Bump version: 1.12.0.5-193b7 → 1.12.1

Change-Id: I3470865febcc53b63e59cf791869f02d0be3aaa7
debian/control: remove build-dep: libosmo-sccp-dev
2025-11-02 13:13:16 +00:00 · 2024-09-16 12:36:46 +02:00 · 2024-09-16 12:36:46 +02:00 · 2024-09-16 12:13:57 +02:00 · 2024-09-16 12:13:25 +02:00 · 2024-09-16 12:11:17 +02:00
8 changed files with 55 additions and 5 deletions
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
+osmo-sgsn (1.12.1) unstable; urgency=medium
+
+  [ Pau Espin Pedrol ]
+  * Fix DeactPDPCtxAcc when UE goes PMM ENABLED but lost its PDP context
+  * Fix double free during RAU with unexpected Old RAI
+  * llc: Mark old/current tlli as all 1's when unassigning LLME
+
+  [ Vadim Yanitskiy ]
+  * sm: pdpctx_timer_stop(): warn about timer not running
+
+  [ Oliver Smith ]
+  * debian/control: remove build-dep: libosmo-sccp-dev
+
+ -- Oliver Smith <osmith@sysmocom.de>  Mon, 16 Sep 2024 12:18:11 +0200
+
 osmo-sgsn (1.12.0) unstable; urgency=medium

  [ Andreas Eversberg ]
--- a/debian/control
+++ b/debian/control
@@ -19,7 +19,6 @@ Build-Depends: debhelper (>= 10),
               libasn1c-dev (>= 0.9.30),
               libosmo-ranap-dev (>= 1.6.0),
               libosmo-sigtran-dev (>= 1.9.0),
-               libosmo-sccp-dev (>= 1.9.0),
               osmo-gsm-manuals-dev (>= 1.6.0)
 Standards-Version: 3.9.8
 Vcs-Git: https://gitea.osmocom.org/cellular-infrastructure/osmo-sgsn
--- a/include/osmocom/sgsn/mmctx.h
+++ b/include/osmocom/sgsn/mmctx.h
@@ -257,6 +257,7 @@ struct sgsn_mm_ctx *sgsn_mm_ctx_by_tlli(uint32_t tlli,
 struct sgsn_mm_ctx *sgsn_mm_ctx_by_ptmsi(uint32_t tmsi);
 struct sgsn_mm_ctx *sgsn_mm_ctx_by_imsi(const char *imsi);
 struct sgsn_mm_ctx *sgsn_mm_ctx_by_ue_ctx(const void *uectx);
+struct sgsn_mm_ctx *sgsn_mm_ctx_by_llme(const struct gprs_llc_llme *llme);

 /* look-up by matching TLLI and P-TMSI (think twice before using this) */
 struct sgsn_mm_ctx *sgsn_mm_ctx_by_tlli_and_ptmsi(uint32_t tlli,
--- a/include/osmocom/sgsn/pdpctx.h
+++ b/include/osmocom/sgsn/pdpctx.h
@@ -68,6 +68,7 @@ struct sgsn_pdp_ctx {
 	//uint32_t		qos_profile_neg;
 	uint8_t			radio_prio;
 	//uint32_t		charging_id;
+	bool			ue_pdp_active; /* PDP Context is active for this NSAPI?  */

 	struct osmo_timer_list	timer;
 	unsigned int		T;		/* Txxxx number */
--- a/src/sgsn/gprs_gmm.c
+++ b/src/sgsn/gprs_gmm.c
@@ -1591,6 +1591,7 @@ static void process_ms_ctx_status(struct sgsn_mm_ctx *mmctx,
 		LOGMMCTXP(LOGL_NOTICE, mmctx, "Dropping PDP context for NSAPI=%u "
 			"due to PDP CTX STATUS IE=0x%02x%02x\n",
 			pdp->nsapi, pdp_status[1], pdp_status[0]);
+		pdp->ue_pdp_active = false;
 		if (pdp->ggsn)
 			sgsn_delete_pdp_ctx(pdp);
 		else /* GTP side already detached, freeing */
@@ -1747,6 +1748,21 @@ static int gsm48_rx_gmm_ra_upd_req(struct sgsn_mm_ctx *mmctx, struct msgb *msg,
 			 * in the MS */
 			LOGGBP(llme, DMM, LOGL_NOTICE, "LLC XID RESET\n");
 			gprs_llgmm_reset_oldmsg(msg, GPRS_SAPI_GMM, llme);
+
+			/* The RAU didn't come from expected TLLI+RAI, so it's for sure bad and should be rejected.
+			 * In any case, before unassigning (freeing) the LLME during the REJECT below, make sure
+			 * beforehand that if there's an mmctx relating to that llme it is also freed.
+			 * Otherwise it would be kept pointining at a dangling freed llme object.
+			 */
+			mmctx = sgsn_mm_ctx_by_llme(llme);
+			if (mmctx) {
+				char old_ra_id_name[32];
+				osmo_rai_name_buf(old_ra_id_name, sizeof(old_ra_id_name), &old_ra_id);
+				LOGMMCTXP(LOGL_NOTICE, mmctx,
+					  "Rx RA Update Request with unexpected TLLI=%08x Old RA=%s (expected Old RA: %s)!\n",
+					  msgb_tlli(msg), old_ra_id_name, osmo_rai_name(&mmctx->ra));
+				/* mmctx will be released (and its llme un assigned) after REJECT below. */
+			}
 		}
 		/* The MS has to perform GPRS attach */
 		/* Device is still IMSI attached for CS but initiate GPRS ATTACH,
--- a/src/sgsn/gprs_llc.c
+++ b/src/sgsn/gprs_llc.c
@@ -1112,7 +1112,7 @@ int gprs_llgmm_assign(struct gprs_llc_llme *llme,
 		llme->state = GPRS_LLMS_ASSIGNED;
 	} else if (old_tlli != TLLI_UNASSIGNED && new_tlli == TLLI_UNASSIGNED) {
 		/* TLLI Unassignment 8.3.3) */
-		llme->tlli = llme->old_tlli = 0;
+		llme->tlli = llme->old_tlli = TLLI_UNASSIGNED;
 		llme->state = GPRS_LLMS_UNASSIGNED;
 		for (i = 0; i < ARRAY_SIZE(llme->lle); i++) {
 			struct gprs_llc_lle *l = &llme->lle[i];
--- a/src/sgsn/mmctx.c
+++ b/src/sgsn/mmctx.c
@@ -105,6 +105,21 @@ struct sgsn_mm_ctx *sgsn_mm_ctx_by_ue_ctx(const void *uectx)
 	return NULL;
 }

+
+/* look-up an SGSN MM context based on Gb LLME context (struct gprs_llc_llme)*/
+struct sgsn_mm_ctx *sgsn_mm_ctx_by_llme(const struct gprs_llc_llme *llme)
+{
+	struct sgsn_mm_ctx *ctx;
+
+	llist_for_each_entry (ctx, &sgsn->mm_list, list) {
+		if (ctx->ran_type == MM_CTX_T_GERAN_Gb
+		    && llme == ctx->gb.llme)
+			return ctx;
+	}
+
+	return NULL;
+}
+
 /* look-up a SGSN MM context based on TLLI + RAI */
 struct sgsn_mm_ctx *sgsn_mm_ctx_by_tlli(uint32_t tlli,
 					const struct gprs_ra_id *raid)
--- a/src/sgsn/sgsn_libgtp.c
+++ b/src/sgsn/sgsn_libgtp.c
@@ -378,6 +378,7 @@ int send_act_pdp_cont_acc(struct sgsn_pdp_ctx *pctx)
 	rc = gsm48_tx_gsm_act_pdp_acc(pctx);
 	if (rc < 0)
 		return rc;
+	pctx->ue_pdp_active = true;

 	if (pctx->mm->ran_type == MM_CTX_T_GERAN_Gb) {
 		/* Send SNDCP XID to MS */
@@ -567,9 +568,11 @@ static int delete_pdp_conf(struct pdp_t *pdp, void *cbp, int cause)
 			return -ENOTSUP;
 #endif
 		}
-
-		/* Confirm deactivation of PDP context to MS */
-		rc = gsm48_tx_gsm_deact_pdp_acc(pctx);
+		if (pctx->ue_pdp_active) {
+			/* Confirm deactivation of PDP context to MS */
+			rc = gsm48_tx_gsm_deact_pdp_acc(pctx);
+			pctx->ue_pdp_active = false;
+		}
 	} else {
 		LOGPDPCTXP(LOGL_NOTICE, pctx,
 			   "Not deactivating SNDCP layer since the MM context "
Author	SHA1	Message	Date
Oliver Smith	6f68477981	Bump version: 1.12.0.5-193b7 → 1.12.1 Change-Id: I3470865febcc53b63e59cf791869f02d0be3aaa7	2024-09-16 12:36:46 +02:00
Oliver Smith	8d37827695	debian/control: remove build-dep: libosmo-sccp-dev This follows the removal of the libsccp.a and the pkg-config libosmo-sccp.pc from libosmo-sccp.git Related: libosmo-sccp I299a32a2f8f61477cf49c8126567fef2092d5407 Change-Id: I2fc827cf15b7f78173e5ee489abe2c6d12b82c2f (cherry picked from commit `a39a564906`)	2024-09-16 12:36:46 +02:00
Pau Espin Pedrol	517333a241	llc: Mark old/current tlli as all 1's when unassigning LLME TS 44.064 section 8.3.3 (and other sections) talk about special unassigned value of "all 1's", but I couldn't find any reference to a "all 0's" specific value/meaning. In practice in the code this may not be super important since those values may not ve checked due to the FSM state, but in any case they are initially set to all 1's, so it makes total sense to re-set them to the same unassigned value instead of a randomly chosen all 0's value. Change-Id: I660c8d0ef08b34f8cb74fd51b5c59e5628d687ae (cherry picked from commit `35c178e84d`)	2024-09-16 12:13:57 +02:00
Pau Espin Pedrol	c14f2429ab	Fix double free during RAU with unexpected Old RAI If an MS which had an MMCTX at the SGSN sent RAU update with an unexpected Old RA field, the RAU was rejected and LLME (LLC layer) unassigned (freed), because no MMCTX was found matching the wrong old RA. However, an MMCTX may actually exist pointing to that LLME, and hence when the LLME is freed, it stayed unnoticed with a dangling pointer to the freed LLME in ctx->gb.llme. Let's try to harder to avoid this kind of bugs which make osmo-sgsn crash. Once we properly split the code into separate independent layers (LLC, MMCTX, etc.) each holding their own structs, this kind of bugs shouldn't happen anymore. Related: OS#6441 Change-Id: I5a4328c6e945b85dd815215724feecadba59c435 (cherry picked from commit `868d818e6e`)	2024-09-16 12:13:25 +02:00
Pau Espin Pedrol	5ebe3b778f	Fix DeactPDPCtxAcc when UE goes PMM ENABLED but lost its PDP context Scenario: UE activates a PDP context, then after a while goes PMM IDLE (Iu conn is destroyed but PDP is kept). When UE connects through Iu again, it sends eg. RAU or ServiceRequest with pdp_status bitmask statis the active NSAPIs. If some NSAPI (PDP context) is enabled at SGSN but doesn't show up in the bitmask, SGSN will destroy the PDP context with GGSN (DeletePDPContextReq) towards GGSN prior to re-creating it. When SGSN receives the DeletePDPContextResp, it would forward a DeactivatePDPContextReq to the UE for a PDP context which was not known by the UE anymore, this is wrong. With this patch, the state of the NSAPI/PDP at the UE side is tracked, and used to know whether when the PDP gets deleted on the GGSN side then it needs to also be deleted on the Iu side. Change-Id: I0ccd9228d71c29248b5f510356dbfdb09565dc30 (cherry picked from commit `4ced617eb6`)	2024-09-16 12:11:17 +02:00