Having that code in a separate function is confusing and adds code
complexity since it looks like an entry point to start feeing a TBF, but
it simply some (not yet really useful) set of instructions to be called
one 1 code path in tbf_free.
Let's move it there, this way it becomes clear tbf_free() is THE place
to be (if you want to get rid of a TBF).
Change-Id: I30febf4d21a0bfab37524c07598bbb0dd32f7f65
This way we clean up tbf_free entry point, and leave memory freeing for
later on at the end when talloc_free is called.
Change-Id: I1c45e3296e565725bcbbca391d9518772fffa89d
Function is already called by gprs_rlcmac_received_lost(), so next call
following it will be sum=0 and return EINVAL.
Change-Id: I015ba16d18fdd6e2441ec3c256b5ac88771d7a8b
It's fine to always attemt dropping the timer since it's set up in the
constructor.
This also drps the double function call abort()+cleanup() which is
confusing.
Change-Id: Ia2aaa43bd8faacf09fe4b36b11b38022bea7a59c
PdchUlcTest output changes because the original state NULL is not
expected when transactioning to RELEASING upon MAX N310* being hit. In
any case, none of those events should happen in NULL state, but we
don't really care about TBF states there so we are fine with whatever
the state is.
Related: OS#2709
Change-Id: I516b8d989a0d705e5664f8aeaf7d108e0105aa16
While at it, method maybe_start_new_window is renamed to
rcvd_dl_final_ack to make more sense out of the code.
Related: OS#2709
Change-Id: Iebd650c1036ef2d5132789778be7117ce3391c01
Prior code was wrong, as in it did stuff diferent to what is expected
and actually done in osmo-pcu. In osmo-pcu code, the function is guarded
and only called in FLOW or FINISHED state by the scheduler.
Change-Id: If8029bee90adceee128ebb20c033756efd50e90e
At some point later in time the state_flags will most probably be split
into different variables, one ending up in a different FSM. It is moved
so far to the exsiting FSM from the C++ class since it's easier to
access it from C and C++ code, and anyway that kind of information
belongs to the FSM.
Related: OS#2709
Change-Id: I3c62e9e83965cb28065338733f182863e54d7474
Run bts_pch_timer_remove() on each entry of the BTS specific pch_timer
list, so we don't have a memory leak and so the timer doesn't
potentially fire for a deallocated BTS.
Fixes: d3c7591 ("Add counters: pcu.bts.N.pch.requests.timeout")
Change-Id: Ia5e33d1894408e93a51c452002ef2f5758808269
Go through all callers of as_dl_tbf() and as_ul_tbf(), and make sure
they can handle the possible NULL return value.
OS#5205 reports a NULL deref crash of osmo-pcu at pdch.cpp:525. The
immediate cause is that as_dl_tbf() may well return NULL, which this
caller does not handle and instead dereferences immediately.
This is a code path that apparently assumes that a DL-TBF should always
be present. The higher level cause for the NULL DL-TBF has not been
identified.
Related: OS#5205 SYS#5561
Change-Id: I8ce21be6836549b47a606c00b793d6f005964c5c
This reverts commit 846fd248dc.
The commit introduced a leak of UL-TBF, which do not time out and
accumulate indefinitely, leading to out-of-memory for the running
osmo-pcu process.
A proper fix for the leak is pending on a development branch pespin/fsm,
but that branch is not yet ready for merging. Hence let's re-introduce
timer T3169 to avoid the OOM due to lingering UL-TBF.
Related: OS#5209
Change-Id: I99a7d2ddf68a76739ce2db1d6a44967dd97667b0
The main reason to change this is that the unit for T3172 is wrong. It
is defined as ms but the doc string says "(s)".
The tdef implementation already includes the unit as defined for each T
in the doc string implicitly, so instead of fixing that string, just
remove the unit strings from all the doc strings.
Now it will show:
OsmoPCU# show bts-timer
BTS0:
T3142 = 20 s Wait Indication used in Imm Ass Reject during TBF Establishment (CCCH) (default: 20 s, range: [0 .. 255])
T3169 = 5 s Reuse of USF and TFI(s) after the MS uplink TBF assignment is invalid (default: 5 s)
T3172 = 5000 ms Wait Indication used in Imm Ass Reject during TBF Establishment (PACCH) (default: 5000 ms, range: [0 .. 255000])
T3191 = 5 s Reuse of TFI(s) after sending (1) last RLC Data Block on TBF(s), or (2) PACKET TBF RELEASE for an MBMS radio bearer (default: 5 s)
T3193 = 1600 ms Reuse of TFI(s) after reception of final PACKET DOWNLINK ACK/NACK from MS for TBF (default: 100 ms)
T3195 = 5 s Reuse of TFI(s) upon no response from the MS (radio failure or cell change) for TBF/MBMS radio bearer (default: 5 s)
Related: OS#5209
Change-Id: I140122bb10f750bf996272cc7f9c5b541c9bd364
Implement T3113 for paging over PCH with default value of 7s (same as
T3113 in OsmoBSC). Increase the new counter on timeout.
Related: SYS#4878
Change-Id: I97475c3dbe2cf00b9cbfec39e93a3c65cb7f749f
When slowly debugging test_tbf_dl_llc_loss, bssgp_tx_llc_discarded() may
trigger, submitting events to the libosmogb code. Since it didn't
properly set up the callback, it would end up in a null pointer
dereference when lib code tried to use backward-compatible API (which
was neither set up properly).
"""
TBF(TFI=0 TLLI=0xc0123456 DIR=DL STATE=ASSIGN) Discarding LLC PDU because lifetime limit reached, count=3 new_queue_size=0
BSSGP (BVCI=2234) Tx LLC-DISCARDED TLLI=0xc0123456, FRAMES=3, OCTETS=57
/git/libosmocore/src/gb/gprs_ns.c:271:2: runtime error: member access within null pointer of type 'struct gprs_ns_inst'
"""
"""
(gdb) bt
#0 0x00007ffff729cac0 in gprs_active_nsvc_by_nsei (nsi=nsi@entry=0x0, nsei=2234, bvci=bvci@entry=0)
at /git/libosmocore/src/gb/gprs_ns.c:271
#1 0x00007ffff72b1fec in gprs_ns_sendmsg (nsi=0x0, msg=0x621000000160) at /git/libosmocore/src/gb/gprs_ns.c:1087
#2 0x00007ffff72d1803 in _gprs_ns_sendmsg (ctx=<optimized out>, msg=<optimized out>) at /git/libosmocore/src/gb/gprs_bssgp.c:80
#3 0x00007ffff730226f in bssgp_tx_llc_discarded (bctx=<optimized out>, tlli=<optimized out>, num_frames=<optimized out>, num_octets=<optimized out>)
at /git/libosmocore/src/gb/gprs_bssgp_bss.c:249
#4 0x000055555588243e in gprs_rlcmac_dl_tbf::llc_dequeue (this=0x7ffff1622860, bctx=<optimized out>)
at /git/osmo-pcu/src/tbf_dl.cpp:413
"""
Change-Id: Iee5bcf21afc8980a14f90f5b1ead6d2460a244ea
create_dl_ass() is only called in gprs_rlcmac_sched.cpp on
tbf_cand->dl_ass pointer, which is always assigned under the guard
"!tbf->is_control_ts(pdch->ts_no)", since we only send CTRL messages for
a TBF on its control TS.
Hence, condition "!is_control_ts(ts)" in create_dl_ass will always be
false, and as a result poll_ass_dl will always be 1.
So we can drop different code paths.
Change-Id: Ibea4100a5dc8bd49303cb6a3d02417038c3d3887
After my system's gcc was upgraded, I get false positivies like the one
below:
"""
/git/osmo-pcu/src/gprs_bssgp_pcu.c: In function ‘ns_configure_nse’:
/git/osmo-pcu/src/gprs_bssgp_pcu.c:1103:58: error: ‘%d’ directive output may be truncated writing between 1 and 11 bytes into a region of size 2 [-Werror=format-truncation=]
1103 | snprintf(name, sizeof(name), "pcu%d", i);
| ^~
/git/osmo-pcu/src/gprs_bssgp_pcu.c:1103:54: note: directive argument in the range [-2147483648, 1]
1103 | snprintf(name, sizeof(name), "pcu%d", i);
| ^~~~~~~
/git/osmo-pcu/src/gprs_bssgp_pcu.c:1103:25: note: ‘snprintf’ output between 5 and 15 bytes into a destination of size 5
1103 | snprintf(name, sizeof(name), "pcu%d", i);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"""
In this case, i can't never take a value with more than 1 digit, but gcc
seems to be unable to see that.
Let's increase the buffer size a few bytes to make gcc happy, and make
the variable unsigned since it never will get negative values.
Next change is also a false positive, since variables are always
initialized beforehand in the cod epaths where they are used:
"""
/git/osmo-pcu/src/bts.cpp: In function ‘int bts_rcv_rach(gprs_rlcmac_bts*, const rach_ind_params*)’:
/git/osmo-pcu/src/bts.cpp:859:25: error: ‘ts_no’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
859 | uint8_t trx_no, ts_no;
| ^~~~~
/git/osmo-pcu/src/bts.cpp:859:17: error: ‘trx_no’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
859 | uint8_t trx_no, ts_no;
| ^~~~~~
"""
Change-Id: I1362a335a0c761bde367dbc779de4afa88f13584
In existing previous code, pdch->ulc would be freed in
gprs_rlcmac_pdch::free_resources() when it became disabled as per PCUIF
info_ind (for instance, when a DYN TS is switched PDCH->SDCCH8).
However, pdch->ulc was so far only allocated during pdch_init, which is
only called during bts_alloc() time.
Hence, after first info_ind disabling it, if it became again enabled
(again by info_ind re-enabling it after SDCCH8 was not longer in use),
the pdch->ulc would be used again but it would point to freed memory.
Let's rearrange how/when resources are freed to make it more logical.
With this patch, pdch internal resources are freed upon ->disable(), and
re-allocated upon ->enable().
Change-Id: Id51f5f6a54ac9f24b784c17bc360ac38f5726fc7
If bts_ms_by_tlli() at the start of the function fails, ms could be
NULL. As a result "ms->nacc" access at the end of the function would
crash.
Solution:
In the function, we get the related expected TBF from pdch_ulc, and we only
continue if a TBF is found. Since tbf objects are always expected to
have a GprsMs, simply gather it from there.
Change-Id: I666ed5d157f42e74956fa49fc9eea85d27e63d44
msg->data_len is the total number of bytes available in the buffer,
while for CTR_RLC_DL_BYTES we need to count size of the actual
payload within the buffer. A consequence of this bug: osmo-pcu
was counting more Downlink bytes than it's actually transmitted.
Change-Id: I6884d220f3d06a79b16c18ccc2d2a6cd047b8251
OsmoPCU will need this SI2 in order to gain knowledge of the BCCH
Frequency List being broadcasted, in order to build a per-MS specific
Neighbour List using NC_FREQUENCY_LIST bits in Packet Measurement Order.
Related: SYS#5303
Change-Id: I4a9c4f70beac6805322a19835a0d30f7247780b4
Picked code from the Decoder function. I gave it a try
callback_init_Cell_Selection_Params_FREQUENCY_DIFF and looks
like working fine.
Change-Id: Iac962ae3e9f52f417f394060b64fc4d0ebf3d0bf
Other callback functions are properly specified as per what's in
"typedef CSN_CallBackStatus_t". However, these two were wrong.
Change-Id: I280b51d4c8c38c76cc1ccd49656b6b7bbe769760
This is only an initial implementation, where all state changes are
still done outside the FSM itself.
The idea is to do the move in several commits so that they can be
digested better in logical steps and avoid major break up.
Related: OS#2709
Change-Id: I6bb4baea2dee191ba5bbcbec2ea9dcf681aa1237
This is right now not an issue, but it will be whenever talloc
destructor contains extra steps like freeing an FSM.
Change-Id: I096ff56321c8ae5e66634537aae8b95804282c65
The ul_tbfs/dl_tbfs lists will become per-trx. Since in this case we
want to operate on the BTS globally, let's iterate over MS objects
instead. This makes more sense too since here we really aim at reaching
a MS (subscriber) instead of specific TBFs. Later on the code can be
optimized easily to schedule a Pkt Paging Request for only 1 of the TBFs
of each MS instad of scheduling it for each TBFs in the MS.
Change-Id: I671e531921bbea2f5cc0f2bfcb8a39ea5c6673b8
Before this patch, when a PAGING-GS was received in PCU from SGSN, it
would always forward the paging request to all PDCHs in all TRXs of all
BTS (well, it did some heuristics to avoid sending it in some PDCHs
where onyl repeated TBFs would be listening).
The previous behavior, didn't make much sense in the case where the PCU
is asked to page an MS which it knows (ie in which PDCHs is listening
to). Hence, in that case it makes sense to simply send the paging
request on 1 PDCH where the MS is listening, instead of sending it in a
big set of different PDCHs.
This commit also splits the old get_paging_mi() helper which was
erroneously created to parseboth CS/PS-PAGING requesst, since they
actually use a different set of target subscriber information (for
instance, CS-PAGING provides optionally a TLLI, and one provides P-TMSI
while the other provides TMSI).
In this patch, the handling of CS paging request is split into 2 parts:
1- A new helper "struct paging_req_cs" is introduced, where incoming
CS-PAGING requests (from both SGSN over BSSGP and BTS/BSC over PCUIF)
are parsed and information stored. Then, from available information, it
tries to find a target MS if avaialable
2- bts_add_paging() is called from both BSSGP and PCUIF paths with the
helper struct and the target MS (NULL if not found). If MS exists,
paging is forwarding only on 1 PDCH that MS is attached to. If no MS
exists, then the old heursitics are used to forward the request to all
MS.
Change-Id: Iea46d5321a29d800813b1aa2bf4ce175ce45e2cf