Merge branch 'althea-net-sctp_crash_upstream' into main

2022-05-15 22:38:29 +09:00 · 2022-05-15 22:38:29 +09:00 · f97f5f794d
parent c391ac1334 afc562f7d5
commit f97f5f794d
2 changed files with 28 additions and 13 deletions
--- a/src/mme/mme-gtp-path.c
+++ b/src/mme/mme-gtp-path.c
@ -480,15 +480,37 @@ int mme_gtp_send_release_access_bearers_request(mme_ue_t *mme_ue, int action)
 void mme_gtp_send_release_all_ue_in_enb(mme_enb_t *enb, int action)
 {
    mme_ue_t *mme_ue = NULL;
-    enb_ue_t *enb_ue = NULL;
+    enb_ue_t *enb_ue = NULL, *next = NULL;

-    ogs_list_for_each(&enb->enb_ue_list, enb_ue) {
+    ogs_list_for_each_safe(&enb->enb_ue_list, next, enb_ue) {
        mme_ue = enb_ue->mme_ue;

        if (mme_ue) {
+            if (action == OGS_GTP_RELEASE_S1_CONTEXT_REMOVE_BY_LO_CONNREFUSED) {
+                /*
+                 * https://github.com/open5gs/open5gs/pull/1497
+                 *
+                 * 1. eNB, SGW-U and UPF go offline at the same time.
+                 * 2. MME sends Release Access Bearer Request to SGW-C
+                 * 3. SGW-C/SMF sends PFCP modification,
+                 *    but SGW-U/UPF does not respond.
+                 * 4. MME does not receive Release Access Bearer Response.
+                 * 5. timeout()
+                 * 6. MME sends Delete Session Request to the SGW-C/SMF
+                 * 7. No SGW-U/UPF, so timeout()
+                 * 8. MME sends UEContextReleaseRequest enb_ue.
+                 * 9. But there is no enb_ue, so MME crashed.
+                 *
+                 * To solve this situation,
+                 * Execute enb_ue_unlink(mme_ue) and enb_ue_remove(enb_ue)
+                 * before mme_gtp_send_release_access_bearers_request()
+                 */
+                enb_ue_unlink(mme_ue);
+                enb_ue_remove(enb_ue);
+            }
+
            ogs_assert(OGS_OK ==
                mme_gtp_send_release_access_bearers_request(mme_ue, action));
-
        } else {
            ogs_warn("mme_gtp_send_release_all_ue_in_enb()");
            ogs_warn("    ENB_UE_S1AP_ID[%d] MME_UE_S1AP_ID[%d] Action[%d]",
--- a/src/mme/mme-s11-handler.c
+++ b/src/mme/mme-s11-handler.c
@ -1152,16 +1152,10 @@ void mme_s11_handle_release_access_bearers_response(
            ogs_error("ENB-S1 Context has already been removed");
        }
    } else if (action == OGS_GTP_RELEASE_S1_CONTEXT_REMOVE_BY_LO_CONNREFUSED) {
-        enb_ue = enb_ue_cycle(mme_ue->enb_ue);
-
-        enb_ue_unlink(mme_ue);
-
-        if (enb_ue) {
-            enb_ue_remove(enb_ue);
-        } else {
-            ogs_error("ENB-S1 Context has already been removed");
-        }
+    /* enb_ue_unlink() and enb_ue_remove() has already been executed.
+     * So, there is no `enb_ue` context */

+    } else if (action == OGS_GTP_RELEASE_S1_CONTEXT_REMOVE_BY_RESET_ALL) {
    /*
     * TS36.413
     * 8.7.1.2.1 Reset Procedure Initiated from the MME
@ -1175,7 +1169,6 @@ void mme_s11_handle_release_access_bearers_response(
     * for new UE-associated logical S1-connections over the S1 interface,
     * the MME shall respond with the RESET ACKNOWLEDGE message.
     */
-    } else if (action == OGS_GTP_RELEASE_S1_CONTEXT_REMOVE_BY_RESET_ALL) {
        enb_ue = enb_ue_cycle(mme_ue->enb_ue);

        enb_ue_unlink(mme_ue);