EUTRAN neighbors can be deleted using the following command:
$ osmo_ctrl.py \
-d 127.0.0.1 -p 4249 \
-s "bts.0.si2quater-neighbor-list.del.earfcn" EARFCN
UTRAN neighbors can be deleted using the following command:
$ osmo_ctrl.py \
-d 127.0.0.1 -p 4249 \
-s "bts.0.si2quater-neighbor-list.del.uarfcn" UARFCN,SCRAMBLE
This commit implements only deletion, implementing the add command
would require slightly more effort (lots of manual string parsing),
so it's left as a TODO for later.
The BTS can immediatelly ACK the OPSTART, but that doesn't mean the TS
is already usable. It should only be used when the BTS reports it is in
Don't fall back to the legacy config if the pool is configured but no
connection to any pool member can be established.
Depends: osmo-mgw I009483ac9dfd6627e414f14d43b89f40ea4644db
NSVC local port 0 is actually a valid value, which tells the PCU to
pick a random port for bind()ing. It was supported before 315af2f9e,
but now osmo-bsc would simply ignore NSVCs with 'local udp port 0'
and leave the respective MOs unconfigured in the BTS.
Fixes: 315af2f9e "bts: ipa/osmo-bts/sysmobts: MO: add support for the second NSVC"
User reports a SEGV:
Program terminated with signal SIGSEGV, Segmentation fault.
#0 send_assignment_complete (conn=conn@entry=0x557dbabb75a0) at assignment_fsm.c:188
#1 0x0000557db66aa6b0 in assignment_success (conn=0x557dbabb75a0) at assignment_fsm.c:277
#2 0x00007f6007afee82 in _osmo_fsm_inst_dispatch (fi=0x557db9615b80, event=4, data=0x0, file=0x7f6007a7dc21 "mgcp_client_endpoint_fsm.c", line=513) at fsm.c:875
#3 0x00007f6007a78c12 in ?? () from /lib/x86_64-linux-gnu/libosmo-mgcp-client.so.9
version: osmo-bsc 126.96.36.199.fc339.202212220009
The situation apparently is conn->lchan == NULL (primary lchan is gone),
but Assignment has just concluded. Apparently an unexpected / orthogonal
event has interrupted operations.
During assignment_success(), do not assume that conn->lchan is still
present. This should normally be true, but if not, fail the assignment
procedure instead of crashing osmo-bsc.
The current PCU implementation has never been tested with multiple BTS
attached to it. This is due to the fact that it has been used
exclusively in an BTS co-located setup where naturally only one BTS is
present. The PCU sock protocol supports multiple BTSs in theory and we
should handle this correctly.
When updating the BTS information in the bsc co-located PCU, first check
if the BTS has a BSC co-located PCU at all. Also check if the BTS is E1
based since those type of BTS require extra information about the E1
At the momemnt we use is_ericsson_bts() to check if the BTS uses a BSC
co-located PCU, this is a bit ambiguous, lets have a function that
explicitly checks for a BSC co-located PCU and nothing else.
Since there were complaints about this old parsing code during recent
code review in Ifdc9e04bf1d623da65bfb8a2fddea765601f6d9b, and now also
coverity finds something odd in it, just rewrite this.
In osmo-bsc, there's currently 0..1 Lb links and 0..N A links, where N
is the number of MSC, but links can be shared in the underlaying stack
(struct osmo_sccp_instance), hence range 0..N of different
osmo_sccp_instance (identified by PC).
Even more, the Lb and A link can share the same underlaying stack, so
osmo-bsc can end up with only 1 struct osmo_sccp_instance shared by all
the above mentioned links in case all are configured under the same PC.
Total range A+Lb is 0..(1+N).
A struct gsm_subscriber_conn stores 2 struct sccp_instance*, one for
Lb (conn->lcs.lb.*)and one for A (conn->sccp.*).
They can actually point to the same sccp_instance or to different ones,
as explained above, depending on the configured setup. In any case, a
gsm_subscriber_conn needs 2 rb_nodes since it can hold
any of the 2 conn_ids independently (A or Lb).
The previous patch forgot to add that 2nd rb_node as well as some
initialization and release code for the Lb conn. This patch addresses
When the 2nd rb_node, a problem when iterating the rbtree appears: how to
find out the "conn" pointer from the rb_node pointer, since the rb_node pointer
can be any of the 2 rb_nodes inside the struct at a different offsets.
In order to solve that problem, a new struct bscp_sccp_conn_node is
added, which holds all the relevant information used by the rbtree lookup code
in a generic way (rb_node and conn_id), plus a backpointer to the struct
bsc_gsm_subcriber it relates too.
It was found that on a busy osmo-bsc process (>1000 concurrent calls
spead over different BTSs), a good amount of time is spent iterating the
subscribers list trying to find a subscriber based on a TMSI (1.60% of
total CPU time used by osmo-bsc).
This patch introduces a new rbtree under struct bsc_subscr_store which
allows storing all the busbs ordered by TMSI.
This way, lookup time changes O(N) -> O(log(N)), at the expense of
increased insert/deletion time O(1) -> O(log(N)).
This allows keeping the bsc_subscriber storage internals outside of main
gsm_network code, while easily allowing making the internal
implementation more complex (in order to optimize it in a follow-up
It is also nice since we get rid of uncommon procedures being used in
this code, like allocating an llist directly as a talloc context, etc.
The function was currently in osmo_bsc_sigtran.c but was never used
there, and it really doesn't have any relation to that file.
Let's move it to the only place where it's used so far, and mark it as
It was found that, on a busy osmo-bsc (>1000 concurrent calls spread over
several BTS), the CPU consumption looking up for gsm_subscriber_conn
based on SCCP conn_id can take a considerable amount of time (>5% of
osmo-bsc already taking 70% of the CPU time on the core it is running on).
The huge CPU consumption happens because a linear search is done (llist)
over the entire list of SCCP connections every time an SCCP message is
In order to optimize this lookup, this patch introduces a new struct
bsc_sccp_inst which becomes associated to the libosmo-sccp
osmo_sccp_instance. Each of this strucs maintains an rbtree of
gsm_subscriber_conn ordered by conn_id.
As a result algorithmic complexity adds O(log(N)) during insert, lookup
and delete of SCCP conns, but gets rid of O(N) previous lookup.
As a plus, finding a new conn_id now takes generally O(log(N)), while
before it used to take O(N).
Refactor the double loop to check a code path matching the sccp_instance
once instead of doing so for every subscr_conn.
If for instance let's say we have 1000 concurrent calls in progress,
which means we have 1000 subscr_conn, which means we at least do the
extra check regarding SMLC vs MSC 1000 times (at least, xN times if N
conn_id already used are already found).
That overhead happens every time a new subscr_conn is created (which in
a BSC with already 1000 concurrent calls can potentially happen quite
Function bsc_sccp_inst_next_conn_id() allocating conn_id creates address
spaces based on sccp_instance, aka conn_id values can be reused given
the sccp_instance (MSC) is different.
Hence, when looking up a bsc_conn based on a conn_id, it must also match
the sccp_instance, otherwise a bsc_conn from another MSC could be
The 0x00FFFFFF source local reference is reserved in M3UA/SCCP, hence
avoid allocating a conn_id with that value since later on when reused as
a source local reference it would fail to be encoded.
Currently, the conn_id is allocated in a range 0..0xffffff by
bsc_sccp_inst_next_conn_id(), and -1 means it is unset.
This means allocation expects "int" to be at least 32 bits integer,
in order to fit 24 bits for 0..0xffffff plus the -1.
Hence, let's define the variable as uint32_t, as already done in
libosmo-sccp. Use last value 0xFFFFFFFF ((uint32_t)-1) and avoid playing
with the value being unsigned sometimes and signed only for "unset"
The value is actually already handled as unsigned (printed with %u) in
It's possible that a BTS gets disconnected, updated to a more recent
version or downgraded to an older version, and then connects to the
BSC again. That more recent or older BTS version may have a different
set of supported features, so osmo-bsc must not trust the previously
reported feature vector.
All non ericsson BTSs we support use a BTS co-located PCU, so we must
not depend on a PCU connection in those cases.
Fixes: ecf825dc ("pcu_sock: activate/deactivate PDCH on pcu reconnect")
When the IMMEDIATE ASSIGNMENT is sent from the PCU to the BSC using the
"direct TLLI" method, the TLLI (and the last three digits of the IMSI)
is prepended to the MAC block. Currently we are taking the fields apart
manually using offsets. The code for this is difficult to read and the
method is error prone. Let's define a struct that we can just overlay
to access the fields directly. Let's also transfer the full IMSI.
When the PCU is disconnected while the BSC keeps running the PDCH should
be closed. Also the PDCH should be reopened when the PCU is
When a data request is received from the PCU, some of the switch cases
allocate a message buffer but the message buffer is only used to pass
its data and length to other functions. The message buffer itself is not
passed anywhere and it is also not freed. Lets get rid of the message
buffer and avoid unnecessary memcopy calls.
Use the full gsm0808_chan_indicator value throughout the lchan related
structs (assignment_fsm_data, gsm_lchan, lchan_activate_info,
lchan_modify_info) instead of reducing it to the boolean
This is needed so we don't lose the information whether an lchan was
requested for data or speech (both need an rtp stream).
Add a new bsc_chan_ind_requires_rtp_stream function and use it in
conditionals like the previous requires_voice_stream.
Replace check_requires_voice_stream, which used to iterate over
ch_mode_rate_list and verify that all entries are either for speech or
signalling. Instead verify in check_chan_mode_rate_against_ch_indctr,
that all entries of ch_mode_rate_list have a chan_mode that matches the
ch_indctr (data, speech, signalling; called "speech / data indicator" in
3GPP TS 48.008 § 188.8.131.52).
This ensures that all of them are either data, speech or signalling and
Remove "speech mode" from the log message, as the log message is
relevant for CSD too. According to 3GPP TS 48.008 § 184.108.40.206 note 13 the
IE shall be included for AoIP unless channel type is signalling.
Handle assignment requests for CSD. In this initial version, the code
for non-transparent data mode is a stub.
Depends: libosmocore Ia965cdd9f53af756e5ffaff9b8f389b5ad629969
It looks like the idea was to translate the CSD rate from BSSAP to
lchan_csd_mode before translating it to RSL. But instead we can just
directly translate the BSSAP value to the RSL value.
The previous code was not used yet (nothing wrote to csd_mode).
Depends: libosmocore I25bfd02aa1428a35492b20376a31635a442e545f
gsm_pchan_ids exists only to compose osmo_fsm compliant IDs. We do
have osmo_fsm_inst_update_id_f_sanitize() now, rather use that.
This removes some confusion about which value_string array has an effect
on the VTY command 'ts' / 'phys_chan_config'.
Note that tests/bsc_test.ok does not change, hence the new way of
composing FSM IDs is identical to using the old gsm_pchan_ids.
This patch affects *only* on osmo_fsm instance IDs, which are visible on
the CTRL and VTY interfaces to identify FSM instances, and in the log.
Why bother: An upcoming patch wants to replace gsm_pchan_ids with
osmo_fsm_inst_update_id_f_sanitize(gsm_pchan_name(x)), this is an
explicit step to match gsm_pchan_names.
Show the timeslot_fsm, lchan_fsm, assignment_fsm fi->id strings.
The IDs include the current pchan configuration. I want to tweak the
composition of these in an upcoming patch, so the test should show
whether any FSM IDs change from that.
Change names of stat exports to be consistent with VTY,CTRL:
- from "chan_osmo_dyn" to "chan_dynamic_osmocom"
- from "chan_tch_f_pdch" to "chan_dynamic_ipaccess"
We already use "OSMO_DYN" as C name for "fully dynamic" timeslot config,
when working with osmo-bsc.cfg I dearly miss this short name, it is a
pain / has become ridiculous to write 'tch/f_tch/h_sdcch8_pdch'.
Introduce 'dynamic/osmocom' and 'dynamic/ipaccess' as default names for
our dynamic timeslots on VTY and CTRL. The old 'tch/f_tch/h_sdcch8_pdch'
and 'tch/f_pdch' are still supported.
I'm going to add a regression test that probes lchan_fsm. I noticed that
I have to call lchan_fsm_init() for osmo_fsm_register(). Let's make this
implicit as we usually do now, to not have to register FSMs in tests.
The length parameter in rsl_imm_assign_cmd_common() may cause a buffer
overflow when it is chosen larger than GSM_MACBLOCK_LEN. Lets make sure
this cannot happen.
Comparing an array to null is not useful, since the test will
always evaluate as true (NO_EFFECT).
Fixes: fbead4327 utils: store more fields from meas-feed in db
The PCU is able to send OML alerts via the BTS to the BSC. When the PCU
operates in co-location to the BSC we just print the alerts in the log
Move the translation from osmo_sockaddr_to_str_and_uint into
bssmap_handle_ass_req_tp_rtp_addr, which will be used by
bssmap_handle_ass_req_ct_data in a future patch too.
Pass pointers to variables in req, instead of duplicating variables and
filling it in later (like in bssmap_handle_ass_req_ct_sign).
Allow reusing common code in an upcoming bssmap_handle_ass_req_ct_data.
It won't use _osmux for now (maybe in the future?), but splitting it
out as well makes it consistent.
More fields need to be captured from meas-feed
to perform meaningful analysis of data from
multi-bts and multi-trx systems.
This patch adds expands the existing db utils
to record nearly all available fields from
Remove "Helper function for match_codec_pref()" at the beginning of the
descriptions of these functions, looks like a leftover from before this
was moved to its own c file. Remove a duplicated "received" in a
tall_ctr_ctx is not defined or used in osmo-bsc and apparently was only
exported by accident from libosmocore. It's not exported anymore since
libosmocore.map was introduced in I13169c00a59fb59513dfc598de5a71d094492422.
/usr/bin/ld: osmo_bsc_main.o: in function `main':
osmo_bsc_main.c:(.text+0x830d): undefined reference to `tall_ctr_ctx'
/usr/bin/ld: osmo_bsc_main.c:(.text+0x8331): undefined reference to `tall_ctr_ctx'
T23042 was a placeholder for timers to be filled in later. Replace it
with timers that can be configured via VTY.
Previous timeout for the states was 5s, from using the default of 5 for
* ASSIGNMENT_ST_WAIT_MGW_ENDPOINT_TO_MSC and
* Runs gscon_connect_mgw_to_msc() on enter, which waits for one MGCP
CRCX or MDCX response (or changes state immediately)
* Use existing X9 ("Timeout for availability of MGW endpoint"), 5s,
which is already being used by lchan_rtp_fsm for a similar purpose
* Handover initiation as described in 3GPP TS 04.08 § 220.127.116.11:
"The network initiates the handover procedure by sending a HANDOVER
COMMAND message to the mobile station on the main DCCH. It then
starts timer T3103."
* Use existing but unused timer T3103 ("Handover"), 5s
* Handover completion as described in 3GPP TS 04.08 § 18.104.22.168:
"When receiving the HANDOVER COMPLETE message, the network stops
timer T3103 and releases the old channels."
* Continue using T3103 with keep_timer = true
Remove placeholder timer T23042. This handover fsm state waits for both
RSL/RR and RTP/MGW to be complete. I've added TTCN-3 tests to ensure
that both cases are covered by existing timer T3101 in lchan fsm state
LCHAN_ST_WAIT_RLL_RTP_ESTABLISH, which on timeout lets the handover
Related: osmo-ttcn3-hacks I30e1811f97406cff6ba794fcd6882e2bb0205087
Related: osmo-ttcn3-hacks I2f79e3ff988a4315fbef3538f02403b818fa7839
Remove placeholder timer T23042.
> I think the right thing here is to remove this timeout; this needs
> no timeout at all because we can rely on the lchan_fsm to either
> return HO_EV_LCHAN_ACTIVE or HO_EV_LCHAN_ERROR after the usual
> timeouts set for lchan activation. IOW since it is internal to
> osmo-bsc one of the two events is guaranteed to occur.
> If we superimpose a timer on top of the lchan timeouts, configuring
> larger lchan activation timeouts becomes complex, because the user
> has to take care to also allow a larger timeout for the same
> procedure during HO.
In classic E1 based GSM networks the audio is usually transfered through
16bkps I.460 subslots while 4 16kbps subslots are multiplexed into one
E1 timeslot. However, there may be setups where still 16kbps subslots
are used, but with 1 instead of 4 channels per timeslot. In those cases
the bit offset is 0, while the rate is still 16kbps.
osmo-bsc requires the PCU to tag IMMEDIATE ASSIGNMENTS that shall be
sent via PCU with a TLLI. This is required to confirm the sending of the
IMMEDIATE ASSIGNMENT messages to the PCU.
The BSC has all information about the E1 line configuration of each
timeslot/channel. The PCU is responsible for opening and managing the
CCU connection. To enable the CCU to do that, we have to transfer the E1
connection information (which TS, SS, rate) to the PCU.
We have introduced the function extract_paging_group() with the previous
patch. Lets use it for PCU_IF_SAPI_PCH as well to remove code
The IMMEDIATE ASSIGNMENT for downlink TBFs needs to be sent through the
PCH instead of the AGCH. Since this method is not specified in RSL, it
is usually a vendor specific extension.
The current name of PCU_IF_SAPI_AGCH_DT is a bit misleading as it
describes a method to send immediate assignment messages (normally AGCH)
via the PCH. The name in the constant should reflect that correctly
A new VTY node was added in commit , but bsc_vty_go_parent() was
not updated. Because of that, commands following the MGW node may
crash osmo-bsc. In the example below:
network country code 901
mobile network code 70
periodic location update 30
the 'periodic location update 30' will trigger a segfault:
#0 0x00005555555dfc09 in cfg_net_per_loc_upd ()
#1 0x00007ffff7af6c3f in cmd_execute_command_strict () from /usr/local/lib/libosmovty.so.9
#2 0x00007ffff7af6f1c in config_from_file () from /usr/local/lib/libosmovty.so.9
#3 0x00007ffff7afd4e1 in vty_read_config_filep () from /usr/local/lib/libosmovty.so.9
#4 0x00007ffff7afe375 in vty_read_config_file () from /usr/local/lib/libosmovty.so.9
#5 0x0000555555579616 in bsc_network_configure ()
#6 0x000055555557a352 in main ()
because vty->index would be NULL after returning from the MGW node.
Fix this by adding the missing case to bsc_vty_go_parent().
Fixes:  8d22e68706
The intended endienaess for the remote_port member is host byte order,
while the endianess in the nsvc struct is in network byte order.
(see also pcu_sock.c in osmo-bts.git)
The Ericsson RBS is a BTS that natively works with dynamic timeslots.
This colides with the current understanding of static PDCH channels
because the BTSs we support so far get thier static PDCH information on
startup and then handle everything related internally. The BSC does not
actively manage the channel in those cases. In the case of Ericsson we
have to activate the PDCH via RSL like any other channel and the timeslot
FSM has to manage it. Lets not add work arouds for this, lets just print
and error message and use the BTS in the dynamic scheme as intended by
Before filling in the TS in the info indication, it is checked that the
MO opstate is enabled. Also it is checked that the TS serves a PDCH.
Lets restructure this check and move the PDCH check into a helper
function as we need to check for PDCH from other location as well later.
We send the TS_EV_OML_READY event early, even though the TRX is not
fully done with all OML initialization steps. Lets complete the TRX
initialization first and then notify each timeslot FSM with
The function pcu_tx_info_ind() fills the trx information in the info
indication. Since the function is already quite long, move the trx
related part into a sperate helper function.
The pcuif only supports a limited but sufficient number of TRXs. When
filling in the TRX array in info_ind, we must guard against overflowing
the maximum number of TRXs
The formula that is used to recover the (relative) frame number from the
T1, T2, T3 parameters matches the definition in the spec, but since the
partial term t3-t2 can be negative special precaution is required when
performing the MOD 26 operation. This is due to the truncated modulo
implementation in C/C++, which has a very specific understanding on how
to deal with negative input parameters.
The libosmocore gsm_gsmtime2fn(() offers a correct implementation, so
lets use it.
The function trx_get_hlayer1() is defined as a prototype but it is not
used anywhere and there is also no implementation, lets drop it.
The second NSVC MO has been explicit skipped and never been interacted with.
osmo-bts is already supporting it for a long time as well the PCU is
supporting it at least since the NS2 code migration.
Fixes the ttcn3 test case BTS_Tests.TC_pcu_socket_two_nsvc.
It was found in a BSC on the field that an MS sending an incorrect
MobileIdentity IE (wrong length) in PagingResponse was generating a
crash on the BSC.
When the MobileIdentity cannot be parsed right now we keep on instead of
rejecting the conn. This should change in the future, but it needs
further improvements in our TTCN3 tests. For now let's simply validate
the subscriber is not NULL; since recently paging optimizations made
paging_request_stop() require the subscriber to be non-null.