ipaccess_drop_oml was being called inside an osmo_fd cb context, were
-EBADF must be returned if the structure holding the osmo_fd is freed.
In the middle of the path (see OS#3495 for path tree) it goes through a
signal dispatch, so it's impossible to make sure we return some value to
the osmo_fd cb. As a result, it is required to defer dropping the OML
Link from current code path and do it through a timer.
Fixes following ASan report:
20180822124927913 <0004> abis_nm.c:787 OC=RADIO-CARRIER(02) INST=(00,00,ff): CHANGE ADMINISTRATIVE STATE NACK CAUSE=Message cannot be performed
20180822124927913 <0004> osmo_bsc_main.c:186 Got CHANGE ADMINISTRATIVE STATE NACK going to drop the OML links.
20180822124927913 <0015> bts_ipaccess_nanobts.c:406 (bts=0) Dropping OML link.
...
=================================================================
==17607==ERROR: AddressSanitizer: heap-use-after-free on address 0x62e000060a68 at pc 0x7f5ea8e27086 bp 0x7ffde92b6d80 sp 0x7ffde92b6d78
READ of size 8 at 0x62e000060a68 thread T0
#0 0x7f5ea8e27085 in handle_ts1_write input/ipaccess.c:371
#1 0x7f5ea8e27085 in ipaccess_fd_cb input/ipaccess.c:391
#2 0x7f5ea9147ca8 in osmo_fd_disp_fds libosmocore/src/select.c:217
#3 0x7f5ea9147ca8 in osmo_select_main libosmocore/src/select.c:257
#4 0x555813ab79d6 in main osmo-bsc/osmo_bsc_main.c:922
#5 0x7f5ea76d02e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
#6 0x555813ab84e9 in _start (/bin/osmo-bsc+0x34d4e9)
Fixes: OS#3495
Change-Id: I7c794c763481c28e8c35dc9b11d27969e16feb3c
Release and Rollback events are allowed but unhandled in states
WAIT_MGW_CONFIGURED and ROLLBACK, and hence would result in an assertion. Add
handling in these states.
Change-Id: Iab233c592384902098644eee27bb8445fde3aa6f
LOGPFOH uses the msgb through "foh", so we have to free msgb after
calling it, not before.
Fixes following ASAN report:
[0;m[1;36m20180822120155990 [1;34mDNM[0;m[1;36m <0004> abis_nm.c:1889 OC=CHANNEL(03) INST=(00,01,06): Set Chan Attr (bts=0,trx=1,ts=6)
[0;m=================================================================
==16465==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a00002b3f0 at pc 0x7f587f44c0db bp 0x7ffc59e31df0 sp 0x7ffc59e31de8
READ of size 1 at 0x61a00002b3f0 thread T0
#0 0x7f587f44c0da in abis_nm_dump_foh libosmocore/src/gsm/abis_nm.c:937
#1 0x561e09e1532c in abis_nm_set_channel_attr osmo-bsc/src/osmo-bsc/abis_nm.c:1892
#2 0x561e09efd269 in nm_statechg_event osmo-bsc/src/osmo-bsc/bts_ipaccess_nanobts.c:168
#3 0x561e09efd269 in bts_ipa_nm_sig_cb osmo-bsc/src/osmo-bsc/bts_ipaccess_nanobts.c:335
#4 0x7f587efb3d16 in osmo_signal_dispatch libosmocore/src/signal.c:120
#5 0x561e09e18e31 in abis_nm_rx_statechg_rep osmo-bsc/src/osmo-bsc/abis_nm.c:255
#6 0x561e09e18e31 in abis_nm_rcvmsg_report osmo-bsc/src/osmo-bsc/abis_nm.c:380
#7 0x561e09e18e31 in abis_nm_rcvmsg_fom osmo-bsc/src/osmo-bsc/abis_nm.c:778
#8 0x561e09e1dc19 in abis_nm_rcvmsg osmo-bsc/src/osmo-bsc/abis_nm.c:926
#9 0x7f587ec90cc2 in handle_ts1_read input/ipaccess.c:274
#10 0x7f587ec90cc2 in ipaccess_fd_cb input/ipaccess.c:389
#11 0x7f587efb1ca8 in osmo_fd_disp_fds libosmocore/src/select.c:217
#12 0x7f587efb1ca8 in osmo_select_main libosmocore/src/select.c:257
#13 0x561e09e049d6 in main osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:922
#14 0x7f587d53a2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
#15 0x561e09e054e9 in _start (/bin/osmo-bsc+0x34d4e9)
Fixes: OS#3494
Change-Id: I030117abfdcee387516a4dea7e1e6a9bae8055f6
The intention was to use the file's basename, but __BASE_FILE__ means "the root
file that is being parsed and contains #include statements".
If we had a function using __BASE_FILE__ and that was defined in an #included
file, __BASE_FILE__ would indicate the first file where the #include is, and
not the file where the function is defined. __BASE_FILE__ works for us because
we don't ever include function definitions that log something, so __BASE_FILE__
always coincides with __FILE__ for our logging; but still __BASE_FILE__ is
semantically the wrong constant.
Related: OS#2740
Change-Id: Ic6d9dafc96c9d467ae53be2cd41adcf26a4e5125
libosmocore recently had the new API introduced for this purpose.
Depends: libosmocore Change-Id Id58ca18eb826b8f4183a7cf0dbb2b38cba702a09
Change-Id: Id07260635327617f8da5050af1e906891a89c530
The example config file lacks a default port setting for the local
mgcp client port. Lets update that.
Change-Id: I6b1c5097d98ec2ab97d51f99b1105db3de85c75f
Related: OS#2874
It is theoretically possible to LCLS two legs that use different
codecs. However, this requires transcoding capabilities on the
local MGW. If the local MGW lacks transcoding features such a
local circuit should be avoided. Enabeling LCLS under such
coditions should be optional (VTY)
- Add check to avoid LCLS on different codec/rate
- Add VTY-Option to optionally override the check
(MGW is able to transcode)
Change-Id: I157549129a40c64364dc126f67195759e5f1d60f
Related: OS#1602
The API of a_reset.c is currently called with a pointer to struct
reset_ctx. This puts the responsibility of checking the presence of
msc->a.reset_fsm to the caller. It would be much more effective if the
caller would check if msc->a.reset_fsm before dereferencing it.
This also fixes at least one segfault that ocurrs when gscon_timer_cb()
is called but no sccp connection is present yet. Therefore the pointer
to bsc_msc_data would not be populated. This is now detected by
a_reset.c itsself.
- minor code cleanups
- call a_reset.c functions with msc (struct bsc_msc_data)
Change-Id: I0802aaadf0af4e58e41c98999e8c6823838adb61
Related: OS#3447
When no connection is present and had never existed, then
conn->sccp.msc is unpopulated. However, there may be situations where
osmo_bsc_sigtran_send() is executed while no connection is present.
At the moment we assert on conn->sccp.msc, which would cause osmo-bsc
to exit. In order to avoid this, better check conn->sccp.msc and drop
the sccp message when the check is negative.
- Remove assertion, add check.
Change-Id: I4eaa983702224e5995a388ea9890ee04212eb569
Related: OS#3446
The function osmo_bsc_sigtran_send() checks if the MSC is ready by
calling a_reset_conn_ready(). If it is not ready it returns with
-EINVAL. The msg message buffer is not freed, so we leak memory in those
edge cases.
- Make sure msg is freed when MSC is not ready.
- Add a comment that osmo_bsc_sigtran_send() takes ownership of msg
Change-Id: Ib1ff1d20e960a356bcee276b7c1bf9c93283e7af
When building with -Werror=format-security, such as our OBS builds,
it fails like this:
[ 118s] handover_fsm.c: In function 'parse_ho_request':
[ 118s] handover_fsm.c:478:4: error: format not a string literal and no format arguments [-Werror=format-security]
[ 118s] gsm0808_cell_id_name(&req->cell_id_serving));
[ 118s] ^~~~~~~~~~~~~~~~~~~~
[ 118s] handover_fsm.c:489:4: error: format not a string literal and no format arguments [-Werror=format-security]
[ 118s] gsm0808_cell_id_name(&req->cell_id_target));
[ 118s] ^~~~~~~~~~~~~~~~~~~~
[ 120s] cc1: some warnings being treated as errors
Let's make sure we don't call sprintf() and friends without a format
string. In fact, if we only want to copy a string without extra
formatting, use osmo_strlcpy() or OSMO_STRLCPY_ARRAY().
Change-Id: I56cff3618f012f6b019f4fca7e2768814487137a
In libosmocore Change-ID I1834d90fbcdbfcb05f5b8cfe39bfe9543737ef8f
we have introduced ipa_ccm_id_resp_parse() as a bugfixed replacement
of ipa_ccm_idtag_parse().
The main difference is that the returned "value" parts now have
a correct reported "length", whereas before this commit they all
reported a one-byte too-long "length" for each IE.
Change-Id: I7d5ab323989c13d0cc6ff05547306edb918e423f
In cases where a codec has no fixed (IANA) payload type number, a
dynamically coosen payload type number is used. For the route between
BSC and MSC 3GPP as designated certain payload type numbers. However,
beond that, those payload type numbers may not necessarly apply. The
RTP communication between BTS and BSC still might run on a completely
different payload type number.
libosmo-netif contains a header file which payload type numbers
shall be used. Lets use those in order to signal the same payload type
numbers as we actually use in the RTP packets to the MGW.
Change-Id: I507a1b1446c8f140b2950d73cf737797604c1ac3
Related: OS#2728
Related: OS#3384
The function mgcp_pick_codec is responsible to set the codec
information. In cases whee the codec type can not be determined
correctly it sets verb_info->codecs_len = 0, indicating to the caller
that no codocs are set. However, after that it does not return, it sets
an invalid codec anyway.
- Add missing return to keep the no-codec setting in case of error.
Change-Id: I8d1f8553357b6ad328ab1e5d4525fad0dd282a42
I often see "ERROR [ST_CLEARING] Entering ST_CLEARING not permitted!", avoid
the bogus error messages by checking entering ST_CLEARING only if not in it
yet. Still don't allow re-entering, to not restart the timeout.
Change-Id: Ia1f171c08dcbc529f907a20eed43bf5ee3a452b3
Remove as much as possible from bsc_api.h. Use '#pragma once'. Tweak head
comment.
BSC_API_CONN_POL_{ACCEPT,REJECT}: only user is static complete_layer3(), just
use a bool return value instead.
msc_connected(): only used in osmo_bsc_api.c, make static there.
Instead of including gsm_data.h, declare structs opaquely, include stdint.h.
codec_pref_test.c used this as indirect gsm_data.h include via osmo_bsc.h,
include gsm_data.h there directly.
osmo_bsc.h: instead of including bsc_api.h, declare opaque structs.
gsm_04_08_rr.h: declare opaque structs to replace indirect include of
gsm_data.h.
Change-Id: Ia9c0f9828317236048e40ec9ecf9990592e2190a
gsm0808_page() is just a thin wrapper for rsl_paging_cmd(), the only caller is
page_ms() from paging.c. Directly call rsl_paging_cmd() instead.
Move gsm0808_cipher_mode() to the only caller in osmo_bsc_bssap.c, make static.
Change-Id: Ib7ce026b52d4ba3e53a8b2824e74ea92432c48c5
The 'handover any' VTY command is only useful for testing. It is even more
useful if it doesn't always pick the first used lchan but produces more random
handovers.
The algorithm takes a random number as input, iterates over used lchans once,
and if the random number is larger, takes modulo of the nr of used lchans
counted. A second iteration will then produce a match.
Instead of figuring out the lchan type logic in bsc_vty.c, just use
lchan_select_by_type();
Change-Id: I50b70e02d665b967e401db65581e110bc83101e7
If a release event is being handled, ignore other ricocheting release events
until that release handling has concluded.
For example, if an lchan is regularly released, it signals the lchan RTP FSM to
release, which then calls back to say "RTP is released" on termination -- this
should not trigger other state changes than the initial release intends.
Change-Id: Iec41e006b6ab9d0f618d36925341f9536353e5d8
In various FSMs, some events may appear later or earlier without need of
action. Do not indicate these as 'ERROR' (event not permitted), but allow and
ignore them.
Debug-log about some of those.
From the old code, we've taken over the habit to change into
WAIT_BEFORE_RF_RELEASE even before SAPI[0] is released. Hence we may still
receive a SAPI[0] REL_IND in WAIT_BEFORE_RF_RELEASE. Don't show this as error
message, just silently accept it.
Change-Id: Ie320c7c6a1436184aaf2ec5a1843e04f4b3414ab
If PDCH ACT sending fails and we go back to UNUSED, the UNUSED onenter goes
right back to PDCH ACT and we loop. Avoid by going straight to broken state.
Actually, if we can't send messages, the timeslot is obviously broken, so also
enter the broken state if PDCH deactivation fails to be sent out.
Change-Id: Iebaffd0547a9651c5ba435b54dedab99c2cfdd31
Noticed by ttcn3-bsc-test: after TC_ms_rel_ind_does_not_cause_bssmap_reset the
test TC_dyn_pdch_ipa_act_deact would fail because RSL was still indicated as
available, and only OML was properly signalled as down.
Before recent commit I4843d03b3237cdcca0ad2041ef6895ff253d8419 to fix nanobts
and use only flags for RSL and OML presence, the timeslot FSM actually checked
RSL link presence and the lacking RSL DOWN event was not noticed.
Change-Id: I66c7fc5fcc676f4960f3d089b8c2ae5bce37ed99
Before this patch, the timeslot FSM receives OML and RSL ready events.
Afterwards, it relies on examining the RSL and OML status to match the received
events. This doesn't work for the ip.access nanobts, which fails to change the
CHANNEL OM's operational status even though it has sent an Opstart ACK. We
receive OML CHANNEL Opstart ACK, but the mo's state left at OP_STATE=Disabled.
We apparently cannot rely on the gsm_abis_mo state as assumed before this
patch, since changing the state depends on each BTS vendor's OML
implementation.
Also, implementation wise, it is better to not include assumptions on RSL and
OML implementations in the timeslot FSM. Simply receive the OML and RSL ready
events and remember that they arrived in dedicated flags.
Remove the no longer needed oml_is_ts_ready() callback from struct
gsm_bts_model added in:
commit 91aa68f762
"dyn TS: init only when both RSL and the Channel OM are established"
I99f29d2ba079f6f4b77f0af12d9784588d2f56b3
This keeps osmo-bts operational while fixing ip.access nanobts, where the
CHANNEL OM's state prevented the timeslot FSM from entering operation.
Change-Id: I4843d03b3237cdcca0ad2041ef6895ff253d8419
Add FSMs:
- timeslot_fsm: handle dynamic timeslots and OML+RSL availability.
- lchan_fsm: handle an individual lchan activation, RTP stream and release,
signal the appropriate calling FSMs on success, failure, release.
- mgw_endpoint_fsm: handle one entire endpoint with several CI.
- assignment_fsm: BSSMAP Assignment Request.
- handover_fsm: all of intra, inter-MO and inter-MT handover.
Above FSMs absorb large parts of the gscon FSM. The gscon FSM was surpassing
the maximum amount events (32), and it is more logical to treat assignment,
handover and MGW procedures in separate FSMs.
- Add logging macros for each FSM type:
- LOG_TS()
- LOG_LCHAN()
- LOG_MGWEP(), LOG_CI()
- LOG_ASSIGNMENT()
- LOG_HO()
These log with the osmo_fsm_inst where present.
New style decision: logging without a final newline char is awkward,
especially for gsmtap logging and when other logs interleave LOGPC() calls;
we have various cases where the final \n goes missing, and also this invokes
the log category checking N times instead of once.
So I decided to make these macros *always* append a newline, but only if
there is no final newline yet. I hope that the compiler optimizes the
strlen() of the constant format strings away. Thus I can log with or without
typing "\n" and always get an \n termination anyway.
General:
- replace osmo_timers, state enums and program-wide osmo_signal_dispatch()
with dedicated FSM timeouts, states and events.
- introduce a common way to handle Tnnn timers: gsm_timers.h/.c: struct T_def.
These can be used (with some macro magic) to define a state's timeout once,
and not make mistakes for each osmo_fsm_inst_state_chg().
Details:
bsc_subscr_conn_fsm.c:
- move most states of this FSM to lchan_fsm, assignment_fsm, handover_fsm and
mgw_endpoint_fsm.
- There is exactly one state for an ongoing Assignment, with all details
handled in conn->assignment.fi. The state relies on the assignment_fsm's
timeout.
- There is one state for an ongoing Handover; except for an incoming Handover
from a remote BSS, the gscon remains in ST_INIT until the new lchan and conn
are both established.
- move bssmap_add_lcls_status() to osmo_bsc_lcls.c
abis_rsl.c:
- move all dynamic timeslot logic away into timeslot_fsm. Only keep plain send/receive functions in
abis_rsl.c
- reduce some rsl functions to merely send a message, rename to "_tx_".
- rsl_ipacc_mdcx(): add '_tx_' in the name; move parts that change the lchan state out into the
lchan_fsm, the lchan->abis_ip.* are now set there prior to invoking this function.
- move all timers and error/release handling away into various FSMs.
- tweak ipa_smod_s_for_lchan() and ipa_rtp_pt_for_lchan() to not require an
lchan passed, but just mode,type that they require. Rename to
ipacc_speech_mode*() and ipacc_payload_type().
- add rsl_forward_layer3_info, used for inter-BSC HO MO, to just send the RR
message received during BSSMAP Handover Command.
- move various logging to LOG_LCHAN() in order to log with the lchan FSM instance.
One drawback is that the lchan FSM is limited to one logging category, i.e. this moves some logging
from DRR to DRSL. It might actually make sense to combine those categories.
- lose LOGP...LOGPC logging cascades: they are bad for gsmtap logging and for performance.
- handle_classmark_chg(): change logging, move cm2 len check out of the cm3 condition (I hope that's
correct).
- gsm48_send_ho_cmd(): split off gsm48_make_ho_cmd() which doesn't send right away, so that during
inter-bsc HO we can make an RR Handover Command to send via the MSC to the remote BSS.
assignment_fsm.c:
- the Chan Mode Modify in case of re-using the same lchan is not implemented
yet, because this was also missing in the previous implementation (OS#3357).
osmo_bsc_api.c:
- simplify bsc_mr_config() and move to lchan_fsm.c, the only caller; rename to
lchan_mr_config(). (bsc_mr_config() used to copy the values to mr_bts_lv
twice, once by member assignment and then again with a memcpy.)
- During handover, we used to copy the MR config from the old lchan. Since we
may handover between FR and HR, rather set the MR Config anew every time, so
that FR rates are always available on FR lchans, and never on HR lchans.
Depends: I03ee7ce840ecfa0b6a33358e7385528aabd4873f (libosmocore),
I1f2918418c38918c5ac70acaa51a47adfca12b5e (libosmocore)
Change-Id: I82e3f918295daa83274a4cf803f046979f284366
Rationale: bsc_api.c used to be a kind of kitchen sink for various
implementations, we want to dissolve it. Also, combining 0808 and 0408 in the
same c file causes "weird" linking dependencies for utility and test programs.
bsc_api.c will be completely dissolved in upcoming
Ib7ce026b52d4ba3e53a8b2824e74ea92432c48c5.
Change-Id: Ie8ee334145bf7bc3a601d395ea7ab9b2009b61c7
"utils" suggests thin helpers to aid using a proper API, while this .c file
actually *is* the proper RR API. Rename from "utils" to "rr".
Change-Id: I0ffff63d57f03cb324df8e40e41caea5b55a2c85
In certain situations like handover or assignment, DTAP must not go out via RSL
directly but is cached to be submitted later. Make sure that all RSL DTAP
sending adheres to this:
gscon_submit_rsl_dtap() is the new "public" API to request an RSL DTAP to be
sent. Depending on the gscon's state, this ends up in the cache or is sent
directly. When caching, there is no way to tell whether sending will succeed or
not, so semantically it does not make sense to even return a result code. Just
return void. Change all "public" callers to gscon_submit_rsl_dtap().
Merge gsm0808_submit_dtap() and submit_dtap() guts to gsm0808_send_rsl_dtap(),
static in bsc_subscr_conn_fsm.c: directly send DTAP, assume a conn->lchan to be
present, or otherwise trigger a BSSMAP Clear Request.
The static submit_dtap() becomes a thin convenience wrapper.
Move ho_dtap_cache* functions to bsc_subscr_conn_fsm.c and rename to
gscon_dtap_cache_* -- they are not only for handover, also for assignment.
Function gsm0808_submit_dtap() m
Introduce function gscon_submit_rsl_dtap()
Change-Id: I6ffd7aa641c8905292c769400048c96aa0949585
These reflect the plan for refactoring, and will be implemented by
I82e3f918295daa83274a4cf803f046979f284366 and
Id7a4407d9b63be05ce63f5f2768b7d7e3d5c86fb
Change-Id: I29e31b753e23a4207662e0e385a337e7df836f45
9-bit BSIC exist in the 3GPP specs, but we don't use them anywhere. Rather
remove that choice from the API and UI.
Change-Id: I29b92f47da2636d3a19f073755f9382fa98f9010
The payload constants for AMR, EFR, GSM-FR, and GSM-HR are already
defined in libosmo-netif, there is no need to re-define them locally.
- include rtp.h from libosmo-netif in abis_rsl.c
- remove duplicate payload type constants
Change-Id: Ib6a866b29d863d6875c67748dbe6b6468941ab29
Related: OS#2728
This check is not in all our repos that use git-version-gen. Indeed it
seems to be a leftover of openbsc where I think it wanted to ensure
being called in the openbsc subfolder or something? libosmocore e.g.
doesn't have it.
In any case .git being a directory is not always true (if using git
worktree) so remove this check.
Change-Id: I976dd4ff20cc5b220b244b1fb6192c0528c32638
Legacy compat: we used to not check the BTS codec-pref settings upon assignment
until we added checks for the BTS codec-pref in osmo-bsc
5bc43cd107, change-id
I285234e9c81de74d9fb9907fca2c443b08537435, "codec_pref: check bts codec
support". From that commit onwards, config setups without a 'codec-pref'
potentially stop working (like all osmo-gsm-tester runs just did), because with
no codec-pref settings, now only FR is permitted, while before the patch, we
would allow any codecs as long as MSC and the overall BSC config agree on them.
So, upon BTS initialization, enable all codecs. These get reset to a more fine
grained selection IF a 'codec-support' config appears in the config file (see
bsc_vty.c).
Change-Id: I4650a1f8e350c6f74f48391f43ddfe771be01e1b
The function lchan_free() is supposed to reset the lchan so that
it can be used by another connection. This function does not yet
reset the struct memebers in lchan->abis_ip. This may lead to
confusion if some other end re-uses that lchan and finds old RTP
voice port/ip settings there. Those data must be reset to
ensure it does accidently migrate into an unrelated conext.
- do a memset to 0 on lchan->abis_ip in lchan_free()
Change-Id: I0c99494292cd1d058a19a21413d0ddb51471c6be
Related: OS#3396
The vty option bts->codec-support allows the user to set the supported
codecs per BTS level. However, those values are currently only used to
make the handover decision but the logic that handles the BSSMAP
ASSIGNMENT REQUEST does not check those flags.
- Do not ignore bts->codec-support flags on BSSMAP ASSIGNMENT REQUEST
Change-Id: I285234e9c81de74d9fb9907fca2c443b08537435
Closes: OS#3361
At the moment there are three sources that may advertise a list of
supported audio codec/rate settings. There is the MS that advertises
advertises a speech codec list and the MSC that sends a channel type
information element over A and there are also settings in the bsc
configuration file that may restrict the codec/rate types that are
allowed to use.
The function match_codec_pref() looks at all of the three buckets and
selects a codec that satisfies all three. This is already a somewhat
complicated process, overit is very isolated, so lets give it its own
c-file.
Due to the lack of unit-tests it is very hard to make changes here so
lets add also unit-test to make sure that regressions are catched early.
- Put match_codec_pref() and all its helper functions into a separate
c-file.
- Add a unit test.
Change-Id: Iabedfdcec8b99a319f2d57cbea45c5e36c7b6e29
Related: OS#3361