@@ -93,6 +93,9 @@ int bsc_handover_start(struct gsm_lchan *old_lchan, struct gsm_bts
*bts)
if (bsc_ho_by_old_lchan(old_lchan))
return -EBUSY;
+ if (!old_lchan->conn->subscr)
+ return -EBUSY;
+
DEBUGP(DHO, "(old_lchan on BTS %u, new BTS %u)\n",
old_lchan->ts->trx->bts->nr, bts->nr);
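Review bot: the added `if (!old_lchan->conn->subscr)` dereferences `old_lchan->conn` without first checking that `conn` itself is non-NULL, so under hypothesis a.) (the lchan released and re-used since the handover decision was taken) this new line would become the crash site rather than prevent one; guard both levels, e.g. `if (!old_lchan->conn || !old_lchan->conn->subscr)`. Returning -EBUSY here also makes this indistinguishable from the `bsc_ho_by_old_lchan()` "handover already in progress" refusal just above it; a distinct return value (e.g. -EINVAL) or a `DEBUGP(DHO, ...)` line like the one that follows would let the log show which guard actually fired when the band-aid is hit.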
this would be a band-aid and it would be interesting if you still see
the crash.
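As an added illustration of the two hypotheses above (this is stand-alone example code, not OpenBSC's own handover_logic.c): a minimal model of the entry check, with the real gsm_lchan / gsm_subscriber_connection types replaced by stand-in structs that carry only the fields the check touches. It shows why the NULL test has to be applied at both levels: in scenario a.) the re-used channel may no longer have a conn at all, in scenario b.) the conn exists but its subscriber has not been determined yet. The three scenario functions use constructed data, not values from a real trace.

```c
/* Added example, not OpenBSC code: stand-in types for the fields the
 * handover entry check touches. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

struct subscriber { const char *imsi; };

struct conn {
    struct subscriber *subscr;  /* NULL until the subscriber is known */
};

struct lchan {
    struct conn *conn;          /* NULL once the channel is released/re-used */
};

/* Model of the entry check in a bsc_handover_start()-like function:
 * 0 means the handover may proceed, a negative errno means it is refused.
 * Testing conn before conn->subscr is what keeps scenario a.) from
 * crashing on the check itself. */
int handover_start_checked(const struct lchan *old_lchan)
{
    if (old_lchan == NULL || old_lchan->conn == NULL)
        return -EINVAL;         /* no connection: channel gone or re-used */
    if (old_lchan->conn->subscr == NULL)
        return -EBUSY;          /* subscriber not yet determined: too early */
    return 0;
}

/* Constructed scenarios (sample data, not taken from a real trace). */
int scenario_normal(void)
{
    struct subscriber s = { "001010000000001" };   /* constructed IMSI */
    struct conn c = { &s };
    struct lchan l = { &c };
    return handover_start_checked(&l);
}

int scenario_too_early(void)                       /* hypothesis b.) */
{
    struct conn c = { NULL };                      /* conn exists, subscr not yet set */
    struct lchan l = { &c };
    return handover_start_checked(&l);
}

int scenario_reused(void)                          /* hypothesis a.) */
{
    struct lchan l = { NULL };                     /* channel has no conn any more */
    return handover_start_checked(&l);
}

int main(void)
{
    printf("normal:    %d\n", scenario_normal());
    printf("too early: %d\n", scenario_too_early());
    printf("re-used:   %d\n", scenario_reused());
    return 0;
}
```

The distinct return values are deliberate: a log line keyed on them tells you which of the two hypotheses the band-aid actually caught, which a single -EBUSY for every refusal cannot.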