fix segfault upon release paging on BSSMAP Reset: init llist

Initialize the llist head gsm_bts->paging.pending_requests at the time gsm_bts
is allocated, not only at paging_init_if_needed().

The gsm_bts->paging sub-struct is invalid as long as gsm_bts->paging.bts
doesn't point back to bts. Hence the recently added iteration of
gsm_bts->paging.pending_requests should have checked whether bts is NULL. The
llist_head pending_requests is not initialized unless paging_init_if_needed()
has been called (and paging.bts is hence set). However, this fix is a safer way
to prevent errors like this in general.

The segfault was introduced by d382bf63e2 /
If3f53d3bb66ad2dc02db823cb813590c6b59c700

Related: OS#2747
Change-Id: Idfafac4e2c0e0a241a62aecbbdc22be71febf840

src/libbsc/paging.c

@@ -240,7 +240,11 @@ static void paging_init_if_needed(struct gsm_bts *bts)
 		return;
 
 	bts->paging.bts = bts;
-	INIT_LLIST_HEAD(&bts->paging.pending_requests);
+
+	/* This should be initialized only once. There is currently no code that sets bts->paging.bts
+	 * back to NULL, so let's just assert this one instead of graceful handling. */
+	OSMO_ASSERT(llist_empty(&bts->paging.pending_requests));
+
 	osmo_timer_setup(&bts->paging.work_timer, paging_worker,
 			 &bts->paging);
 

src/libcommon/gsm_data_shared.c

@@ -364,7 +364,10 @@ struct gsm_bts *gsm_bts_alloc(struct gsm_network *net, uint8_t bts_num)
 
 	bts->rach_b_thresh = -1;
 	bts->rach_ldavg_slots = -1;
+
 	bts->paging.free_chans_need = -1;
+	INIT_LLIST_HEAD(&bts->paging.pending_requests);
+
 	bts->features.data = &bts->_features_data[0];
 	bts->features.data_len = sizeof(bts->_features_data);