libosmo-abis/src
Vadim Yanitskiy c2729a525c fix use-after-free in ipaccess_bts_keepalive_fsm_alloc()
In ipaccess_bts_keepalive_fsm_alloc() we allocate a keepalive FSM
instance as a child of the respective struct ipa_client_conn, and
store the pointer to the respective struct e1inp_ts.

  + struct e1inp_line
  |
  ---+ struct ipaccess_line (void *driver_data)
  |  |
  |  ---+ struct ipa_client_conn *ipa_cli[NUM_E1_TS]  // <-- parent
  |
  ---+ struct e1inp_ts ts[NUM_E1_TS]
  |  |
  |  ---+ .driver.ipaccess.ka_fsm  // <-- pointer

When an ipaccess connection (be it OML or RSL) goes down and then
up again, for instance if the BSC gets restarted, osmo-bts crashes.
The problem is that struct ipa_client_conn gets free()ed before the
associated FSM instance gets terminated:

* e1inp_ipa_bts_rsl_connect_n() is called
** calling e1inp_ipa_bts_rsl_close_n()
*** this function free()s struct ipa_client_conn
*** (!) as well as the struct osmo_fsm_inst (talloc child)
** calling ipaccess_bts_keepalive_fsm_alloc()
*** calling ipaccess_keepalive_fsm_cleanup()
**** accessing free()d e1i_ts->driver.ipaccess.ka_fsm
**** BOOOM!  segmentation fault

Fix this by calling ipaccess_keepalive_fsm_cleanup() before free()ing
the associated struct ipa_client_conn.

Note that ipaccess_bsc_keepalive_fsm_alloc() is not affected because
it's allocating keepalive FSMs using the global tall_ipa_ctx.

Change-Id: Ic56c4b5b7b24b63104908a0c24f2f645ba4c5c1b
Related: SYS#6438
(cherry picked from commit f6bde0f521)
2023-05-08 22:18:14 +07:00
input fix use-after-free in ipaccess_bts_keepalive_fsm_alloc() 2023-05-08 22:18:14 +07:00
trau trau_sync: add Ericsson RBS GPRS TRAU synchronization pattern (16kbps) 2022-12-23 11:04:08 +00:00
Makefile.am libosmo{abis,trau}: add -no-undefined to *_la_LDFLAGS 2022-08-04 05:18:21 +07:00
e1_input.c Run struct_endianness.py 2023-05-08 22:18:14 +07:00
e1_input_vty.c ipaccess: Add connect timeout in e1inp_line 2022-12-15 16:10:36 +01:00
init.c Add SPDX-License-Identifier to all source files 2017-11-13 01:09:21 +09:00
ipa_proxy.c vty: use install_lib_element() and install_lib_element_ve() 2020-10-04 16:45:59 +07:00
subchan_demux.c subchan_demux: Fix out-of-bounds write 2020-07-04 11:21:23 +02:00
trau_frame.c trau_frame: Fix AMR frame decoding 2020-05-14 15:48:09 +00:00