[MERGED] osmo-bsc[master]: fix segfault upon release paging on BSSMAP Reset: init llist


Harald Welte gerrit-no-reply at lists.osmocom.org
Wed Dec 13 20:18:23 UTC 2017


Harald Welte has submitted this change and it was merged.

Change subject: fix segfault upon release paging on BSSMAP Reset: init llist
......................................................................


fix segfault upon release paging on BSSMAP Reset: init llist

Initialize the llist head gsm_bts->paging.pending_requests at the time gsm_bts
is allocated, not only at paging_init_if_needed().

The gsm_bts->paging sub-struct is invalid as long as gsm_bts->paging.bts
doesn't point back to bts. Hence the recently added iteration of
gsm_bts->paging.pending_requests should have checked whether bts is NULL. The
llist_head pending_requests is not initialized unless paging_init_if_needed()
has been called (and paging.bts is hence set). However, this fix is a safer way
to prevent errors like this in general.

The segfault was introduced by d382bf63e2b7e28fe41c5310c26fe584f0356897 /
If3f53d3bb66ad2dc02db823cb813590c6b59c700

Related: OS#2747
Change-Id: Idfafac4e2c0e0a241a62aecbbdc22be71febf840
---
M src/libbsc/paging.c
M src/libcommon/gsm_data_shared.c
2 files changed, 8 insertions(+), 1 deletion(-)

Approvals:
  Harald Welte: Looks good to me, approved
  Jenkins Builder: Verified



diff --git a/src/libbsc/paging.c b/src/libbsc/paging.c
index 8d54d0a..d657bd3 100644
--- a/src/libbsc/paging.c
+++ b/src/libbsc/paging.c
@@ -240,7 +240,11 @@
 		return;
 
 	bts->paging.bts = bts;
-	INIT_LLIST_HEAD(&bts->paging.pending_requests);
+
+	/* This should be initialized only once. There is currently no code that sets bts->paging.bts
+	 * back to NULL, so let's just assert this one instead of graceful handling. */
+	OSMO_ASSERT(llist_empty(&bts->paging.pending_requests));
+
 	osmo_timer_setup(&bts->paging.work_timer, paging_worker,
 			 &bts->paging);
 
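Review bot: replacing INIT_LLIST_HEAD() with OSMO_ASSERT(llist_empty(&bts->paging.pending_requests)) makes paging_init_if_needed() abort on any gsm_bts whose list head was never initialized at allocation, so every allocation path for gsm_bts must now go through the initialization added in gsm_data_shared.c; worth confirming no other allocator exists and stating that dependency in the comment. Note also that the assert checks for an empty list, not for "initialized only once" as the comment says: it would equally fire if a paging request were queued before this function ran, which is the acceptable outcome here, but the comment should say what is actually being asserted, e.g. "pending_requests must have been initialized (and be empty) at gsm_bts allocation time".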
diff --git a/src/libcommon/gsm_data_shared.c b/src/libcommon/gsm_data_shared.c
index 2f7e7e3..30ef1ca 100644
--- a/src/libcommon/gsm_data_shared.c
+++ b/src/libcommon/gsm_data_shared.c
@@ -364,7 +364,10 @@
 
 	bts->rach_b_thresh = -1;
 	bts->rach_ldavg_slots = -1;
+
 	bts->paging.free_chans_need = -1;
+	INIT_LLIST_HEAD(&bts->paging.pending_requests);
+
 	bts->features.data = &bts->_features_data[0];
 	bts->features.data_len = sizeof(bts->_features_data);
 
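Review bot: the added INIT_LLIST_HEAD(&bts->paging.pending_requests) is the actual fix, since a zeroed llist_head dereferences NULL on iteration while an initialized empty one iterates zero times, but nothing in this hunk records that the rest of bts->paging (bts pointer, timers) stays uninitialized until paging_init_if_needed(). A one-line comment next to the INIT_LLIST_HEAD() saying that only pending_requests is safe to walk before paging_init_if_needed() would keep the next person from assuming the whole sub-struct is usable here.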

-- 
To view, visit https://gerrit.osmocom.org/5327
To unsubscribe, visit https://gerrit.osmocom.org/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Idfafac4e2c0e0a241a62aecbbdc22be71febf840
Gerrit-PatchSet: 1
Gerrit-Project: osmo-bsc
Gerrit-Branch: master
Gerrit-Owner: Neels Hofmeyr <nhofmeyr at sysmocom.de>
Gerrit-Reviewer: Harald Welte <laforge at gnumonks.org>
Gerrit-Reviewer: Jenkins Builder