From 3b4b7c1efd2e59296f5f5551170b2e2d1fa3ff14 Mon Sep 17 00:00:00 2001 From: Neels Hofmeyr Date: Mon, 13 Dec 2021 17:00:05 +0100 Subject: [PATCH] lchan/gscon: always clear both cross ref pointers During specific release scenarios, it became clear that an lchan still pointed at a conn even after it had been deallocated. That was due to setting conn->lchan = NULL but not lchan->conn = NULL. Fix that. Do lchan_forget_conn() first, because during gscon_forget_lchan() we may enter the gscon clearing dance, which in case of no SCCP conn being present will soon / should immediately deallocate the conn. Related: OS#5337 Related: I8c8537acf6b47b121903197608636c43ae601a57 (osmo-bsc) Change-Id: Idbfe4672233ba8105eff5ba77ee07fd871358255 --- src/osmo-bsc/lchan_fsm.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/src/osmo-bsc/lchan_fsm.c b/src/osmo-bsc/lchan_fsm.c index 5ae6df651..84f8dc5ef 100644 --- a/src/osmo-bsc/lchan_fsm.c +++ b/src/osmo-bsc/lchan_fsm.c @@ -478,8 +478,11 @@ static void lchan_reset(struct gsm_lchan *lchan) { LOG_LCHAN(lchan, LOGL_DEBUG, "Clearing lchan state\n"); - if (lchan->conn) - gscon_forget_lchan(lchan->conn, lchan); + if (lchan->conn) { + struct gsm_subscriber_connection *conn = lchan->conn; + lchan_forget_conn(lchan); + gscon_forget_lchan(conn, lchan); + } if (lchan->rqd_ref) { talloc_free(lchan->rqd_ref); @@ -1392,8 +1395,9 @@ static void lchan_fsm_wait_rf_release_ack_onenter(struct osmo_fsm_inst *fi, uint * lchan_reset(), we make sure it does. But in case of releases from error handling, the * conn might as well notice now already that its lchan is becoming unusable. */ if (lchan->conn) { - gscon_forget_lchan(lchan->conn, lchan); + struct gsm_subscriber_connection *conn = lchan->conn; lchan_forget_conn(lchan); + gscon_forget_lchan(conn, lchan); } rc = rsl_tx_rf_chan_release(lchan);