commit 22b26d8a1c74439af4b51d3e3e5f6a02eb7e0587
author Pau Espin Pedrol <pespin@sysmocom.de> Wed Oct 26 15:44:14 2022 +0200
committer Pau Espin Pedrol <pespin@sysmocom.de> Fri Oct 28 16:33:45 2022 +0200
tree 199aad5b51194f4c797f0356b82dbd8231753869
parent 3a7af57d03ed52bc00761f624380fcc420f932cb

Delay ImmAss(PCH, PktDlAss) if waiting for PKT_CTRL_ACK answering UL_ACK_NACK (FinACK=1)

In that state (ul_tbf=TBF_ST_FINISHED), we are unable to reach the MS to
assign a new DL TBF.
* MS Is not available in CCCH because it's attached the PDCH.
* MS won't be able to PKT_CTRL_ACK a PktDlAss on PACCH, because next
  thing it will do is to PKT_CTRL_ACK the UL_ACK_NACK(FINACK=1) we
  already polled it for, and immediatelly after that it will release the
  UL TBF on its side and go back to packet idle mode.

Hence, we must wait for MS to send the PKT_CTRL_ACK to us in order to be
able to assign the DL TBF in PCH (CCCH).

Related: OS#5700
Change-Id: I7a30db9cc7dae70e04054f1a4dba004bd1780d4a

src/tbf_fsm.c

diff --git a/src/tbf_fsm.c b/src/tbf_fsm.c
index 2b712e7..25253fd 100644
--- a/src/tbf_fsm.c
+++ b/src/tbf_fsm.c
@@ -244,6 +244,9 @@
 static void st_finished(struct osmo_fsm_inst *fi, uint32_t event, void *data)
 {
 	struct tbf_fsm_ctx *ctx = (struct tbf_fsm_ctx *)fi->priv;
+	struct GprsMs *ms;
+	bool new_ul_tbf_requested;
+
 	switch (event) {
 	case TBF_EV_DL_ACKNACK_MISS:
 		break;
@@ -254,9 +257,27 @@
 		tbf_fsm_state_chg(fi, TBF_ST_WAIT_RELEASE);
 		break;
 	case TBF_EV_FINAL_UL_ACK_CONFIRMED:
+		OSMO_ASSERT(tbf_direction(ctx->tbf) == GPRS_RLCMAC_UL_TBF);
+		new_ul_tbf_requested = (bool)data;
+		/* Ref the MS, otherwise it may be freed after ul_tbf is
+		 * detached when sending event below. */
+		ms = tbf_ms(ctx->tbf);
+		ms_ref(ms);
 		/* UL TBF ACKed our transmitted UL ACK/NACK with final Ack
-		 * Indicator set to '1' t. We can free the TBF right away. */
+		 * Indicator set to '1'. We can free the TBF right away, the MS
+		 * also just released its TBF on its side. */
+		LOGPTBFUL(tbf_as_ul_tbf(ctx->tbf), LOGL_DEBUG, "[UPLINK] END\n");
 		tbf_free(ctx->tbf);
+		/* Here fi, ctx and ctx->tbf are already freed! */
+		/* TS 44.060 9.3.3.3.2: There might be LLC packets waiting in
+		 * the queue but the DL TBF assignment might have been delayed
+		 * because there was no way to reach the MS (because ul_tbf was
+		 * in packet-active mode with FINISHED state). If MS is going
+		 * back to packet-idle mode then we can assign the DL TBF on PCH
+		 * now. */
+		if (!new_ul_tbf_requested && ms_need_dl_tbf(ms))
+			ms_new_dl_tbf_assignment(ms);
+		ms_unref(ms);
 		break;
 	case TBF_EV_MAX_N3103:
 		ctx->T_release = 3169;