Fixed the crash in UERANSIM 500 test (#1652)

2022-07-21 00:02:31 +09:00 · 2022-07-21 00:02:31 +09:00 · 2b41a215d7
parent da1905b36c
commit 2b41a215d7
7 changed files with 41 additions and 7 deletions
--- a/lib/sbi/context.c
+++ b/lib/sbi/context.c
@ -1447,15 +1447,21 @@ void ogs_sbi_xact_remove(ogs_sbi_xact_t *xact)
    ogs_sbi_object_t *sbi_object = NULL;

    ogs_assert(xact);
+
+    xact = ogs_pool_cycle(&xact_pool, xact);
+    if (!xact) {
+        ogs_error("SBI transaction has already been removed");
+        return;
+    }
+
    sbi_object = xact->sbi_object;
    ogs_assert(sbi_object);

    ogs_assert(xact->t_response);
    ogs_timer_delete(xact->t_response);

-    /* If ogs_sbi_send() is called, xact->request has already been freed */
-    if (xact->request)
-        ogs_sbi_request_free(xact->request);
+    ogs_assert(xact->request);
+    ogs_sbi_request_free(xact->request);

    ogs_list_remove(&sbi_object->xact_list, xact);
    ogs_pool_free(&xact_pool, xact);
--- a/lib/sbi/nghttp2-server.c
+++ b/lib/sbi/nghttp2-server.c
@ -307,7 +307,7 @@ static bool server_send_rspmem_persistent(

    stream = ogs_pool_cycle(&stream_pool, stream);
    if (!stream) {
-        ogs_error("stream has already been closed");
+        ogs_error("stream has already been removed");
        return true;
    }

@ -435,6 +435,8 @@ static ogs_sbi_stream_t *stream_add(

    stream->session = sbi_sess;

+    ogs_list_add(&sbi_sess->stream_list, stream);
+
    return stream;
 }

--- a/src/amf/amf-sm.c
+++ b/src/amf/amf-sm.c
@ -598,6 +598,22 @@ void amf_state_operational(ogs_fsm_t *s, amf_event_t *e)
                    break;
                }

+                amf_ue = sess->amf_ue;
+                ogs_assert(amf_ue);
+                amf_ue = amf_ue_cycle(amf_ue);
+                ogs_assert(amf_ue);
+                ran_ue = ran_ue_cycle(amf_ue->ran_ue);
+                if (!ran_ue) {
+                    ogs_error("NG context has already been removed");
+                    break;
+                }
+
+                gnb = amf_gnb_cycle(ran_ue->gnb);
+                if (!gnb) {
+                    ogs_error("gNB context has already been removed");
+                    break;
+                }
+
                ogs_error("[%d:%d] Cannot receive SBI message",
                        sess->psi, sess->pti);
                if (sess->payload_container_type) {
--- a/src/amf/context.c
+++ b/src/amf/context.c
@ -955,6 +955,11 @@ int amf_gnb_sock_type(ogs_sock_t *sock)
    return SOCK_STREAM;
 }

+amf_gnb_t *amf_gnb_cycle(amf_gnb_t *gnb)
+{
+    return ogs_pool_cycle(&amf_gnb_pool, gnb);
+}
+
 /** ran_ue_context handling function */
 ran_ue_t *ran_ue_add(amf_gnb_t *gnb, uint32_t ran_ue_ngap_id)
 {
--- a/src/amf/context.h
+++ b/src/amf/context.h
@ -637,6 +637,7 @@ amf_gnb_t *amf_gnb_find_by_addr(ogs_sockaddr_t *addr);
 amf_gnb_t *amf_gnb_find_by_gnb_id(uint32_t gnb_id);
 int amf_gnb_set_gnb_id(amf_gnb_t *gnb, uint32_t gnb_id);
 int amf_gnb_sock_type(ogs_sock_t *sock);
+amf_gnb_t *amf_gnb_cycle(amf_gnb_t *gnb);

 ran_ue_t *ran_ue_add(amf_gnb_t *gnb, uint32_t ran_ue_ngap_id);
 void ran_ue_remove(ran_ue_t *ran_ue);
--- a/src/amf/nas-path.c
+++ b/src/amf/nas-path.c
@ -44,9 +44,7 @@ int nas_5gs_send_to_downlink_nas_transport(amf_ue_t *amf_ue, ogs_pkbuf_t *pkbuf)
    ran_ue = ran_ue_cycle(amf_ue->ran_ue);
    if (!ran_ue) {
        ogs_warn("NG context has already been removed");
-        ogs_pkbuf_free(pkbuf);
-
-        return OGS_ERROR;
+        return OGS_OK;
    } else {
        ngapbuf = ngap_build_downlink_nas_transport(
                ran_ue, pkbuf, false, false);
--- a/src/amf/ngap-path.c
+++ b/src/amf/ngap-path.c
@ -51,6 +51,12 @@ int ngap_send_to_gnb(amf_gnb_t *gnb, ogs_pkbuf_t *pkbuf, uint16_t stream_no)
    char buf[OGS_ADDRSTRLEN];

    ogs_assert(gnb);
+    gnb = amf_gnb_cycle(gnb);
+    if (!gnb) {
+        ogs_warn("gNB has already been removed");
+        return OGS_OK;
+    }
+
    ogs_assert(pkbuf);
    ogs_assert(gnb->sctp.sock);
    if (gnb->sctp.sock->fd == INVALID_SOCKET) {