[M] Change in osmo-bts[master]: trx_if: Allow calling trx_if_flush/close from within TRXC callback (v2)
Attention is currently required from: fixeria, fixeria, laforge. pespin has posted comments on this change. ( https://gerrit.osmocom.org/c/osmo-bts/+/32552?usp=email ) Change subject: trx_if: Allow calling trx_if_flush/close from within TRXC callback (v2) .. Patch Set 6: Code-Review+2 -- To view, visit https://gerrit.osmocom.org/c/osmo-bts/+/32552?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings Gerrit-Project: osmo-bts Gerrit-Branch: master Gerrit-Change-Id: Ibdffa4644aa3a7d219452644d3e74b411734f1df Gerrit-Change-Number: 32552 Gerrit-PatchSet: 6 Gerrit-Owner: fixeria Gerrit-Reviewer: Jenkins Builder Gerrit-Reviewer: daniel Gerrit-Reviewer: fixeria Gerrit-Reviewer: fixeria Gerrit-Reviewer: laforge Gerrit-Reviewer: pespin Gerrit-Attention: laforge Gerrit-Attention: fixeria Gerrit-Attention: fixeria Gerrit-Comment-Date: Wed, 25 Oct 2023 16:00:57 + Gerrit-HasComments: No Gerrit-Has-Labels: Yes Gerrit-MessageType: comment
[M] Change in osmo-bts[master]: trx_if: Allow calling trx_if_flush/close from within TRXC callback (v2)
pespin has submitted this change. ( https://gerrit.osmocom.org/c/osmo-bts/+/32552?usp=email ) Change subject: trx_if: Allow calling trx_if_flush/close from within TRXC callback (v2) .. trx_if: Allow calling trx_if_flush/close from within TRXC callback (v2) - If the llist is flushed during rx rsp callback, when the flow is returned to trx_ctrl_read_cb() it would access tcm which was in the llist and end up in use-after-free. - We need to store state on whether code path is inside the read_cb in order to: -- Delay transmission of new message if callback calls trx_if_flush() followed by trx_ctrl_send(), since the trx_ctrl_send() at the end of trx_ctrl_read_cb would retransmit it again immediatelly. -- Avoid accessing tcm pointer if the callback called trx_if_flush(), since it has been freed. Related: OS#6020 Change-Id: Ibdffa4644aa3a7d219452644d3e74b411734f1df --- M src/osmo-bts-trx/l1_if.h M src/osmo-bts-trx/trx_if.c 2 files changed, 52 insertions(+), 7 deletions(-) Approvals: daniel: Looks good to me, but someone else must approve Jenkins Builder: Verified pespin: Looks good to me, approved diff --git a/src/osmo-bts-trx/l1_if.h b/src/osmo-bts-trx/l1_if.h index 18d84c2..84fd4b5 100644 --- a/src/osmo-bts-trx/l1_if.h +++ b/src/osmo-bts-trx/l1_if.h @@ -120,6 +120,10 @@ struct llist_head trx_ctrl_list; /* Latest RSPed cmd, used to catch duplicate RSPs from sent retransmissions */ struct trx_ctrl_msg *last_acked; + /* Whether the code path is in the middle of handling a received message. */ + boolin_trx_ctrl_read_cb; + /* Whether the l1h->trx_ctrl_list was flushed by the callback handling a received message */ + boolflushed_while_in_trx_ctrl_read_cb; //struct gsm_bts_trx*trx; struct phy_instance *phy_inst; diff --git a/src/osmo-bts-trx/trx_if.c b/src/osmo-bts-trx/trx_if.c index 3f9fc04..89078a3 100644 --- a/src/osmo-bts-trx/trx_if.c +++ b/src/osmo-bts-trx/trx_if.c 
@@ -269,8 +269,10 @@ tcm->cmd, tcm->params_len ? " " : "", tcm->params); llist_add_tail(>list, >trx_ctrl_list); - /* send message, if we didn't already have pending messages */ - if (prev == NULL) + /* send message, if we didn't already have pending messages. +* If we are in the rx_rsp callback code path, skip sending, the +* callback will do so when returning to it. */ + if (prev == NULL && !l1h->in_trx_ctrl_read_cb) trx_ctrl_send(l1h); return 0; @@ -673,6 +675,7 @@ struct trx_ctrl_rsp rsp; int len, rc; struct trx_ctrl_msg *tcm; + bool flushed; len = recv(ofd->fd, buf, sizeof(buf) - 1, 0); if (len <= 0) @@ -722,21 +725,34 @@ rsp.cb = tcm->cb; /* check for response code */ + l1h->in_trx_ctrl_read_cb = true; rc = trx_ctrl_rx_rsp(l1h, , tcm); + /* Reset state: */ + flushed = l1h->flushed_while_in_trx_ctrl_read_cb; + l1h->flushed_while_in_trx_ctrl_read_cb = false; + l1h->in_trx_ctrl_read_cb = false; + if (rc == -EINVAL) goto rsp_error; /* re-schedule last cmd in rc seconds time */ if (rc > 0) { - osmo_timer_schedule(>trx_ctrl_timer, rc, 0); + /* The queue may have been flushed in the trx_ctrl_rx_rsp(): */ + if (!llist_empty(>trx_ctrl_list)) + osmo_timer_schedule(>trx_ctrl_timer, rc, 0); return 0; } - /* remove command from list, save it to last_acked and removed previous last_acked */ - llist_del(>list); - talloc_free(l1h->last_acked); - l1h->last_acked = tcm; + if (!flushed) { + /* Remove command from list, save it to last_acked and removed +* previous last_acked */ + llist_del(>list); + talloc_free(l1h->last_acked); + l1h->last_acked = tcm; + } /* else: tcm was freed by trx_if_flush(), do not access it. */ + + /* Send next message waiting in the list: */ trx_ctrl_send(l1h); return 0; 
@@ -1224,6 +1240,10 @@ /* Tx queue is now empty, so there's no point in keeping the retrans timer armed: */ osmo_timer_del(>trx_ctrl_timer); + + /* If we are in read_cb, signal to the returning code path that we freed the list. */ + if (l1h->in_trx_ctrl_read_cb) + l1h->flushed_while_in_trx_ctrl_read_cb = true; } /*! close the TRX for given handle (data + control socket) */ -- To view, visit https://gerrit.osmocom.org/c/osmo-bts/+/32552?usp=email To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings Gerrit-Project: osmo-bts Gerrit-Branch: master Gerrit-Change-Id: Ibdffa4644aa3a7d219452644d3e74b411734f1df
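Review bot: The comments on the two new fields in the l1_if.h hunk (@@ -120) say what each flag means but not who owns it. From the trx_if.c hunks, `in_trx_ctrl_read_cb` is set and cleared only around the `trx_ctrl_rx_rsp()` call, and `flushed_while_in_trx_ctrl_read_cb` is set in the flush path and cleared right after that call. Stating this next to the fields would make it clear that no other code should write them and that both must read false outside that window.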
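Review bot: The new `&& !l1h->in_trx_ctrl_read_cb` condition in the trx_if.c hunk at @@ -269 defers the send to the returning read callback, yet the @@ -722 hunk shows only the final fall-through reaching `trx_ctrl_send(l1h)`. When the callback queues a command and `rc == -EINVAL`, control goes to `rsp_error`, whose body is not part of this diff. It is worth confirming that this exit also sends the pending command; otherwise a command queued from the callback may stay unsent.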
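Review bot: In the `rc > 0` branch of the trx_if.c hunk at @@ -722, `flushed` is not consulted; the timer is armed whenever the list is non-empty. If the callback flushed the queue and then queued a new command, that command has not been transmitted (the send was skipped at @@ -269), so it goes out at the earliest when the timer fires after `rc` seconds, and the comment "re-schedule last cmd" no longer describes what sits at the head of the list. Consider handling `flushed` explicitly in this branch, for example by sending the new head right away instead of scheduling a retransmission.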
[M] Change in osmo-bts[master]: trx_if: Allow calling trx_if_flush/close from within TRXC callback (v2)
Attention is currently required from: fixeria, fixeria, laforge, pespin.
daniel has posted comments on this change. ( https://gerrit.osmocom.org/c/osmo-bts/+/32552?usp=email )
Change subject: trx_if: Allow calling trx_if_flush/close from within TRXC callback (v2)

Patch Set 6: Code-Review+1
(2 comments)

File src/osmo-bts-trx/l1_if.h:

https://gerrit.osmocom.org/c/osmo-bts/+/32552/comment/2565e7db_0cd7c392
PS5, Line 125: lis
> list
Done

https://gerrit.osmocom.org/c/osmo-bts/+/32552/comment/54d8fa80_a1011157
PS5, Line 126: wile
> while
Done

Gerrit-Comment-Date: Wed, 25 Oct 2023 15:51:15 +
[M] Change in osmo-bts[master]: trx_if: Allow calling trx_if_flush/close from within TRXC callback (v2)
Attention is currently required from: fixeria, fixeria, laforge, pespin.
pespin has uploaded a new patch set (#6) to the change originally created by fixeria. ( https://gerrit.osmocom.org/c/osmo-bts/+/32552?usp=email )
The following approvals got outdated and were removed: Code-Review+1 by fixeria, Verified+1 by Jenkins Builder
Change subject: trx_if: Allow calling trx_if_flush/close from within TRXC callback (v2)

trx_if: Allow calling trx_if_flush/close from within TRXC callback (v2)

- If the llist is flushed during rx rsp callback, when the flow is returned to trx_ctrl_read_cb() it would access tcm which was in the llist and end up in use-after-free.
- We need to store state on whether code path is inside the read_cb in order to:
-- Delay transmission of new message if callback calls trx_if_flush() followed by trx_ctrl_send(), since the trx_ctrl_send() at the end of trx_ctrl_read_cb would retransmit it again immediately.
-- Avoid accessing tcm pointer if the callback called trx_if_flush(), since it has been freed.

Related: OS#6020
Change-Id: Ibdffa4644aa3a7d219452644d3e74b411734f1df
---
M src/osmo-bts-trx/l1_if.h
M src/osmo-bts-trx/trx_if.c
2 files changed, 52 insertions(+), 7 deletions(-)

git pull ssh://gerrit.osmocom.org:29418/osmo-bts refs/changes/52/32552/6
[M] Change in osmo-bts[master]: trx_if: Allow calling trx_if_flush/close from within TRXC callback (v2)
Attention is currently required from: fixeria, fixeria, laforge, pespin.
daniel has posted comments on this change. ( https://gerrit.osmocom.org/c/osmo-bts/+/32552?usp=email )
Change subject: trx_if: Allow calling trx_if_flush/close from within TRXC callback (v2)

Patch Set 5:
(3 comments)

Patchset:

PS5:
Found two typos

File src/osmo-bts-trx/l1_if.h:

https://gerrit.osmocom.org/c/osmo-bts/+/32552/comment/b4fa1225_b234ad68
PS5, Line 125: lis
list

https://gerrit.osmocom.org/c/osmo-bts/+/32552/comment/864bfb82_a44874aa
PS5, Line 126: wile
while

Gerrit-Comment-Date: Wed, 25 Oct 2023 14:49:51 +
[M] Change in osmo-bts[master]: trx_if: Allow calling trx_if_flush/close from within TRXC callback (v2)
Attention is currently required from: fixeria, laforge, pespin.
fixeria has posted comments on this change. ( https://gerrit.osmocom.org/c/osmo-bts/+/32552?usp=email )
Change subject: trx_if: Allow calling trx_if_flush/close from within TRXC callback (v2)

Patch Set 3: Code-Review+1
(4 comments)

File src/osmo-bts-trx/trx_if.c:

https://gerrit.osmocom.org/c/osmo-bts/+/32552/comment/5dab35f0_dbd09cfa
PS1, Line 737:
> I was thinking about this too. But this would make the logging/flow a bit
> confusing: […]
Done

https://gerrit.osmocom.org/c/osmo-bts/+/32552/comment/11319e4a_34c93535
PS1, Line 743: re-schedule last cmd in rc seconds time
> Looks like I introduced related issues back in
> 262a6ab1e1e231ea81c4ec990f1a1f571a1f (https://ger […]
Done

File src/osmo-bts-trx/trx_if.c:

https://gerrit.osmocom.org/c/osmo-bts/+/32552/comment/fe89a4de_7d8e07b8
PS3, Line 731: goto rsp_error;
just to confirm, don't we need to reset `flushed_wile_in_trx_ctrl_read_cb` to `false` here?

https://gerrit.osmocom.org/c/osmo-bts/+/32552/comment/9b9642af_af8e78bd
PS3, Line 738: return 0;
just to confirm, don't we need to reset `flushed_wile_in_trx_ctrl_read_cb` to `false` here?

Gerrit-Comment-Date: Wed, 25 Oct 2023 13:55:29 +
[M] Change in osmo-bts[master]: trx_if: Allow calling trx_if_flush/close from within TRXC callback (v2)
Attention is currently required from: fixeria, fixeria, laforge.
pespin has uploaded a new patch set (#5) to the change originally created by fixeria. ( https://gerrit.osmocom.org/c/osmo-bts/+/32552?usp=email )
Change subject: trx_if: Allow calling trx_if_flush/close from within TRXC callback (v2)

trx_if: Allow calling trx_if_flush/close from within TRXC callback (v2)

- If the llist is flushed during rx rsp callback, when the flow is returned to trx_ctrl_read_cb() it would access tcm which was in the llist and end up in use-after-free.
- We need to store state on whether code path is inside the read_cb in order to:
-- Delay transmission of new message if callback calls trx_if_flush() followed by trx_ctrl_send(), since the trx_ctrl_send() at the end of trx_ctrl_read_cb would retransmit it again immediately.
-- Avoid accessing tcm pointer if the callback called trx_if_flush(), since it has been freed.

Related: OS#6020
Change-Id: Ibdffa4644aa3a7d219452644d3e74b411734f1df
---
M src/osmo-bts-trx/l1_if.h
M src/osmo-bts-trx/trx_if.c
2 files changed, 52 insertions(+), 7 deletions(-)

git pull ssh://gerrit.osmocom.org:29418/osmo-bts refs/changes/52/32552/5
[M] Change in osmo-bts[master]: trx_if: Allow calling trx_if_flush/close from within TRXC callback (v2)
Attention is currently required from: fixeria, laforge, pespin.
fixeria has posted comments on this change. ( https://gerrit.osmocom.org/c/osmo-bts/+/32552?usp=email )
Change subject: trx_if: Allow calling trx_if_flush/close from within TRXC callback (v2)

Patch Set 5: Code-Review+1
(1 comment)

File src/osmo-bts-trx/trx_if.c:

https://gerrit.osmocom.org/c/osmo-bts/+/32552/comment/ec7b4506_d65f4b94
PS3, Line 731: goto rsp_error;
> Yes, I actually forgot that one, thanks!.
Done

Gerrit-Comment-Date: Wed, 25 Oct 2023 14:04:00 +
[M] Change in osmo-bts[master]: trx_if: Allow calling trx_if_flush/close from within TRXC callback (v2)
Attention is currently required from: fixeria, fixeria, laforge.
pespin has uploaded a new patch set (#4) to the change originally created by fixeria. ( https://gerrit.osmocom.org/c/osmo-bts/+/32552?usp=email )
The following approvals got outdated and were removed: Code-Review+1 by fixeria, Verified+1 by Jenkins Builder
Change subject: trx_if: Allow calling trx_if_flush/close from within TRXC callback (v2)

trx_if: Allow calling trx_if_flush/close from within TRXC callback (v2)

- If the llist is flushed during rx rsp callback, when the flow is returned to trx_ctrl_read_cb() it would access tcm which was in the llist and end up in use-after-free.
- We need to store state on whether code path is inside the read_cb in order to:
-- Delay transmission of new message if callback calls trx_if_flush() followed by trx_ctrl_send(), since the trx_ctrl_send() at the end of trx_ctrl_read_cb would retransmit it again immediately.
-- Avoid accessing tcm pointer if the callback called trx_if_flush(), since it has been freed.

Related: OS#6020
Change-Id: Ibdffa4644aa3a7d219452644d3e74b411734f1df
---
M src/osmo-bts-trx/l1_if.h
M src/osmo-bts-trx/trx_if.c
2 files changed, 51 insertions(+), 7 deletions(-)

git pull ssh://gerrit.osmocom.org:29418/osmo-bts refs/changes/52/32552/4
[M] Change in osmo-bts[master]: trx_if: Allow calling trx_if_flush/close from within TRXC callback (v2)
Attention is currently required from: fixeria, fixeria, laforge.
pespin has posted comments on this change. ( https://gerrit.osmocom.org/c/osmo-bts/+/32552?usp=email )
Change subject: trx_if: Allow calling trx_if_flush/close from within TRXC callback (v2)

Patch Set 3:
(2 comments)

File src/osmo-bts-trx/trx_if.c:

https://gerrit.osmocom.org/c/osmo-bts/+/32552/comment/7774bd75_2e5857fc
PS3, Line 731: goto rsp_error;
> just to confirm, don't we need to reset `flushed_wile_in_trx_ctrl_read_cb` to
> `false` here?
Yes, I actually forgot that one, thanks!.

https://gerrit.osmocom.org/c/osmo-bts/+/32552/comment/55832446_86eab842
PS3, Line 738: return 0;
> just to confirm, don't we need to reset `flushed_wile_in_trx_ctrl_read_cb` to
> `false` here?
Ack

Gerrit-Comment-Date: Wed, 25 Oct 2023 13:56:31 +
[M] Change in osmo-bts[master]: trx_if: Allow calling trx_if_flush/close from within TRXC callback (v2)
Attention is currently required from: fixeria, fixeria, laforge.
pespin has posted comments on this change. ( https://gerrit.osmocom.org/c/osmo-bts/+/32552?usp=email )
Change subject: trx_if: Allow calling trx_if_flush/close from within TRXC callback (v2)

Patch Set 3:
(1 comment)

Patchset:

PS3:
@axilira...@gmail.com do you mind giving a try to this new patch I submitted?

Gerrit-Comment-Date: Wed, 25 Oct 2023 13:36:23 +
[M] Change in osmo-bts[master]: trx_if: Allow calling trx_if_flush/close from within TRXC callback (v2)
Attention is currently required from: laforge, pespin.
pespin has uploaded a new patch set (#3) to the change originally created by fixeria. ( https://gerrit.osmocom.org/c/osmo-bts/+/32552?usp=email )
The following approvals got outdated and were removed: Code-Review+1 by laforge, Code-Review-1 by pespin, Verified+1 by Jenkins Builder
Change subject: trx_if: Allow calling trx_if_flush/close from within TRXC callback (v2)

trx_if: Allow calling trx_if_flush/close from within TRXC callback (v2)

- If the llist is flushed during rx rsp callback, when the flow is returned to trx_ctrl_read_cb() it would access tcm which was in the llist and end up in use-after-free.
- We need to store state on whether code path is inside the read_cb in order to:
-- Delay transmission of new message if callback calls trx_if_flush() followed by trx_ctrl_send(), since the trx_ctrl_send() at the end of trx_ctrl_read_cb would retransmit it again immediately.
-- Avoid accessing tcm pointer if the callback called trx_if_flush(), since it has been freed.

Related: OS#6020
Change-Id: Ibdffa4644aa3a7d219452644d3e74b411734f1df
---
M src/osmo-bts-trx/l1_if.h
M src/osmo-bts-trx/trx_if.c
2 files changed, 49 insertions(+), 7 deletions(-)

git pull ssh://gerrit.osmocom.org:29418/osmo-bts refs/changes/52/32552/3