Go through all callers of as_dl_tbf() and as_ul_tbf(), and make sure
they can handle the possible NULL return value.
OS#5205 reports a NULL deref crash of osmo-pcu at pdch.cpp:525. The
immediate cause is that as_dl_tbf() may well return NULL, which this
caller does not handle and instead dereferences immediately.
This is a code path that apparently assumes that a DL-TBF should always
be present. The higher level cause for the NULL DL-TBF has not been
identified.
Related: OS#5205 SYS#5561
Change-Id: I8ce21be6836549b47a606c00b793d6f005964c5c
This reverts commit 846fd248dc.
The commit introduced a leak of UL-TBFs, which do not time out and
accumulate indefinitely, leading to out-of-memory for the running
osmo-pcu process.
A proper fix for the leak is pending on a development branch pespin/fsm,
but that branch is not yet ready for merging. Hence let's re-introduce
timer T3169 to avoid the OOM due to lingering UL-TBF.
Related: OS#5209
Change-Id: I99a7d2ddf68a76739ce2db1d6a44967dd97667b0
The main reason to change this is that the unit for T3172 is wrong. It
is defined as ms but the doc string says "(s)".
The tdef implementation already includes the unit as defined for each T
in the doc string implicitly, so instead of fixing that string, just
remove the unit strings from all the doc strings.
Now it will show:
OsmoPCU# show bts-timer
BTS0:
T3142 = 20 s Wait Indication used in Imm Ass Reject during TBF Establishment (CCCH) (default: 20 s, range: [0 .. 255])
T3169 = 5 s Reuse of USF and TFI(s) after the MS uplink TBF assignment is invalid (default: 5 s)
T3172 = 5000 ms Wait Indication used in Imm Ass Reject during TBF Establishment (PACCH) (default: 5000 ms, range: [0 .. 255000])
T3191 = 5 s Reuse of TFI(s) after sending (1) last RLC Data Block on TBF(s), or (2) PACKET TBF RELEASE for an MBMS radio bearer (default: 5 s)
T3193 = 1600 ms Reuse of TFI(s) after reception of final PACKET DOWNLINK ACK/NACK from MS for TBF (default: 100 ms)
T3195 = 5 s Reuse of TFI(s) upon no response from the MS (radio failure or cell change) for TBF/MBMS radio bearer (default: 5 s)
Related: OS#5209
Change-Id: I140122bb10f750bf996272cc7f9c5b541c9bd364
Implement T3113 for paging over PCH with default value of 7s (same as
T3113 in OsmoBSC). Increase the new counter on timeout.
Related: SYS#4878
Change-Id: I97475c3dbe2cf00b9cbfec39e93a3c65cb7f749f
When slowly debugging test_tbf_dl_llc_loss, bssgp_tx_llc_discarded() may
trigger, submitting events to the libosmogb code. Since it didn't
properly set up the callback, it would end up in a null pointer
dereference when lib code tried to use the backward-compatible API (which
was not set up properly either).
"""
TBF(TFI=0 TLLI=0xc0123456 DIR=DL STATE=ASSIGN) Discarding LLC PDU because lifetime limit reached, count=3 new_queue_size=0
BSSGP (BVCI=2234) Tx LLC-DISCARDED TLLI=0xc0123456, FRAMES=3, OCTETS=57
/git/libosmocore/src/gb/gprs_ns.c:271:2: runtime error: member access within null pointer of type 'struct gprs_ns_inst'
"""
"""
(gdb) bt
#0 0x00007ffff729cac0 in gprs_active_nsvc_by_nsei (nsi=nsi@entry=0x0, nsei=2234, bvci=bvci@entry=0)
at /git/libosmocore/src/gb/gprs_ns.c:271
#1 0x00007ffff72b1fec in gprs_ns_sendmsg (nsi=0x0, msg=0x621000000160) at /git/libosmocore/src/gb/gprs_ns.c:1087
#2 0x00007ffff72d1803 in _gprs_ns_sendmsg (ctx=<optimized out>, msg=<optimized out>) at /git/libosmocore/src/gb/gprs_bssgp.c:80
#3 0x00007ffff730226f in bssgp_tx_llc_discarded (bctx=<optimized out>, tlli=<optimized out>, num_frames=<optimized out>, num_octets=<optimized out>)
at /git/libosmocore/src/gb/gprs_bssgp_bss.c:249
#4 0x000055555588243e in gprs_rlcmac_dl_tbf::llc_dequeue (this=0x7ffff1622860, bctx=<optimized out>)
at /git/osmo-pcu/src/tbf_dl.cpp:413
"""
Change-Id: Iee5bcf21afc8980a14f90f5b1ead6d2460a244ea
create_dl_ass() is only called in gprs_rlcmac_sched.cpp on
tbf_cand->dl_ass pointer, which is always assigned under the guard
"!tbf->is_control_ts(pdch->ts_no)", since we only send CTRL messages for
a TBF on its control TS.
Hence, condition "!is_control_ts(ts)" in create_dl_ass will always be
false, and as a result poll_ass_dl will always be 1.
So we can drop different code paths.
Change-Id: Ibea4100a5dc8bd49303cb6a3d02417038c3d3887
After my system's gcc was upgraded, I get false positives like the one
below:
"""
/git/osmo-pcu/src/gprs_bssgp_pcu.c: In function ‘ns_configure_nse’:
/git/osmo-pcu/src/gprs_bssgp_pcu.c:1103:58: error: ‘%d’ directive output may be truncated writing between 1 and 11 bytes into a region of size 2 [-Werror=format-truncation=]
1103 | snprintf(name, sizeof(name), "pcu%d", i);
| ^~
/git/osmo-pcu/src/gprs_bssgp_pcu.c:1103:54: note: directive argument in the range [-2147483648, 1]
1103 | snprintf(name, sizeof(name), "pcu%d", i);
| ^~~~~~~
/git/osmo-pcu/src/gprs_bssgp_pcu.c:1103:25: note: ‘snprintf’ output between 5 and 15 bytes into a destination of size 5
1103 | snprintf(name, sizeof(name), "pcu%d", i);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"""
In this case, i can never take a value with more than 1 digit, but gcc
seems to be unable to see that.
Let's increase the buffer size by a few bytes to make gcc happy, and make
the variable unsigned since it will never get negative values.
The next change is also a false positive, since the variables are always
initialized beforehand in the code paths where they are used:
"""
/git/osmo-pcu/src/bts.cpp: In function ‘int bts_rcv_rach(gprs_rlcmac_bts*, const rach_ind_params*)’:
/git/osmo-pcu/src/bts.cpp:859:25: error: ‘ts_no’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
859 | uint8_t trx_no, ts_no;
| ^~~~~
/git/osmo-pcu/src/bts.cpp:859:17: error: ‘trx_no’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
859 | uint8_t trx_no, ts_no;
| ^~~~~~
"""
Change-Id: I1362a335a0c761bde367dbc779de4afa88f13584
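As an added example (not the osmo-pcu code the commit changes), this sizes the name buffer for every value of the index type and checks snprintf's return value for truncation; the 5-byte buffer mirrors the one gcc complained about, and pcu_name_fmt, PCU_NAME_MAX and the two helper functions are names chosen here for illustration.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* "pcu" plus the 10 decimal digits of the largest unsigned int plus NUL.
 * sizeof("pcu") already includes the terminator. (Example, not osmo-pcu.) */
#define PCU_NAME_MAX (sizeof("pcu") + 10)

/* Format "pcu<i>" into buf. Returns 0 on success, -1 on truncation:
 * snprintf returns the length it wanted to write, not what fitted. */
int pcu_name_fmt(char *buf, size_t buflen, unsigned int i)
{
	int n = snprintf(buf, buflen, "pcu%u", i);
	if (n < 0 || (size_t)n >= buflen) {
		/* output was truncated: do not trust buf contents */
		return -1;
	}
	return 0;
}

/* The original 5-byte buffer only fits a single digit ("pcu9" + NUL). */
int small_buf_truncates(unsigned int i)
{
	char name[5];
	return pcu_name_fmt(name, sizeof(name), i) == -1;
}

/* The resized buffer fits any unsigned value, so the warning goes away
 * because gcc can prove the output always fits. */
int big_buf_fits(unsigned int i)
{
	char name[PCU_NAME_MAX];
	return pcu_name_fmt(name, sizeof(name), i) == 0;
}
```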
In the existing code, pdch->ulc would be freed in
gprs_rlcmac_pdch::free_resources() when it became disabled as per PCUIF
info_ind (for instance, when a DYN TS is switched PDCH->SDCCH8).
However, pdch->ulc was so far only allocated during pdch_init, which is
only called during bts_alloc() time.
Hence, after the first info_ind disabled it, if it became enabled again
(again by info_ind re-enabling it after SDCCH8 was no longer in use),
pdch->ulc would be used again but would point to freed memory.
Let's rearrange how/when resources are freed to make it more logical.
With this patch, pdch internal resources are freed upon ->disable(), and
re-allocated upon ->enable().
Change-Id: Id51f5f6a54ac9f24b784c17bc360ac38f5726fc7
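An added example, not osmo-pcu's own code, modelling the resource lifecycle the commit describes: the per-PDCH allocation is freed and its pointer cleared on disable, and re-created on enable, so the PDCH->SDCCH8->PDCH switch never reuses freed memory. The struct and function names (pdch_ulc, pdch_enable, pdch_disable, pdch_toggle_is_safe) are stand-ins, not the project's identifiers.

```c
#include <stdlib.h>

/* Added example, not osmo-pcu code: a minimal model of the PDCH resource
 * lifecycle the commit describes (names are stand-ins for illustration). */
struct pdch_ulc { unsigned int pending; }; /* stands in for real UL state */

struct pdch {
	int enabled;
	struct pdch_ulc *ulc; /* owned; NULL while the PDCH is disabled */
};

/* Allocate per-PDCH resources on enable. A second enable is a no-op, so a
 * repeated info_ind neither leaks nor replaces the live allocation. */
int pdch_enable(struct pdch *p)
{
	if (p->enabled)
		return 0;
	p->ulc = calloc(1, sizeof(*p->ulc));
	if (!p->ulc)
		return -1;
	p->enabled = 1;
	return 0;
}

/* Free resources on disable and clear the pointer. Before the fix, ulc was
 * freed in free_resources() but never re-created, so the stale pointer was
 * reused after the next enable. */
void pdch_disable(struct pdch *p)
{
	if (!p->enabled)
		return;
	free(p->ulc);
	p->ulc = NULL;
	p->enabled = 0;
}

/* Walk the PDCH -> SDCCH8 -> PDCH switch from the commit message and report
 * whether ulc is live exactly when the PDCH is enabled. */
int pdch_toggle_is_safe(void)
{
	struct pdch p = { 0 };
	int ok = pdch_enable(&p) == 0 && p.ulc != NULL;
	pdch_disable(&p);                      /* TS switched to SDCCH8 */
	ok = ok && p.ulc == NULL;              /* nothing dangling */
	ok = ok && pdch_enable(&p) == 0 && p.ulc != NULL; /* back to PDCH */
	ok = ok && pdch_enable(&p) == 0 && p.ulc != NULL; /* idempotent */
	pdch_disable(&p);
	return ok;
}
```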
If bts_ms_by_tlli() at the start of the function fails, ms could be
NULL. As a result "ms->nacc" access at the end of the function would
crash.
Solution:
In the function, we get the related expected TBF from pdch_ulc, and we only
continue if a TBF is found. Since tbf objects are always expected to
have a GprsMs, simply gather it from there.
Change-Id: I666ed5d157f42e74956fa49fc9eea85d27e63d44
msg->data_len is the total number of bytes available in the buffer,
while for CTR_RLC_DL_BYTES we need to count the size of the actual
payload within the buffer. A consequence of this bug: osmo-pcu
was counting more Downlink bytes than it actually transmitted.
Change-Id: I6884d220f3d06a79b16c18ccc2d2a6cd047b8251
OsmoPCU will need this SI2 in order to gain knowledge of the BCCH
Frequency List being broadcast, in order to build a per-MS specific
Neighbour List using NC_FREQUENCY_LIST bits in Packet Measurement Order.
Related: SYS#5303
Change-Id: I4a9c4f70beac6805322a19835a0d30f7247780b4
Picked code from the Decoder function. I gave
callback_init_Cell_Selection_Params_FREQUENCY_DIFF a try and it looks
like it is working fine.
Change-Id: Iac962ae3e9f52f417f394060b64fc4d0ebf3d0bf
Other callback functions are properly specified as per what's in
"typedef CSN_CallBackStatus_t". However, these two were wrong.
Change-Id: I280b51d4c8c38c76cc1ccd49656b6b7bbe769760
This is only an initial implementation, where all state changes are
still done outside the FSM itself.
The idea is to do the move in several commits so that they can be
digested better in logical steps and avoid major break up.
Related: OS#2709
Change-Id: I6bb4baea2dee191ba5bbcbec2ea9dcf681aa1237
This is right now not an issue, but it will be whenever talloc
destructor contains extra steps like freeing an FSM.
Change-Id: I096ff56321c8ae5e66634537aae8b95804282c65
The ul_tbfs/dl_tbfs lists will become per-trx. Since in this case we
want to operate on the BTS globally, let's iterate over MS objects
instead. This makes more sense too since here we really aim at reaching
an MS (subscriber) instead of specific TBFs. Later on the code can be
optimized easily to schedule a Pkt Paging Request for only 1 of the TBFs
of each MS instead of scheduling it for each TBF in the MS.
Change-Id: I671e531921bbea2f5cc0f2bfcb8a39ea5c6673b8
Before this patch, when a PAGING-GS was received in PCU from SGSN, it
would always forward the paging request to all PDCHs in all TRXs of all
BTS (well, it did some heuristics to avoid sending it in some PDCHs
where only repeated TBFs would be listening).
The previous behavior didn't make much sense in the case where the PCU
is asked to page an MS which it knows (i.e. in which PDCHs it is
listening on). Hence, in that case it makes sense to simply send the
paging request on 1 PDCH where the MS is listening, instead of sending
it in a big set of different PDCHs.
This commit also splits the old get_paging_mi() helper which was
erroneously created to parse both CS/PS-PAGING requests, since they
actually use a different set of target subscriber information (for
instance, CS-PAGING provides optionally a TLLI, and one provides P-TMSI
while the other provides TMSI).
In this patch, the handling of CS paging request is split into 2 parts:
1- A new helper "struct paging_req_cs" is introduced, where incoming
CS-PAGING requests (from both SGSN over BSSGP and BTS/BSC over PCUIF)
are parsed and information stored. Then, from available information, it
tries to find a target MS if available
2- bts_add_paging() is called from both BSSGP and PCUIF paths with the
helper struct and the target MS (NULL if not found). If the MS exists,
paging is forwarded only on 1 PDCH that the MS is attached to. If no MS
exists, then the old heuristics are used to forward the request to all
MS.
Change-Id: Iea46d5321a29d800813b1aa2bf4ce175ce45e2cf
Got this today with newer gcc (11.1.0) after a system upgrade:
egprs_rlc_compression.cpp:693:9: error: this ‘else’ clause does not guard... [-Werror=misleading-indentation]
The indentation was indeed wrong, provoking a warning in GCC. From code
flow point of view, however, the previous state was fine too, so no
logical change is involved in this commit.
Change-Id: I37bfc8e85daaabbbf10dfd907b305e3e0ec31863
Previous implementation of the Rx path was first checking the APP ID
before checking the lower layer (container type), which was confusing
because the information is then not verified in ascending order in the
protocol stack.
Let's instead, first, pass the pdu to the correct container type
handler, and only once there, let each container type handler verify the
available applications.
Change-Id: Ibe017c1a6e789f45d74c4a5f5f4608298c8c9f91
The logic checking whether the UL TBF had already sent all the data
(and hence was marked as finished and requesting UL ACK to be sent) was
not taking into account the case where there was still no valid block
stored, i.e. when the first received UL data block was discarded for some
reason (ex: because TLLI was not set during content resolution).
Related: OS#1940
Change-Id: I739e67ae1bb40555a362170f26fb98ac69caabb2
Let's avoid different code paths in the loop based on is_tlli_invalid.
Instead, always do the proper storing of the block, and if later on the
corner case is found (no TLLI received while in Content Resolution
process) when checking tlli related stuff, then simply invalidate the
block.
Related: OS#1940
Change-Id: I77afaa617d7ce045c0f6d994fc0d8e03fe69de53
For a while now, a tbf has always had an MS attached since its
creation, so there's no sense in checking for it here.
Change-Id: If056a3fb83b43a48c2a6382fc30c6c81fe2b2651
It could happen that if the MS sends first UL blocks without TLLI (wrongly,
due to being in contention resolution), the submitted UL ACK/NACK would
contain an invalid TLLI.
Related: OS#1940
Change-Id: Ibae5df6cfbb56f8f8007cb9fec9c29006d673b72
This allows more easily finding when this specific scenario happens, and
can easily be compared against the PACCH one.
Change-Id: I609792a40fda2a798ca71a0e9f5639d0a0f011d7
Untangle variable assignment at the start of the function. Changes end
up in the same kind of assignment, but are far easier to understand based
on the variable use later on.
* reserved_{dl,ul}_slots contain mask of TS either "previously-reserved" or
"intended to be reserved now" based on MS's ms_class.
* {dl,ul}_slots contain a derived mask from the one above, filtered
further based on more factors like type of allocation requested (multi
vs single), available USFs (UL), etc.
Change-Id: If3cfa82f8b793a87e97145ee8a6fc0fe1a61add6
Store direction check to simplify the code.
Get rid of 2-step LOGP to avoid multi-row logs in gsmtap log.
Change-Id: Ia2e061da82ddce564b2d768d8ade1672c22934e2