diff --git a/src/Makefile.am b/src/Makefile.am
index f338624..ccc40ac 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -62,9 +62,11 @@
 	tbf.cpp \
 	tbf_fsm.c \
 	tbf_ul.cpp \
+	tbf_ul_fsm.c \
 	tbf_ul_ack_fsm.c \
 	tbf_ul_ass_fsm.c \
 	tbf_dl.cpp \
+	tbf_dl_fsm.c \
 	tbf_dl_ass_fsm.c \
 	bts.cpp \
 	bts_pch_timer.c \
diff --git a/src/pcu_vty_functions.cpp b/src/pcu_vty_functions.cpp
index 91f2068..1fac787 100644
--- a/src/pcu_vty_functions.cpp
+++ b/src/pcu_vty_functions.cpp
@@ -40,10 +40,20 @@
 	#include "coding_scheme.h"
 }
 
+static uint32_t tbf_state_flags(const struct gprs_rlcmac_tbf *tbf)
+{
+	const struct gprs_rlcmac_ul_tbf *ul_tbf = tbf_as_ul_tbf_const(tbf);
+	const struct gprs_rlcmac_dl_tbf *dl_tbf = tbf_as_dl_tbf_const(tbf);
+	if (ul_tbf)
+		return ul_tbf->state_fsm.state_flags;
+	return dl_tbf->state_fsm.state_flags;
+}
+
 static void tbf_print_vty_info(struct vty *vty, struct gprs_rlcmac_tbf *tbf)
 {
 	gprs_rlcmac_ul_tbf *ul_tbf = tbf_as_ul_tbf(tbf);
 	gprs_rlcmac_dl_tbf *dl_tbf = tbf_as_dl_tbf(tbf);
+	uint32_t state_flags = tbf_state_flags(tbf);
 
 	vty_out(vty, "TBF: TFI=%d TLLI=0x%08x (%s) TA=%u DIR=%s IMSI=%s%s", tbf->tfi(),
 		tbf->tlli(), tbf->is_tlli_valid() ? "valid" : "invalid",
@@ -52,9 +62,9 @@
 		tbf->imsi(), VTY_NEWLINE);
 	vty_out(vty, " created=%lu state=%s flags=%08x [CCCH:%u, PACCH:%u] 1st_TS=%d 1st_cTS=%d ctrl_TS=%d MS_CLASS=%d/%d%s",
 		tbf->created_ts(), tbf->state_name(),
-		tbf->state_fsm.state_flags,
-		tbf->state_fsm.state_flags & (1 << GPRS_RLCMAC_FLAG_CCCH),
-		tbf->state_fsm.state_flags & (1 << GPRS_RLCMAC_FLAG_PACCH),
+		state_flags,
+		state_flags & (1 << GPRS_RLCMAC_FLAG_CCCH),
+		state_flags & (1 << GPRS_RLCMAC_FLAG_PACCH),
 		tbf->first_ts,
 		tbf->first_common_ts, tbf->control_ts,
 		tbf->ms_class(),
@@ -101,6 +111,8 @@
 	struct llist_item *iter;
 	const struct gprs_rlcmac_trx *trx;
 	struct gprs_rlcmac_tbf *tbf;
+	const struct gprs_rlcmac_ul_tbf *ul_tbf;
+	const struct gprs_rlcmac_dl_tbf *dl_tbf;
 	size_t trx_no;
 
 	vty_out(vty, "UL TBFs%s", VTY_NEWLINE);
@@ -108,7 +120,8 @@
 		trx = &bts->trx[trx_no];
 		llist_for_each_entry(iter, &trx->ul_tbfs, list) {
 			tbf = (struct gprs_rlcmac_tbf *)iter->entry;
-			if (tbf->state_fsm.state_flags & flags)
+			ul_tbf = tbf_as_ul_tbf_const(tbf);
+			if (ul_tbf->state_fsm.state_flags & flags)
 				tbf_print_vty_info(vty, tbf);
 		}
 	}
@@ -118,7 +131,8 @@
 		trx = &bts->trx[trx_no];
 		llist_for_each_entry(iter, &trx->dl_tbfs, list) {
 			tbf = (struct gprs_rlcmac_tbf *)iter->entry;
-			if (tbf->state_fsm.state_flags & flags)
+			dl_tbf = tbf_as_dl_tbf_const(tbf);
+			if (dl_tbf->state_fsm.state_flags & flags)
 				tbf_print_vty_info(vty, tbf);
 		}
 	}
diff --git a/src/tbf.cpp b/src/tbf.cpp
index 4aa4089..86b501e 100644
--- a/src/tbf.cpp
+++ b/src/tbf.cpp
@@ -115,11 +115,6 @@
 	memset(&m_trx_list, 0, sizeof(m_trx_list));
 	m_trx_list.entry = this;
 
-	memset(&state_fsm, 0, sizeof(state_fsm));
-	state_fsm.tbf = this;
-	state_fi = osmo_fsm_inst_alloc(&tbf_fsm, this, &state_fsm, LOGL_INFO, NULL);
-	OSMO_ASSERT(state_fi);
-
 	memset(&ul_ass_fsm, 0, sizeof(ul_ass_fsm));
 	ul_ass_fsm.tbf = this;
 	ul_ass_fsm.fi = osmo_fsm_inst_alloc(&tbf_ul_ass_fsm, this, &ul_ass_fsm, LOGL_INFO, NULL);
@@ -912,18 +907,23 @@
 	struct osmo_strbuf sb = { .buf = buf, .len = sizeof(buf) };
 
 	OSMO_STRBUF_PRINTF(sb, "|");
-	if (tbf->state_fsm.state_flags & (1 << GPRS_RLCMAC_FLAG_CCCH))
-		OSMO_STRBUF_PRINTF(sb, "Assignment was on CCCH|");
-	if (tbf->state_fsm.state_flags & (1 << GPRS_RLCMAC_FLAG_PACCH))
-		OSMO_STRBUF_PRINTF(sb, "Assignment was on PACCH|");
 	if (tbf->direction == GPRS_RLCMAC_UL_TBF) {
-		const struct gprs_rlcmac_ul_tbf *ul_tbf = static_cast<const gprs_rlcmac_ul_tbf *>(tbf);
+		const struct gprs_rlcmac_ul_tbf *ul_tbf = tbf_as_ul_tbf_const(tbf);
+		if (ul_tbf->state_fsm.state_flags & (1 << GPRS_RLCMAC_FLAG_CCCH))
+			OSMO_STRBUF_PRINTF(sb, "Assignment was on CCCH|");
+		if (ul_tbf->state_fsm.state_flags & (1 << GPRS_RLCMAC_FLAG_PACCH))
+			OSMO_STRBUF_PRINTF(sb, "Assignment was on PACCH|");
 		if (ul_tbf->m_rx_counter)
 			OSMO_STRBUF_PRINTF(sb, "Uplink data was received|");
 		else
 			OSMO_STRBUF_PRINTF(sb, "No uplink data received yet|");
 	} else {
-		if (tbf->state_fsm.state_flags & (1 << GPRS_RLCMAC_FLAG_DL_ACK))
+		const struct gprs_rlcmac_dl_tbf *dl_tbf = tbf_as_dl_tbf_const(tbf);
+		if (dl_tbf->state_fsm.state_flags & (1 << GPRS_RLCMAC_FLAG_CCCH))
+			OSMO_STRBUF_PRINTF(sb, "Assignment was on CCCH|");
+		if (dl_tbf->state_fsm.state_flags & (1 << GPRS_RLCMAC_FLAG_PACCH))
+			OSMO_STRBUF_PRINTF(sb, "Assignment was on PACCH|");
+		if (dl_tbf->state_fsm.state_flags & (1 << GPRS_RLCMAC_FLAG_DL_ACK))
 			OSMO_STRBUF_PRINTF(sb, "Downlink ACK was received|");
 		else
 			OSMO_STRBUF_PRINTF(sb, "No downlink ACK received yet|");
diff --git a/src/tbf.h b/src/tbf.h
index b1ff221..8155e1d 100644
--- a/src/tbf.h
+++ b/src/tbf.h
@@ -256,7 +256,6 @@
 
 	struct rate_ctr_group *m_ctrs;
 	struct osmo_fsm_inst *state_fi;
-	struct tbf_fsm_ctx state_fsm;
 	struct tbf_ul_ass_fsm_ctx ul_ass_fsm;
 	struct tbf_ul_ass_fsm_ctx dl_ass_fsm;
 
diff --git a/src/tbf_dl.cpp b/src/tbf_dl.cpp
index 5006675..ae90041 100644
--- a/src/tbf_dl.cpp
+++ b/src/tbf_dl.cpp
@@ -180,6 +180,10 @@
 	m_dl_gprs_ctrs(NULL),
 	m_dl_egprs_ctrs(NULL)
 {
+	memset(&state_fsm, 0, sizeof(state_fsm));
+	state_fsm.tbf = (struct gprs_rlcmac_tbf *)this;
+	state_fi = osmo_fsm_inst_alloc(&tbf_dl_fsm, this, &state_fsm, LOGL_INFO, NULL);
+	OSMO_ASSERT(state_fi);
 }
 
 /**
diff --git a/src/tbf_dl.h b/src/tbf_dl.h
index 3a7c41d..8d4d716 100644
--- a/src/tbf_dl.h
+++ b/src/tbf_dl.h
@@ -21,6 +21,14 @@
 
 #include <stdint.h>
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+#include <tbf_fsm.h>
+#ifdef __cplusplus
+}
+#endif
+
 /*
  * TBF instance
  */
@@ -78,6 +86,8 @@
 	struct rate_ctr_group *m_dl_gprs_ctrs;
 	struct rate_ctr_group *m_dl_egprs_ctrs;
 
+	struct tbf_dl_fsm_ctx state_fsm;
+
 protected:
 	struct ana_result {
 		unsigned received_packets;
diff --git a/src/tbf_dl_fsm.c b/src/tbf_dl_fsm.c
new file mode 100644
index 0000000..0cd8504
--- /dev/null
+++ b/src/tbf_dl_fsm.c
@@ -0,0 +1,456 @@
+/* tbf_dl_fsm.c
+ *
+ * Copyright (C) 2021-2022 by sysmocom - s.f.m.c. GmbH <info@sysmocom.de>
+ * Author: Pau Espin Pedrol <pespin@sysmocom.de>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ */
+
+#include <unistd.h>
+
+#include <talloc.h>
+
+#include <tbf_fsm.h>
+#include <gprs_rlcmac.h>
+#include <gprs_debug.h>
+#include <gprs_ms.h>
+#include <encoding.h>
+#include <bts.h>
+
+#include <bts_pch_timer.h>
+
+#define X(s) (1 << (s))
+
+const struct osmo_tdef_state_timeout tbf_dl_fsm_timeouts[32] = {
+	[TBF_ST_NEW] = {},
+	[TBF_ST_ASSIGN] = { },
+	[TBF_ST_FLOW] = { },
+	[TBF_ST_FINISHED] = {},
+	[TBF_ST_WAIT_RELEASE] = {},
+	[TBF_ST_RELEASING] = {},
+};
+
+/* Transition to a state, using the T timer defined in tbf_fsm_timeouts.
+ * The actual timeout value is in turn obtained from conn->T_defs.
+ * Assumes local variable fi exists. */
+#define tbf_dl_fsm_state_chg(fi, NEXT_STATE) \
+	osmo_tdef_fsm_inst_state_chg(fi, NEXT_STATE, \
+				     tbf_dl_fsm_timeouts, \
+				     the_pcu->T_defs, \
+				     -1)
+
+static void mod_ass_type(struct tbf_dl_fsm_ctx *ctx, uint8_t t, bool set)
+{
+	const char *ch = "UNKNOWN";
+	bool prev_set = ctx->state_flags & (1 << t);
+
+	switch (t) {
+	case GPRS_RLCMAC_FLAG_CCCH:
+		ch = "CCCH";
+		break;
+	case GPRS_RLCMAC_FLAG_PACCH:
+		ch = "PACCH";
+		break;
+	default:
+		LOGPTBF(ctx->tbf, LOGL_ERROR,
+			"attempted to %sset unexpected ass. type %d - FIXME!\n",
+			set ? "" : "un", t);
+		return;
+	}
+
+	if (set && prev_set)
+		LOGPTBF(ctx->tbf, LOGL_ERROR,
+			"attempted to set ass. type %s which is already set.\n", ch);
+	else if (!set && !prev_set)
+		return;
+
+	LOGPTBF(ctx->tbf, LOGL_INFO, "%sset ass. type %s [prev CCCH:%u, PACCH:%u]\n",
+		set ? "" : "un", ch,
+		!!(ctx->state_flags & (1 << GPRS_RLCMAC_FLAG_CCCH)),
+		!!(ctx->state_flags & (1 << GPRS_RLCMAC_FLAG_PACCH)));
+
+	if (set) {
+		ctx->state_flags |= (1 << t);
+	} else {
+		ctx->state_flags &= GPRS_RLCMAC_FLAG_TO_MASK; /* keep to flags */
+		ctx->state_flags &= ~(1 << t);
+	}
+}
+
+
+static void st_new(struct osmo_fsm_inst *fi, uint32_t event, void *data)
+{
+	struct tbf_dl_fsm_ctx *ctx = (struct tbf_dl_fsm_ctx *)fi->priv;
+	switch (event) {
+	case TBF_EV_ASSIGN_ADD_CCCH:
+		mod_ass_type(ctx, GPRS_RLCMAC_FLAG_CCCH, true);
+		tbf_dl_fsm_state_chg(fi, TBF_ST_ASSIGN);
+		break;
+	case TBF_EV_ASSIGN_ADD_PACCH:
+		mod_ass_type(ctx, GPRS_RLCMAC_FLAG_PACCH, true);
+		tbf_dl_fsm_state_chg(fi, TBF_ST_ASSIGN);
+		break;
+	default:
+		OSMO_ASSERT(0);
+	}
+}
+
+static void st_assign_on_enter(struct osmo_fsm_inst *fi, uint32_t prev_state)
+{
+	struct tbf_dl_fsm_ctx *ctx = (struct tbf_dl_fsm_ctx *)fi->priv;
+	unsigned long val;
+	unsigned int sec, micro;
+
+	/* If assignment for this TBF is happening on PACCH, that means the
+	 * actual Assignment procedure (tx/rx) is happening on another TBF (eg
+	 * Ul TBF vs DL TBF). Hence we add a security timer here to free it in
+	 * case the other TBF doesn't succeed in informing (assigning) the MS
+	 * about this TBF, or simply because the scheduler takes too long to
+	 * schedule it. This timer can probably be dropped once we make the
+	 * other TBF always signal us assignment failure (we already get
+	 * assignment success through TBF_EV_ASSIGN_ACK_PACCH) */
+	if (ctx->state_flags & (1 << GPRS_RLCMAC_FLAG_PACCH)) {
+		fi->T = -2001;
+		val = osmo_tdef_get(the_pcu->T_defs, fi->T, OSMO_TDEF_MS, -1);
+		sec = val / 1000;
+		micro = (val % 1000) * 1000;
+		LOGPTBF(ctx->tbf, LOGL_DEBUG,
+			"Starting timer X2001 [assignment (PACCH)] with %u sec. %u microsec\n",
+			sec, micro);
+		osmo_timer_schedule(&fi->timer, sec, micro);
+	} else {
+		 /* GPRS_RLCMAC_FLAG_CCCH is set, so here we submitted an DL Ass
+		  * through PCUIF on CCCH */
+	}
+}
+
+static void st_assign(struct osmo_fsm_inst *fi, uint32_t event, void *data)
+{
+	struct tbf_dl_fsm_ctx *ctx = (struct tbf_dl_fsm_ctx *)fi->priv;
+	unsigned long val;
+	unsigned int sec, micro;
+
+	switch (event) {
+	case TBF_EV_ASSIGN_ADD_CCCH:
+		mod_ass_type(ctx, GPRS_RLCMAC_FLAG_CCCH, true);
+		break;
+	case TBF_EV_ASSIGN_ADD_PACCH:
+		mod_ass_type(ctx, GPRS_RLCMAC_FLAG_PACCH, true);
+		break;
+	case TBF_EV_ASSIGN_ACK_PACCH:
+		tbf_assign_control_ts(ctx->tbf);
+		if (ctx->state_flags & (1 << GPRS_RLCMAC_FLAG_CCCH)) {
+			/* We now know that the PACCH really existed */
+			LOGPTBF(ctx->tbf, LOGL_INFO,
+				"The TBF has been confirmed on the PACCH, "
+				"changed type from CCCH to PACCH\n");
+			mod_ass_type(ctx, GPRS_RLCMAC_FLAG_CCCH, false);
+			mod_ass_type(ctx, GPRS_RLCMAC_FLAG_PACCH, true);
+		}
+		tbf_dl_fsm_state_chg(fi, TBF_ST_FLOW);
+		break;
+	case TBF_EV_ASSIGN_PCUIF_CNF:
+		/* BTS informs us it sent Imm Ass for DL TBF over CCCH. We now
+		 * have to wait for X2002 to trigger (meaning MS is already
+		 * listening on PDCH) in order to move to FLOW state and start
+		 * transmitting data to it. When X2002 triggers (see cb timer
+		 * end of the file) it will send  TBF_EV_ASSIGN_READY_CCCH back
+		 * to us here. */
+		fi->T = -2002;
+		val = osmo_tdef_get(the_pcu->T_defs, fi->T, OSMO_TDEF_MS, -1);
+		sec = val / 1000;
+		micro = (val % 1000) * 1000;
+		LOGPTBF(ctx->tbf, LOGL_DEBUG,
+			"Starting timer X2002 [assignment (AGCH)] with %u sec. %u microsec\n",
+			sec, micro);
+		osmo_timer_schedule(&fi->timer, sec, micro);
+		break;
+	case TBF_EV_ASSIGN_READY_CCCH:
+		/* change state to FLOW, so scheduler will start transmission */
+		tbf_dl_fsm_state_chg(fi, TBF_ST_FLOW);
+		break;
+	case TBF_EV_MAX_N3105:
+		/* We are going to release, so abort any Pkt Ul Ass pending to be scheduled: */
+		osmo_fsm_inst_dispatch(tbf_ul_ass_fi(ctx->tbf), TBF_UL_ASS_EV_ABORT, NULL);
+		ctx->T_release = 3195;
+		tbf_dl_fsm_state_chg(fi, TBF_ST_RELEASING);
+		break;
+	default:
+		OSMO_ASSERT(0);
+	}
+}
+
+static void st_flow(struct osmo_fsm_inst *fi, uint32_t event, void *data)
+{
+	struct tbf_dl_fsm_ctx *ctx = (struct tbf_dl_fsm_ctx *)fi->priv;
+
+	switch (event) {
+	case TBF_EV_DL_ACKNACK_MISS:
+		/* DL TBF: we missed a DL ACK/NACK. If we started assignment
+		 * over CCCH and never received any DL ACK/NACK yet, it means we
+		 * don't even know if the MS successfully received the Imm Ass on
+		 * CCCH and hence is listening on PDCH. Let's better refrain
+		 * from continuing and start assignment on CCCH again */
+		if ((ctx->state_flags & (1 << GPRS_RLCMAC_FLAG_CCCH))
+		     && !(ctx->state_flags & (1 << GPRS_RLCMAC_FLAG_DL_ACK))) {
+			struct GprsMs *ms = tbf_ms(ctx->tbf);
+			LOGPTBF(ctx->tbf, LOGL_DEBUG, "Re-send downlink assignment on PCH (IMSI=%s)\n",
+				ms_imsi_is_valid(ms) ? ms_imsi(ms) : "");
+			tbf_dl_fsm_state_chg(fi, TBF_ST_ASSIGN);
+			/* send immediate assignment */
+			bts_snd_dl_ass(ms->bts, ctx->tbf);
+		}
+		break;
+	case TBF_EV_LAST_DL_DATA_SENT:
+		/* All data has been sent or received, change state to FINISHED */
+		tbf_dl_fsm_state_chg(fi, TBF_ST_FINISHED);
+		break;
+	case TBF_EV_FINAL_ACK_RECVD:
+		/* We received Final Ack (DL ACK/NACK) from MS. move to
+		 * WAIT_RELEASE, we wait there for release or re-use the TBF in
+		 * case we receive more DL data to tx */
+		tbf_dl_fsm_state_chg(fi, TBF_ST_WAIT_RELEASE);
+		break;
+	case TBF_EV_MAX_N3105:
+		ctx->T_release = 3195;
+		tbf_dl_fsm_state_chg(fi, TBF_ST_RELEASING);
+		break;
+	default:
+		OSMO_ASSERT(0);
+	}
+}
+
+static void st_finished(struct osmo_fsm_inst *fi, uint32_t event, void *data)
+{
+	struct tbf_dl_fsm_ctx *ctx = (struct tbf_dl_fsm_ctx *)fi->priv;
+
+	switch (event) {
+	case TBF_EV_DL_ACKNACK_MISS:
+		OSMO_ASSERT(tbf_direction(ctx->tbf) == GPRS_RLCMAC_DL_TBF);
+		break;
+	case TBF_EV_FINAL_ACK_RECVD:
+		/* We received Final Ack (DL ACK/NACK) from MS. move to
+		 * WAIT_RELEASE, we wait there for release or re-use the TBF in
+		 * case we receive more DL data to tx */
+		tbf_dl_fsm_state_chg(fi, TBF_ST_WAIT_RELEASE);
+		break;
+	case TBF_EV_MAX_N3105:
+		ctx->T_release = 3195;
+		tbf_dl_fsm_state_chg(fi, TBF_ST_RELEASING);
+		break;
+	default:
+		OSMO_ASSERT(0);
+	}
+}
+
+static void st_wait_release_on_enter(struct osmo_fsm_inst *fi, uint32_t prev_state)
+{
+	struct tbf_dl_fsm_ctx *ctx = (struct tbf_dl_fsm_ctx *)fi->priv;
+	unsigned long val_s, val_ms, val_us;
+	OSMO_ASSERT(tbf_direction(ctx->tbf) == GPRS_RLCMAC_DL_TBF);
+
+	fi->T = 3193;
+	val_ms = osmo_tdef_get(tbf_ms(ctx->tbf)->bts->T_defs_bts, fi->T, OSMO_TDEF_MS, -1);
+	val_s = val_ms / 1000;
+	val_us = (val_ms % 1000) * 1000;
+	LOGPTBF(ctx->tbf, LOGL_DEBUG, "starting timer T%u with %lu sec. %lu microsec\n",
+		fi->T, val_s, val_us);
+	osmo_timer_schedule(&fi->timer, val_s, val_us);
+
+	mod_ass_type(ctx, GPRS_RLCMAC_FLAG_CCCH, false);
+}
+
+static void st_wait_release(struct osmo_fsm_inst *fi, uint32_t event, void *data)
+{
+	struct tbf_dl_fsm_ctx *ctx = (struct tbf_dl_fsm_ctx *)fi->priv;
+	switch (event) {
+	case TBF_EV_FINAL_ACK_RECVD:
+		/* ignore, duplicate ACK, we already know about since we are in WAIT_RELEASE */
+		break;
+	case TBF_EV_MAX_N3105:
+		ctx->T_release = 3195;
+		tbf_dl_fsm_state_chg(fi, TBF_ST_RELEASING);
+		break;
+	default:
+		OSMO_ASSERT(0);
+	}
+}
+
+static void st_releasing_on_enter(struct osmo_fsm_inst *fi, uint32_t prev_state)
+{
+	struct tbf_dl_fsm_ctx *ctx = (struct tbf_dl_fsm_ctx *)fi->priv;
+	unsigned long val;
+
+	if (!ctx->T_release)
+		return;
+
+	/* In  general we should end up here with an assigned timer in ctx->T_release. Possible values are:
+	* T3195: Wait for reuse of TFI(s) when there is no response from the MS
+	*	 (radio failure or cell change) for this TBF/MBMS radio bearer.
+	* T3169: Wait for reuse of USF and TFI(s) after the MS uplink assignment for this TBF is invalid.
+	*/
+	val = osmo_tdef_get(tbf_ms(ctx->tbf)->bts->T_defs_bts, ctx->T_release, OSMO_TDEF_S, -1);
+	fi->T = ctx->T_release;
+	LOGPTBF(ctx->tbf, LOGL_DEBUG, "starting timer T%u with %lu sec. %u microsec\n",
+		ctx->T_release, val, 0);
+	osmo_timer_schedule(&fi->timer, val, 0);
+}
+
+static void st_releasing(struct osmo_fsm_inst *fi, uint32_t event, void *data)
+{
+	struct tbf_dl_fsm_ctx *ctx = (struct tbf_dl_fsm_ctx *)fi->priv;
+	switch (event) {
+	case TBF_EV_DL_ACKNACK_MISS:
+		OSMO_ASSERT(tbf_direction(ctx->tbf) == GPRS_RLCMAC_DL_TBF);
+		/* Ignore, we don't care about missed DL ACK/NACK poll timeouts
+		 * anymore, we are already releasing the TBF */
+		break;
+	default:
+		OSMO_ASSERT(0);
+	}
+}
+
+static void handle_timeout_X2002(struct osmo_fsm_inst *fi)
+{
+	struct tbf_dl_fsm_ctx *ctx = (struct tbf_dl_fsm_ctx *)fi->priv;
+	struct gprs_rlcmac_dl_tbf *dl_tbf = tbf_as_dl_tbf(ctx->tbf);
+
+	if (fi->state == TBF_ST_ASSIGN) {
+		tbf_assign_control_ts(ctx->tbf);
+
+		if (!tbf_can_upgrade_to_multislot(ctx->tbf)) {
+			/* change state to FLOW, so scheduler
+			 * will start transmission */
+			osmo_fsm_inst_dispatch(fi, TBF_EV_ASSIGN_READY_CCCH, NULL);
+			return;
+		}
+
+		/* This tbf can be upgraded to use multiple DL
+		 * timeslots and now that there is already one
+		 * slot assigned send another DL assignment via
+		 * PDCH. */
+
+		/* keep to flags */
+		ctx->state_flags &= GPRS_RLCMAC_FLAG_TO_MASK;
+
+		tbf_update(ctx->tbf);
+		dl_tbf_trigger_ass_on_pacch(dl_tbf, ctx->tbf);
+	} else
+		LOGPTBF(ctx->tbf, LOGL_NOTICE, "Continue flow after IMM.ASS confirm\n");
+}
+
+static int tbf_dl_fsm_timer_cb(struct osmo_fsm_inst *fi)
+{
+	struct tbf_dl_fsm_ctx *ctx = (struct tbf_dl_fsm_ctx *)fi->priv;
+	switch (fi->T) {
+	case -2002:
+		handle_timeout_X2002(fi);
+		break;
+	case -2001:
+		LOGPTBF(ctx->tbf, LOGL_NOTICE, "releasing due to PACCH assignment timeout.\n");
+		/* fall-through */
+	case 3169:
+	case 3193:
+	case 3195:
+		tbf_free(ctx->tbf);
+		break;
+	default:
+		OSMO_ASSERT(0);
+	}
+	return 0;
+}
+
+static struct osmo_fsm_state tbf_dl_fsm_states[] = {
+	[TBF_ST_NEW] = {
+		.in_event_mask =
+			X(TBF_EV_ASSIGN_ADD_CCCH) |
+			X(TBF_EV_ASSIGN_ADD_PACCH),
+		.out_state_mask =
+			X(TBF_ST_ASSIGN) |
+			X(TBF_ST_RELEASING),
+		.name = "NEW",
+		.action = st_new,
+	},
+	[TBF_ST_ASSIGN] = {
+		.in_event_mask =
+			X(TBF_EV_ASSIGN_ADD_CCCH) |
+			X(TBF_EV_ASSIGN_ADD_PACCH) |
+			X(TBF_EV_ASSIGN_ACK_PACCH) |
+			X(TBF_EV_ASSIGN_PCUIF_CNF) |
+			X(TBF_EV_ASSIGN_READY_CCCH) |
+			X(TBF_EV_MAX_N3105),
+		.out_state_mask =
+			X(TBF_ST_FLOW) |
+			X(TBF_ST_FINISHED) |
+			X(TBF_ST_RELEASING),
+		.name = "ASSIGN",
+		.action = st_assign,
+		.onenter = st_assign_on_enter,
+	},
+	[TBF_ST_FLOW] = {
+		.in_event_mask =
+			X(TBF_EV_DL_ACKNACK_MISS) |
+			X(TBF_EV_LAST_DL_DATA_SENT) |
+			X(TBF_EV_FINAL_ACK_RECVD) |
+			X(TBF_EV_MAX_N3105),
+		.out_state_mask =
+			X(TBF_ST_ASSIGN) |
+			X(TBF_ST_FINISHED) |
+			X(TBF_ST_WAIT_RELEASE) |
+			X(TBF_ST_RELEASING),
+		.name = "FLOW",
+		.action = st_flow,
+	},
+	[TBF_ST_FINISHED] = {
+		.in_event_mask =
+			X(TBF_EV_DL_ACKNACK_MISS) |
+			X(TBF_EV_FINAL_ACK_RECVD) |
+			X(TBF_EV_MAX_N3105),
+		.out_state_mask =
+			X(TBF_ST_WAIT_RELEASE) |
+			X(TBF_ST_RELEASING),
+		.name = "FINISHED",
+		.action = st_finished,
+	},
+	[TBF_ST_WAIT_RELEASE] = {
+		.in_event_mask =
+			X(TBF_EV_FINAL_ACK_RECVD) |
+			X(TBF_EV_MAX_N3105),
+		.out_state_mask =
+			X(TBF_ST_RELEASING),
+		.name = "WAIT_RELEASE",
+		.action = st_wait_release,
+		.onenter = st_wait_release_on_enter,
+	},
+	[TBF_ST_RELEASING] = {
+		.in_event_mask =
+			X(TBF_EV_DL_ACKNACK_MISS),
+		.out_state_mask =
+			0,
+		.name = "RELEASING",
+		.action = st_releasing,
+		.onenter = st_releasing_on_enter,
+	},
+};
+
+struct osmo_fsm tbf_dl_fsm = {
+	.name = "DL_TBF",
+	.states = tbf_dl_fsm_states,
+	.num_states = ARRAY_SIZE(tbf_dl_fsm_states),
+	.timer_cb = tbf_dl_fsm_timer_cb,
+	.log_subsys = DTBFDL,
+	.event_names = tbf_fsm_event_names,
+};
+
+static __attribute__((constructor)) void tbf_dl_fsm_init(void)
+{
+	OSMO_ASSERT(osmo_fsm_register(&tbf_dl_fsm) == 0);
+}
diff --git a/src/tbf_fsm.c b/src/tbf_fsm.c
index 4dcac17..28c04a3 100644
--- a/src/tbf_fsm.c
+++ b/src/tbf_fsm.c
@@ -1,6 +1,6 @@
 /* tbf_fsm.c
  *
- * Copyright (C) 2021 by sysmocom - s.f.m.c. GmbH <info@sysmocom.de>
+ * Copyright (C) 2021-2022 by sysmocom - s.f.m.c. GmbH <info@sysmocom.de>
  * Author: Pau Espin Pedrol <pespin@sysmocom.de>
  *
  * This program is free software; you can redistribute it and/or
@@ -14,29 +14,12 @@
  * GNU General Public License for more details.
  */
 
-#include <unistd.h>
-
-#include <talloc.h>
+#include <osmocom/core/utils.h>
 
 #include <tbf_fsm.h>
-#include <gprs_rlcmac.h>
-#include <gprs_debug.h>
-#include <gprs_ms.h>
-#include <encoding.h>
-#include <bts.h>
 
-#include <bts_pch_timer.h>
-
-#define X(s) (1 << (s))
-
-const struct osmo_tdef_state_timeout tbf_fsm_timeouts[32] = {
-	[TBF_ST_NEW] = {},
-	[TBF_ST_ASSIGN] = { },
-	[TBF_ST_FLOW] = { },
-	[TBF_ST_FINISHED] = {},
-	[TBF_ST_WAIT_RELEASE] = {},
-	[TBF_ST_RELEASING] = {},
-};
+/* Note: This file contains shared code for UL/DL TBF FSM. See tbf_dl_fsm.c and
+ * tbf_ul_fsm.c for the actual implementations of the FSM */
 
 /* Transition to a state, using the T timer defined in tbf_fsm_timeouts.
  * The actual timeout value is in turn obtained from conn->T_defs.
@@ -65,503 +48,3 @@
 	{ TBF_EV_MAX_N3105 , "MAX_N3105" },
 	{ 0, NULL }
 };
-
-static void mod_ass_type(struct tbf_fsm_ctx *ctx, uint8_t t, bool set)
-{
-	const char *ch = "UNKNOWN";
-	bool prev_set = ctx->state_flags & (1 << t);
-
-	switch (t) {
-	case GPRS_RLCMAC_FLAG_CCCH:
-		ch = "CCCH";
-		break;
-	case GPRS_RLCMAC_FLAG_PACCH:
-		ch = "PACCH";
-		break;
-	default:
-		LOGPTBF(ctx->tbf, LOGL_ERROR,
-			"attempted to %sset unexpected ass. type %d - FIXME!\n",
-			set ? "" : "un", t);
-		return;
-	}
-
-	if (set && prev_set) {
-		LOGPTBF(ctx->tbf, LOGL_ERROR,
-			"attempted to set ass. type %s which is already set.\n", ch);
-	} else if (!set && !prev_set) {
-			return;
-	}
-
-	LOGPTBF(ctx->tbf, LOGL_INFO, "%sset ass. type %s [prev CCCH:%u, PACCH:%u]\n",
-		set ? "" : "un", ch,
-		!!(ctx->state_flags & (1 << GPRS_RLCMAC_FLAG_CCCH)),
-		!!(ctx->state_flags & (1 << GPRS_RLCMAC_FLAG_PACCH)));
-
-	if (set) {
-		ctx->state_flags |= (1 << t);
-	} else {
-		ctx->state_flags &= GPRS_RLCMAC_FLAG_TO_MASK; /* keep to flags */
-		ctx->state_flags &= ~(1 << t);
-	}
-}
-
-
-static void st_new(struct osmo_fsm_inst *fi, uint32_t event, void *data)
-{
-	struct tbf_fsm_ctx *ctx = (struct tbf_fsm_ctx *)fi->priv;
-	switch (event) {
-	case TBF_EV_ASSIGN_ADD_CCCH:
-		mod_ass_type(ctx, GPRS_RLCMAC_FLAG_CCCH, true);
-		if (tbf_direction(ctx->tbf) == GPRS_RLCMAC_UL_TBF) {
-			struct gprs_rlcmac_ul_tbf *ul_tbf = tbf_as_ul_tbf(ctx->tbf);
-			tbf_fsm_state_chg(fi, TBF_ST_FLOW);
-			ul_tbf_contention_resolution_start(ul_tbf);
-		} else {
-			tbf_fsm_state_chg(fi, TBF_ST_ASSIGN);
-		}
-		break;
-	case TBF_EV_ASSIGN_ADD_PACCH:
-		mod_ass_type(ctx, GPRS_RLCMAC_FLAG_PACCH, true);
-		tbf_fsm_state_chg(fi, TBF_ST_ASSIGN);
-		break;
-	default:
-		OSMO_ASSERT(0);
-	}
-}
-
-static void st_assign_on_enter(struct osmo_fsm_inst *fi, uint32_t prev_state)
-{
-	struct tbf_fsm_ctx *ctx = (struct tbf_fsm_ctx *)fi->priv;
-	unsigned long val;
-	unsigned int sec, micro;
-
-	/* If assignment for this TBF is happening on PACCH, that means the
-	 * actual Assignment procedure (tx/rx) is happening on another TBF (eg
-	 * Ul TBF vs DL TBF). Hence we add a security timer here to free it in
-	 * case the other TBF doesn't succeed in informing (assigning) the MS
-	 * about this TBF, or simply because the scheduler takes too long to
-	 * schedule it. This timer can probably be dropped once we make the
-	 * other TBF always signal us assignment failure (we already get
-	 * assignment success through TBF_EV_ASSIGN_ACK_PACCH) */
-	if (ctx->state_flags & (1 << GPRS_RLCMAC_FLAG_PACCH)) {
-		fi->T = -2001;
-		val = osmo_tdef_get(the_pcu->T_defs, fi->T, OSMO_TDEF_MS, -1);
-		sec = val / 1000;
-		micro = (val % 1000) * 1000;
-		LOGPTBF(ctx->tbf, LOGL_DEBUG,
-			"Starting timer X2001 [assignment (PACCH)] with %u sec. %u microsec\n",
-			sec, micro);
-		osmo_timer_schedule(&fi->timer, sec, micro);
-	} else if (tbf_direction(ctx->tbf) == GPRS_RLCMAC_DL_TBF) {
-		 /* GPRS_RLCMAC_FLAG_CCCH is set, so here we submitted an DL Ass through PCUIF on CCCH */
-	}
-}
-
-static void st_assign(struct osmo_fsm_inst *fi, uint32_t event, void *data)
-{
-	struct tbf_fsm_ctx *ctx = (struct tbf_fsm_ctx *)fi->priv;
-	unsigned long val;
-	unsigned int sec, micro;
-
-	switch (event) {
-	case TBF_EV_ASSIGN_ADD_CCCH:
-		mod_ass_type(ctx, GPRS_RLCMAC_FLAG_CCCH, true);
-		break;
-	case TBF_EV_ASSIGN_ADD_PACCH:
-		mod_ass_type(ctx, GPRS_RLCMAC_FLAG_PACCH, true);
-		break;
-	case TBF_EV_ASSIGN_ACK_PACCH:
-		tbf_assign_control_ts(ctx->tbf);
-		if (ctx->state_flags & (1 << GPRS_RLCMAC_FLAG_CCCH)) {
-			/* We now know that the PACCH really existed */
-			LOGPTBF(ctx->tbf, LOGL_INFO,
-				"The TBF has been confirmed on the PACCH, "
-				"changed type from CCCH to PACCH\n");
-			mod_ass_type(ctx, GPRS_RLCMAC_FLAG_CCCH, false);
-			mod_ass_type(ctx, GPRS_RLCMAC_FLAG_PACCH, true);
-		}
-		tbf_fsm_state_chg(fi, TBF_ST_FLOW);
-		break;
-	case TBF_EV_ASSIGN_PCUIF_CNF:
-		/* BTS informs us it sent Imm Ass for DL TBF over CCCH. We now
-		 * have to wait for X2002 to trigger (meaning MS is already
-		 * listening on PDCH) in order to move to FLOW state and start
-		 * transmitting data to it. When X2002 triggers (see cb timer
-		 * end of the file) it will send  TBF_EV_ASSIGN_READY_CCCH back
-		 * to us here. */
-		OSMO_ASSERT(tbf_direction(ctx->tbf) == GPRS_RLCMAC_DL_TBF);
-		fi->T = -2002;
-		val = osmo_tdef_get(the_pcu->T_defs, fi->T, OSMO_TDEF_MS, -1);
-		sec = val / 1000;
-		micro = (val % 1000) * 1000;
-		LOGPTBF(ctx->tbf, LOGL_DEBUG,
-			"Starting timer X2002 [assignment (AGCH)] with %u sec. %u microsec\n",
-			sec, micro);
-		osmo_timer_schedule(&fi->timer, sec, micro);
-		break;
-	case TBF_EV_ASSIGN_READY_CCCH:
-		/* change state to FLOW, so scheduler will start transmission */
-		tbf_fsm_state_chg(fi, TBF_ST_FLOW);
-		break;
-	case TBF_EV_MAX_N3105:
-		/* We are going to release, so abort any Pkt Ul Ass pending to be scheduled: */
-		osmo_fsm_inst_dispatch(tbf_ul_ass_fi(ctx->tbf), TBF_UL_ASS_EV_ABORT, NULL);
-		ctx->T_release = 3195;
-		tbf_fsm_state_chg(fi, TBF_ST_RELEASING);
-		break;
-	default:
-		OSMO_ASSERT(0);
-	}
-}
-
-static void st_flow(struct osmo_fsm_inst *fi, uint32_t event, void *data)
-{
-	struct tbf_fsm_ctx *ctx = (struct tbf_fsm_ctx *)fi->priv;
-	struct GprsMs *ms = tbf_ms(ctx->tbf);
-	struct gprs_rlcmac_dl_tbf *dl_tbf = NULL;
-
-	switch (event) {
-	case TBF_EV_FIRST_UL_DATA_RECVD:
-		OSMO_ASSERT(tbf_direction(ctx->tbf) == GPRS_RLCMAC_UL_TBF);
-		/* TS 44.060 7a.2.1.1: "The contention resolution is completed on
-		 * the network side when the network receives an RLC data block that
-		 * comprises the TLLI value that identifies the mobile station and the
-		 * TFI value associated with the TBF." */
-		bts_pch_timer_stop(ms->bts, ms);
-		/* We may still have some DL-TBF waiting for assignment in PCH,
-		 * which clearly won't happen since the MS is on PDCH now. Get rid
-		 * of it, it will be re-assigned on PACCH when contention
-		 * resolution at the MS side is done (1st UL ACK/NACK sent) */
-		if ((dl_tbf = ms_dl_tbf(ms))) {
-			/* Get rid of previous finished UL TBF before providing a new one */
-			LOGPTBFDL(dl_tbf, LOGL_NOTICE,
-					"Got first UL data while DL-TBF pending, killing it\n");
-			tbf_free(dl_tbf_as_tbf(dl_tbf));
-			dl_tbf = NULL;
-		}
-		break;
-	case TBF_EV_CONTENTION_RESOLUTION_MS_SUCCESS:
-		OSMO_ASSERT(tbf_direction(ctx->tbf) == GPRS_RLCMAC_UL_TBF);
-		ul_tbf_contention_resolution_success(tbf_as_ul_tbf(ctx->tbf));
-		break;
-	case TBF_EV_DL_ACKNACK_MISS:
-		OSMO_ASSERT(tbf_direction(ctx->tbf) == GPRS_RLCMAC_DL_TBF);
-		/* DL TBF: we missed a DL ACK/NACK. If we started assignment
-		 * over CCCH and never received any DL ACK/NACK yet, it means we
-		 * don't even know if the MS successfuly received the Imm Ass on
-		 * CCCH and hence is listening on PDCH. Let's better refrain
-		 * from continuing and start assignment on CCCH again */
-		if ((ctx->state_flags & (1 << GPRS_RLCMAC_FLAG_CCCH))
-		     && !(ctx->state_flags & (1 << GPRS_RLCMAC_FLAG_DL_ACK))) {
-			struct GprsMs *ms = tbf_ms(ctx->tbf);
-			LOGPTBF(ctx->tbf, LOGL_DEBUG, "Re-send downlink assignment on PCH (IMSI=%s)\n",
-				ms_imsi_is_valid(ms) ? ms_imsi(ms) : "");
-			tbf_fsm_state_chg(fi, TBF_ST_ASSIGN);
-			/* send immediate assignment */
-			bts_snd_dl_ass(ms->bts, ctx->tbf);
-		}
-		break;
-	case TBF_EV_LAST_DL_DATA_SENT:
-	case TBF_EV_LAST_UL_DATA_RECVD:
-		/* All data has been sent or received, change state to FINISHED */
-		tbf_fsm_state_chg(fi, TBF_ST_FINISHED);
-		break;
-	case TBF_EV_FINAL_ACK_RECVD:
-		OSMO_ASSERT(tbf_direction(ctx->tbf) == GPRS_RLCMAC_DL_TBF);
-		/* We received Final Ack (DL ACK/NACK) from MS. move to
-		   WAIT_RELEASE, we wait there for release or re-use the TBF in
-		   case we receive more DL data to tx */
-		tbf_fsm_state_chg(fi, TBF_ST_WAIT_RELEASE);
-		break;
-	case TBF_EV_MAX_N3101:
-		ctx->T_release = 3169;
-		tbf_fsm_state_chg(fi, TBF_ST_RELEASING);
-		break;
-	case TBF_EV_MAX_N3105:
-		ctx->T_release = 3195;
-		tbf_fsm_state_chg(fi, TBF_ST_RELEASING);
-		break;
-	default:
-		OSMO_ASSERT(0);
-	}
-}
-
-static void st_finished(struct osmo_fsm_inst *fi, uint32_t event, void *data)
-{
-	struct tbf_fsm_ctx *ctx = (struct tbf_fsm_ctx *)fi->priv;
-	struct GprsMs *ms;
-	bool new_ul_tbf_requested;
-
-	switch (event) {
-	case TBF_EV_CONTENTION_RESOLUTION_MS_SUCCESS:
-		OSMO_ASSERT(tbf_direction(ctx->tbf) == GPRS_RLCMAC_UL_TBF);
-		/* UL TBF: If MS only sends 1 RLCMAC UL block, it can be that we
-		 * end up in FINISHED state before sending the first UL ACK/NACK */
-		ul_tbf_contention_resolution_success(tbf_as_ul_tbf(ctx->tbf));
-		break;
-	case TBF_EV_DL_ACKNACK_MISS:
-		OSMO_ASSERT(tbf_direction(ctx->tbf) == GPRS_RLCMAC_DL_TBF);
-		break;
-	case TBF_EV_FINAL_ACK_RECVD:
-		OSMO_ASSERT(tbf_direction(ctx->tbf) == GPRS_RLCMAC_DL_TBF);
-		/* We received Final Ack (DL ACK/NACK) from MS. move to
-		   WAIT_RELEASE, we wait there for release or re-use the TBF in
-		   case we receive more DL data to tx */
-		tbf_fsm_state_chg(fi, TBF_ST_WAIT_RELEASE);
-		break;
-	case TBF_EV_FINAL_UL_ACK_CONFIRMED:
-		OSMO_ASSERT(tbf_direction(ctx->tbf) == GPRS_RLCMAC_UL_TBF);
-		new_ul_tbf_requested = (bool)data;
-		/* Ref the MS, otherwise it may be freed after ul_tbf is
-		 * detached when sending event below. */
-		ms = tbf_ms(ctx->tbf);
-		ms_ref(ms);
-		/* UL TBF ACKed our transmitted UL ACK/NACK with final Ack
-		 * Indicator set to '1'. We can free the TBF right away, the MS
-		 * also just released its TBF on its side. */
-		LOGPTBFUL(tbf_as_ul_tbf(ctx->tbf), LOGL_DEBUG, "[UPLINK] END\n");
-		tbf_free(ctx->tbf);
-		/* Here fi, ctx and ctx->tbf are already freed! */
-		/* TS 44.060 9.3.3.3.2: There might be LLC packets waiting in
-		 * the queue but the DL TBF assignment might have been delayed
-		 * because there was no way to reach the MS (because ul_tbf was
-		 * in packet-active mode with FINISHED state). If MS is going
-		 * back to packet-idle mode then we can assign the DL TBF on PCH
-		 * now. */
-		if (!new_ul_tbf_requested && ms_need_dl_tbf(ms))
-			ms_new_dl_tbf_assigned_on_pch(ms);
-		ms_unref(ms);
-		break;
-	case TBF_EV_MAX_N3103:
-		ctx->T_release = 3169;
-		tbf_fsm_state_chg(fi, TBF_ST_RELEASING);
-		break;
-	case TBF_EV_MAX_N3105:
-		ctx->T_release = 3195;
-		tbf_fsm_state_chg(fi, TBF_ST_RELEASING);
-		break;
-	default:
-		OSMO_ASSERT(0);
-	}
-}
-
-static void st_wait_release_on_enter(struct osmo_fsm_inst *fi, uint32_t prev_state)
-{
-	struct tbf_fsm_ctx *ctx = (struct tbf_fsm_ctx *)fi->priv;
-	unsigned long val_s, val_ms, val_us;
-	OSMO_ASSERT(tbf_direction(ctx->tbf) == GPRS_RLCMAC_DL_TBF);
-
-	fi->T = 3193;
-	val_ms = osmo_tdef_get(tbf_ms(ctx->tbf)->bts->T_defs_bts, fi->T, OSMO_TDEF_MS, -1);
-	val_s = val_ms / 1000;
-	val_us = (val_ms % 1000) * 1000;
-	LOGPTBF(ctx->tbf, LOGL_DEBUG, "starting timer T%u with %lu sec. %lu microsec\n",
-		fi->T, val_s, val_us);
-	osmo_timer_schedule(&fi->timer, val_s, val_us);
-
-	mod_ass_type(ctx, GPRS_RLCMAC_FLAG_CCCH, false);
-}
-
-static void st_wait_release(struct osmo_fsm_inst *fi, uint32_t event, void *data)
-{
-	struct tbf_fsm_ctx *ctx = (struct tbf_fsm_ctx *)fi->priv;
-	switch (event) {
-	case TBF_EV_FINAL_ACK_RECVD:
-		OSMO_ASSERT(tbf_direction(ctx->tbf) == GPRS_RLCMAC_DL_TBF);
-		/* ignore, duplicate ACK, we already know about since we are in WAIT_RELEASE */
-		break;
-	case TBF_EV_MAX_N3101:
-		ctx->T_release = 3169;
-		tbf_fsm_state_chg(fi, TBF_ST_RELEASING);
-		break;
-	case TBF_EV_MAX_N3105:
-		ctx->T_release = 3195;
-		tbf_fsm_state_chg(fi, TBF_ST_RELEASING);
-		break;
-	default:
-		OSMO_ASSERT(0);
-	}
-}
-
-static void st_releasing_on_enter(struct osmo_fsm_inst *fi, uint32_t prev_state)
-{
-	struct tbf_fsm_ctx *ctx = (struct tbf_fsm_ctx *)fi->priv;
-	unsigned long val;
-
-	if (!ctx->T_release)
-		return;
-
-	/* In  general we should end up here with an assigned timer in ctx->T_release. Possible values are:
-	* T3195: Wait for reuse of TFI(s) when there is no response from the MS
-	*	 (radio failure or cell change) for this TBF/MBMS radio bearer.
-	* T3169: Wait for reuse of USF and TFI(s) after the MS uplink assignment for this TBF is invalid.
-	*/
-	val = osmo_tdef_get(tbf_ms(ctx->tbf)->bts->T_defs_bts, ctx->T_release, OSMO_TDEF_S, -1);
-	fi->T = ctx->T_release;
-	LOGPTBF(ctx->tbf, LOGL_DEBUG, "starting timer T%u with %lu sec. %u microsec\n",
-		ctx->T_release, val, 0);
-	osmo_timer_schedule(&fi->timer, val, 0);
-}
-
-static void st_releasing(struct osmo_fsm_inst *fi, uint32_t event, void *data)
-{
-	struct tbf_fsm_ctx *ctx = (struct tbf_fsm_ctx *)fi->priv;
-	switch (event) {
-	case TBF_EV_DL_ACKNACK_MISS:
-		OSMO_ASSERT(tbf_direction(ctx->tbf) == GPRS_RLCMAC_DL_TBF);
-		/* Ignore, we don't care about missed DL ACK/NACK poll timeouts
-		 * anymore, we are already releasing the TBF */
-		break;
-	default:
-		OSMO_ASSERT(0);
-	}
-}
-
-static void handle_timeout_X2002(struct osmo_fsm_inst *fi)
-{
-	struct tbf_fsm_ctx *ctx = (struct tbf_fsm_ctx *)fi->priv;
-	struct gprs_rlcmac_dl_tbf *dl_tbf = tbf_as_dl_tbf(ctx->tbf);
-
-	/* X2002 is used only for DL TBF */
-	OSMO_ASSERT(dl_tbf);
-
-	if (fi->state == TBF_ST_ASSIGN) {
-		tbf_assign_control_ts(ctx->tbf);
-
-		if (!tbf_can_upgrade_to_multislot(ctx->tbf)) {
-			/* change state to FLOW, so scheduler
-			 * will start transmission */
-			osmo_fsm_inst_dispatch(fi, TBF_EV_ASSIGN_READY_CCCH, NULL);
-			return;
-		}
-
-		/* This tbf can be upgraded to use multiple DL
-		 * timeslots and now that there is already one
-		 * slot assigned send another DL assignment via
-		 * PDCH. */
-
-		/* keep to flags */
-		ctx->state_flags &= GPRS_RLCMAC_FLAG_TO_MASK;
-
-		tbf_update(ctx->tbf);
-		dl_tbf_trigger_ass_on_pacch(dl_tbf, ctx->tbf);
-	} else
-		LOGPTBF(ctx->tbf, LOGL_NOTICE, "Continue flow after IMM.ASS confirm\n");
-}
-
-static int tbf_fsm_timer_cb(struct osmo_fsm_inst *fi)
-{
-	struct tbf_fsm_ctx *ctx = (struct tbf_fsm_ctx *)fi->priv;
-	switch (fi->T) {
-	case -2002:
-		handle_timeout_X2002(fi);
-		break;
-	case -2001:
-		LOGPTBF(ctx->tbf, LOGL_NOTICE, "releasing due to PACCH assignment timeout.\n");
-		/* fall-through */
-	case 3169:
-	case 3193:
-	case 3195:
-		tbf_free(ctx->tbf);
-		break;
-	default:
-		OSMO_ASSERT(0);
-	}
-	return 0;
-}
-
-static struct osmo_fsm_state tbf_fsm_states[] = {
-	[TBF_ST_NEW] = {
-		.in_event_mask =
-			X(TBF_EV_ASSIGN_ADD_CCCH) |
-			X(TBF_EV_ASSIGN_ADD_PACCH),
-		.out_state_mask =
-			X(TBF_ST_ASSIGN) |
-			X(TBF_ST_FLOW) |
-			X(TBF_ST_RELEASING),
-		.name = "NEW",
-		.action = st_new,
-	},
-	[TBF_ST_ASSIGN] = {
-		.in_event_mask =
-			X(TBF_EV_ASSIGN_ADD_CCCH) |
-			X(TBF_EV_ASSIGN_ADD_PACCH) |
-			X(TBF_EV_ASSIGN_ACK_PACCH) |
-			X(TBF_EV_ASSIGN_PCUIF_CNF) |
-			X(TBF_EV_ASSIGN_READY_CCCH) |
-			X(TBF_EV_MAX_N3105),
-		.out_state_mask =
-			X(TBF_ST_FLOW) |
-			X(TBF_ST_FINISHED) |
-			X(TBF_ST_RELEASING),
-		.name = "ASSIGN",
-		.action = st_assign,
-		.onenter = st_assign_on_enter,
-	},
-	[TBF_ST_FLOW] = {
-		.in_event_mask =
-			X(TBF_EV_FIRST_UL_DATA_RECVD) |
-			X(TBF_EV_CONTENTION_RESOLUTION_MS_SUCCESS) |
-			X(TBF_EV_DL_ACKNACK_MISS) |
-			X(TBF_EV_LAST_DL_DATA_SENT) |
-			X(TBF_EV_LAST_UL_DATA_RECVD) |
-			X(TBF_EV_FINAL_ACK_RECVD) |
-			X(TBF_EV_MAX_N3101) |
-			X(TBF_EV_MAX_N3105),
-		.out_state_mask =
-			X(TBF_ST_ASSIGN) |
-			X(TBF_ST_FINISHED) |
-			X(TBF_ST_WAIT_RELEASE) |
-			X(TBF_ST_RELEASING),
-		.name = "FLOW",
-		.action = st_flow,
-	},
-	[TBF_ST_FINISHED] = {
-		.in_event_mask =
-			X(TBF_EV_CONTENTION_RESOLUTION_MS_SUCCESS) |
-			X(TBF_EV_DL_ACKNACK_MISS) |
-			X(TBF_EV_FINAL_ACK_RECVD) |
-			X(TBF_EV_FINAL_UL_ACK_CONFIRMED) |
-			X(TBF_EV_MAX_N3103) |
-			X(TBF_EV_MAX_N3105),
-		.out_state_mask =
-			X(TBF_ST_WAIT_RELEASE) |
-			X(TBF_ST_RELEASING),
-		.name = "FINISHED",
-		.action = st_finished,
-	},
-	[TBF_ST_WAIT_RELEASE] = {
-		.in_event_mask =
-			X(TBF_EV_FINAL_ACK_RECVD) |
-			X(TBF_EV_MAX_N3101) |
-			X(TBF_EV_MAX_N3105),
-		.out_state_mask =
-			X(TBF_ST_RELEASING),
-		.name = "WAIT_RELEASE",
-		.action = st_wait_release,
-		.onenter = st_wait_release_on_enter,
-	},
-	[TBF_ST_RELEASING] = {
-		.in_event_mask =
-			X(TBF_EV_DL_ACKNACK_MISS),
-		.out_state_mask =
-			0,
-		.name = "RELEASING",
-		.action = st_releasing,
-		.onenter = st_releasing_on_enter,
-	},
-};
-
-struct osmo_fsm tbf_fsm = {
-	.name = "TBF",
-	.states = tbf_fsm_states,
-	.num_states = ARRAY_SIZE(tbf_fsm_states),
-	.timer_cb = tbf_fsm_timer_cb,
-	.log_subsys = DTBF,
-	.event_names = tbf_fsm_event_names,
-};
-
-static __attribute__((constructor)) void tbf_fsm_init(void)
-{
-	OSMO_ASSERT(osmo_fsm_register(&tbf_fsm) == 0);
-}
diff --git a/src/tbf_fsm.h b/src/tbf_fsm.h
index 8f4f839..feb9e04 100644
--- a/src/tbf_fsm.h
+++ b/src/tbf_fsm.h
@@ -23,36 +23,50 @@
 struct gprs_rlcmac_tbf;
 
 enum tbf_fsm_event {
-	TBF_EV_ASSIGN_ADD_CCCH, /* An assignment is sent over CCCH and confirmation from MS is pending */
+	/* For both UL/DL TBF: */
+	TBF_EV_ASSIGN_ADD_CCCH,  /* An assignment is sent over CCCH and confirmation from MS is pending */
 	TBF_EV_ASSIGN_ADD_PACCH, /* An assignment is sent over PACCH and confirmation from MS is pending */
-	TBF_EV_ASSIGN_ACK_PACCH, /*  We received a CTRL ACK confirming assignment started on PACCH */
+	TBF_EV_ASSIGN_ACK_PACCH, /* We received a CTRL ACK confirming assignment started on PACCH */
+	TBF_EV_MAX_N3105, /* MAX N3105 (max poll timeout) reached */
+
+	/* Only for DL TBF: */
 	TBF_EV_ASSIGN_READY_CCCH, /* TBF Start Time timer triggered */
-	TBF_EV_ASSIGN_PCUIF_CNF, /* Transmission of IMM.ASS for DL TBF to the MS confirmed by BTS over PCUIF */
-	TBF_EV_FIRST_UL_DATA_RECVD, /* UL TBF: Received first UL data from MS. Equals to Contention Resolution completed on the network side */
-	TBF_EV_CONTENTION_RESOLUTION_MS_SUCCESS, /* UL TBF: Contention resolution success at the mobile station side (first UL_ACK_NACK confirming TLLI is received at the MS) */
-	TBF_EV_DL_ACKNACK_MISS, /* DL TBF: We polled for DL ACK/NACK but we received none (POLL timeout) */
-	TBF_EV_LAST_DL_DATA_SENT, /* DL TBF sends RLCMAC block containing last DL avilable data buffered */
-	TBF_EV_LAST_UL_DATA_RECVD, /* UL TBF sends RLCMAC block containing last UL data (cv=0) */
+	TBF_EV_ASSIGN_PCUIF_CNF, /* Transmission of IMM.ASS for to the MS confirmed by BTS over PCUIF */
+	TBF_EV_DL_ACKNACK_MISS, /* We polled for DL ACK/NACK but we received none (POLL timeout) */
+	TBF_EV_LAST_DL_DATA_SENT, /* Network sends RLCMAC block containing last DL avilable data buffered */
 	TBF_EV_FINAL_ACK_RECVD, /* DL ACK/NACK with FINAL_ACK=1 received from MS */
-	TBF_EV_FINAL_UL_ACK_CONFIRMED, /* UL TBF: MS ACKs (CtrlAck or PktResReq) our UL ACK/NACK w/ FinalAckInd=1. data = (bool) MS requests establishment of a new UL-TBF. */
-	TBF_EV_MAX_N3101, /* MAX N3101 (max usf timeout) reached (UL TBF) */
-	TBF_EV_MAX_N3103, /* MAX N3103 (max Pkt Ctrl Ack for last UL ACK/NACK timeout) reached (UL TBF) */
-	TBF_EV_MAX_N3105, /* MAX N3105 (max poll timeout) reached (UL/DL TBF) */
+
+	/* Only for UL TBF: */
+	TBF_EV_FIRST_UL_DATA_RECVD, /* Received first UL data from MS. Equals to Contention Resolution completed on the network side */
+	TBF_EV_CONTENTION_RESOLUTION_MS_SUCCESS, /* Contention resolution success at the mobile station side (first UL_ACK_NACK confirming TLLI is received at the MS) */
+	TBF_EV_LAST_UL_DATA_RECVD, /* MS ends RLCMAC block containing last UL data (cv=0) */
+	TBF_EV_FINAL_UL_ACK_CONFIRMED, /* MS ACKs (CtrlAck or PktResReq) our UL ACK/NACK w/ FinalAckInd=1. data = (bool) MS requests establishment of a new UL-TBF. */
+	TBF_EV_MAX_N3101, /* MAX N3101 (max usf timeout) reached */
+	TBF_EV_MAX_N3103, /* MAX N3103 (max Pkt Ctrl Ack for last UL ACK/NACK timeout) reached */
 };
 
+extern const struct value_string tbf_fsm_event_names[];
+
 enum tbf_fsm_states {
 	TBF_ST_NEW = 0,	/* new created TBF */
 	TBF_ST_ASSIGN,	/* wait for downlink assignment */
 	TBF_ST_FLOW,	/* RLC/MAC flow, resource needed */
 	TBF_ST_FINISHED,	/* flow finished, wait for release */
-	TBF_ST_WAIT_RELEASE,/* wait for release or restart of DL TBF */
+	TBF_ST_WAIT_RELEASE,/* DL TBF: wait for release or restart */
 	TBF_ST_RELEASING,	/* releasing, wait to free TBI/USF */
 };
 
-struct tbf_fsm_ctx {
-	struct gprs_rlcmac_tbf* tbf; /* back pointer */
+struct tbf_dl_fsm_ctx {
+	struct gprs_rlcmac_tbf *tbf; /* back pointer */
 	uint32_t state_flags;
 	unsigned int T_release; /* Timer to be used to end release: T3169 or T3195 */
 };
 
-extern struct osmo_fsm tbf_fsm;
+struct tbf_ul_fsm_ctx {
+	struct gprs_rlcmac_tbf *tbf; /* back pointer */
+	uint32_t state_flags;
+	unsigned int T_release; /* Timer to be used to end release: T3169 or T3195 */
+};
+
+extern struct osmo_fsm tbf_dl_fsm;
+extern struct osmo_fsm tbf_ul_fsm;
diff --git a/src/tbf_ul.cpp b/src/tbf_ul.cpp
index 9bfda4f..246c0e1 100644
--- a/src/tbf_ul.cpp
+++ b/src/tbf_ul.cpp
@@ -201,10 +201,14 @@
 {
 	memset(&m_usf, USF_INVALID, sizeof(m_usf));
 
+	memset(&state_fsm, 0, sizeof(state_fsm));
+	state_fsm.tbf = (struct gprs_rlcmac_tbf *)this;
+	state_fi = osmo_fsm_inst_alloc(&tbf_ul_fsm, this, &state_fsm, LOGL_INFO, NULL);
+	OSMO_ASSERT(state_fi);
+
 	memset(&ul_ack_fsm, 0, sizeof(ul_ack_fsm));
 	ul_ack_fsm.tbf = this;
 	ul_ack_fsm.fi = osmo_fsm_inst_alloc(&tbf_ul_ack_fsm, this, &ul_ack_fsm, LOGL_INFO, NULL);
-
 }
 
 /*
diff --git a/src/tbf_ul.h b/src/tbf_ul.h
index c45db44..38784f8 100644
--- a/src/tbf_ul.h
+++ b/src/tbf_ul.h
@@ -24,6 +24,7 @@
 #ifdef __cplusplus
 extern "C" {
 #endif
+#include <tbf_fsm.h>
 #include <tbf_ul_ack_fsm.h>
 #ifdef __cplusplus
 }
@@ -103,6 +104,7 @@
 	struct rate_ctr_group *m_ul_gprs_ctrs;
 	struct rate_ctr_group *m_ul_egprs_ctrs;
 
+	struct tbf_ul_fsm_ctx state_fsm;
 	struct tbf_ul_ass_fsm_ctx ul_ack_fsm;
 
 protected:
diff --git a/src/tbf_ul_fsm.c b/src/tbf_ul_fsm.c
new file mode 100644
index 0000000..9ac7ee8
--- /dev/null
+++ b/src/tbf_ul_fsm.c
@@ -0,0 +1,375 @@
+/* tbf_ul_fsm.c
+ *
+ * Copyright (C) 2021-2022 by sysmocom - s.f.m.c. GmbH <info@sysmocom.de>
+ * Author: Pau Espin Pedrol <pespin@sysmocom.de>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ */
+
+#include <unistd.h>
+
+#include <talloc.h>
+
+#include <tbf_fsm.h>
+#include <gprs_rlcmac.h>
+#include <gprs_debug.h>
+#include <gprs_ms.h>
+#include <encoding.h>
+#include <bts.h>
+
+#include <bts_pch_timer.h>
+
+#define X(s) (1 << (s))
+
+const struct osmo_tdef_state_timeout tbf_ul_fsm_timeouts[32] = {
+	[TBF_ST_NEW] = {},
+	[TBF_ST_ASSIGN] = { },
+	[TBF_ST_FLOW] = { },
+	[TBF_ST_FINISHED] = {},
+	[TBF_ST_RELEASING] = {},
+};
+
+/* Transition to a state, using the T timer defined in tbf_fsm_timeouts.
+ * The actual timeout value is in turn obtained from conn->T_defs.
+ * Assumes local variable fi exists. */
+#define tbf_ul_fsm_state_chg(fi, NEXT_STATE) \
+	osmo_tdef_fsm_inst_state_chg(fi, NEXT_STATE, \
+				     tbf_ul_fsm_timeouts, \
+				     the_pcu->T_defs, \
+				     -1)
+
+static void mod_ass_type(struct tbf_ul_fsm_ctx *ctx, uint8_t t, bool set)
+{
+	const char *ch = "UNKNOWN";
+	bool prev_set = ctx->state_flags & (1 << t);
+
+	switch (t) {
+	case GPRS_RLCMAC_FLAG_CCCH:
+		ch = "CCCH";
+		break;
+	case GPRS_RLCMAC_FLAG_PACCH:
+		ch = "PACCH";
+		break;
+	default:
+		LOGPTBF(ctx->tbf, LOGL_ERROR,
+			"attempted to %sset unexpected ass. type %d - FIXME!\n",
+			set ? "" : "un", t);
+		return;
+	}
+
+	if (set && prev_set)
+		LOGPTBF(ctx->tbf, LOGL_ERROR,
+			"attempted to set ass. type %s which is already set.\n", ch);
+	else if (!set && !prev_set)
+		return;
+
+	LOGPTBF(ctx->tbf, LOGL_INFO, "%sset ass. type %s [prev CCCH:%u, PACCH:%u]\n",
+		set ? "" : "un", ch,
+		!!(ctx->state_flags & (1 << GPRS_RLCMAC_FLAG_CCCH)),
+		!!(ctx->state_flags & (1 << GPRS_RLCMAC_FLAG_PACCH)));
+
+	if (set) {
+		ctx->state_flags |= (1 << t);
+	} else {
+		ctx->state_flags &= GPRS_RLCMAC_FLAG_TO_MASK; /* keep to flags */
+		ctx->state_flags &= ~(1 << t);
+	}
+}
+
+
+static void st_new(struct osmo_fsm_inst *fi, uint32_t event, void *data)
+{
+	struct tbf_ul_fsm_ctx *ctx = (struct tbf_ul_fsm_ctx *)fi->priv;
+	switch (event) {
+	case TBF_EV_ASSIGN_ADD_CCCH:
+		mod_ass_type(ctx, GPRS_RLCMAC_FLAG_CCCH, true);
+		tbf_ul_fsm_state_chg(fi, TBF_ST_FLOW);
+		ul_tbf_contention_resolution_start(tbf_as_ul_tbf(ctx->tbf));
+		break;
+	case TBF_EV_ASSIGN_ADD_PACCH:
+		mod_ass_type(ctx, GPRS_RLCMAC_FLAG_PACCH, true);
+		tbf_ul_fsm_state_chg(fi, TBF_ST_ASSIGN);
+		break;
+	default:
+		OSMO_ASSERT(0);
+	}
+}
+
+static void st_assign_on_enter(struct osmo_fsm_inst *fi, uint32_t prev_state)
+{
+	struct tbf_ul_fsm_ctx *ctx = (struct tbf_ul_fsm_ctx *)fi->priv;
+	unsigned long val;
+	unsigned int sec, micro;
+
+	/* If assignment for this TBF is happening on PACCH, that means the
+	 * actual Assignment procedure (tx/rx) is happening on another TBF (eg
+	 * Ul TBF vs DL TBF). Hence we add a security timer here to free it in
+	 * case the other TBF doesn't succeed in informing (assigning) the MS
+	 * about this TBF, or simply because the scheduler takes too long to
+	 * schedule it. This timer can probably be dropped once we make the
+	 * other TBF always signal us assignment failure (we already get
+	 * assignment success through TBF_EV_ASSIGN_ACK_PACCH) */
+	if (ctx->state_flags & (1 << GPRS_RLCMAC_FLAG_PACCH)) {
+		fi->T = -2001;
+		val = osmo_tdef_get(the_pcu->T_defs, fi->T, OSMO_TDEF_MS, -1);
+		sec = val / 1000;
+		micro = (val % 1000) * 1000;
+		LOGPTBF(ctx->tbf, LOGL_DEBUG,
+			"Starting timer X2001 [assignment (PACCH)] with %u sec. %u microsec\n",
+			sec, micro);
+		osmo_timer_schedule(&fi->timer, sec, micro);
+	}
+}
+
+static void st_assign(struct osmo_fsm_inst *fi, uint32_t event, void *data)
+{
+	struct tbf_ul_fsm_ctx *ctx = (struct tbf_ul_fsm_ctx *)fi->priv;
+
+	switch (event) {
+	case TBF_EV_ASSIGN_ADD_CCCH:
+		mod_ass_type(ctx, GPRS_RLCMAC_FLAG_CCCH, true);
+		break;
+	case TBF_EV_ASSIGN_ADD_PACCH:
+		mod_ass_type(ctx, GPRS_RLCMAC_FLAG_PACCH, true);
+		break;
+	case TBF_EV_ASSIGN_ACK_PACCH:
+		tbf_assign_control_ts(ctx->tbf);
+		if (ctx->state_flags & (1 << GPRS_RLCMAC_FLAG_CCCH)) {
+			/* We now know that the PACCH really existed */
+			LOGPTBF(ctx->tbf, LOGL_INFO,
+				"The TBF has been confirmed on the PACCH, "
+				"changed type from CCCH to PACCH\n");
+			mod_ass_type(ctx, GPRS_RLCMAC_FLAG_CCCH, false);
+			mod_ass_type(ctx, GPRS_RLCMAC_FLAG_PACCH, true);
+		}
+		tbf_ul_fsm_state_chg(fi, TBF_ST_FLOW);
+		break;
+	case TBF_EV_MAX_N3105:
+		/* We are going to release, so abort any Pkt Ul Ass pending to be scheduled: */
+		osmo_fsm_inst_dispatch(tbf_ul_ass_fi(ctx->tbf), TBF_UL_ASS_EV_ABORT, NULL);
+		ctx->T_release = 3195;
+		tbf_ul_fsm_state_chg(fi, TBF_ST_RELEASING);
+		break;
+	default:
+		OSMO_ASSERT(0);
+	}
+}
+
+static void st_flow(struct osmo_fsm_inst *fi, uint32_t event, void *data)
+{
+	struct tbf_ul_fsm_ctx *ctx = (struct tbf_ul_fsm_ctx *)fi->priv;
+	struct GprsMs *ms = tbf_ms(ctx->tbf);
+	struct gprs_rlcmac_dl_tbf *dl_tbf = NULL;
+
+	switch (event) {
+	case TBF_EV_FIRST_UL_DATA_RECVD:
+		OSMO_ASSERT(tbf_direction(ctx->tbf) == GPRS_RLCMAC_UL_TBF);
+		/* TS 44.060 7a.2.1.1: "The contention resolution is completed on
+		 * the network side when the network receives an RLC data block that
+		 * comprises the TLLI value that identifies the mobile station and the
+		 * TFI value associated with the TBF." */
+		bts_pch_timer_stop(ms->bts, ms);
+		/* We may still have some DL-TBF waiting for assignment in PCH,
+		 * which clearly won't happen since the MS is on PDCH now. Get rid
+		 * of it, it will be re-assigned on PACCH when contention
+		 * resolution at the MS side is done (1st UL ACK/NACK sent) */
+		if ((dl_tbf = ms_dl_tbf(ms))) {
+			/* Get rid of previous finished UL TBF before providing a new one */
+			LOGPTBFDL(dl_tbf, LOGL_NOTICE,
+					"Got first UL data while DL-TBF pending, killing it\n");
+			tbf_free(dl_tbf_as_tbf(dl_tbf));
+			dl_tbf = NULL;
+		}
+		break;
+	case TBF_EV_CONTENTION_RESOLUTION_MS_SUCCESS:
+		ul_tbf_contention_resolution_success(tbf_as_ul_tbf(ctx->tbf));
+		break;
+	case TBF_EV_LAST_UL_DATA_RECVD:
+		/* All data has been sent or received, change state to FINISHED */
+		tbf_ul_fsm_state_chg(fi, TBF_ST_FINISHED);
+		break;
+	case TBF_EV_MAX_N3101:
+		ctx->T_release = 3169;
+		tbf_ul_fsm_state_chg(fi, TBF_ST_RELEASING);
+		break;
+	case TBF_EV_MAX_N3105:
+		ctx->T_release = 3195;
+		tbf_ul_fsm_state_chg(fi, TBF_ST_RELEASING);
+		break;
+	default:
+		OSMO_ASSERT(0);
+	}
+}
+
+static void st_finished(struct osmo_fsm_inst *fi, uint32_t event, void *data)
+{
+	struct tbf_ul_fsm_ctx *ctx = (struct tbf_ul_fsm_ctx *)fi->priv;
+	struct GprsMs *ms;
+	bool new_ul_tbf_requested;
+
+	switch (event) {
+	case TBF_EV_CONTENTION_RESOLUTION_MS_SUCCESS:
+		/* UL TBF: If MS only sends 1 RLCMAC UL block, it can be that we
+		 * end up in FINISHED state before sending the first UL ACK/NACK */
+		ul_tbf_contention_resolution_success(tbf_as_ul_tbf(ctx->tbf));
+		break;
+	case TBF_EV_FINAL_UL_ACK_CONFIRMED:
+		OSMO_ASSERT(tbf_direction(ctx->tbf) == GPRS_RLCMAC_UL_TBF);
+		new_ul_tbf_requested = (bool)data;
+		/* Ref the MS, otherwise it may be freed after ul_tbf is
+		 * detached when sending event below. */
+		ms = tbf_ms(ctx->tbf);
+		ms_ref(ms);
+		/* UL TBF ACKed our transmitted UL ACK/NACK with final Ack
+		 * Indicator set to '1'. We can free the TBF right away, the MS
+		 * also just released its TBF on its side. */
+		LOGPTBFUL(tbf_as_ul_tbf(ctx->tbf), LOGL_DEBUG, "[UPLINK] END\n");
+		tbf_free(ctx->tbf);
+		/* Here fi, ctx and ctx->tbf are already freed! */
+		/* TS 44.060 9.3.3.3.2: There might be LLC packets waiting in
+		 * the queue but the DL TBF assignment might have been delayed
+		 * because there was no way to reach the MS (because ul_tbf was
+		 * in packet-active mode with FINISHED state). If MS is going
+		 * back to packet-idle mode then we can assign the DL TBF on PCH
+		 * now. */
+		if (!new_ul_tbf_requested && ms_need_dl_tbf(ms))
+			ms_new_dl_tbf_assigned_on_pch(ms);
+		ms_unref(ms);
+		break;
+	case TBF_EV_MAX_N3103:
+		ctx->T_release = 3169;
+		tbf_ul_fsm_state_chg(fi, TBF_ST_RELEASING);
+		break;
+	case TBF_EV_MAX_N3105:
+		ctx->T_release = 3195;
+		tbf_ul_fsm_state_chg(fi, TBF_ST_RELEASING);
+		break;
+	default:
+		OSMO_ASSERT(0);
+	}
+}
+
+static void st_releasing_on_enter(struct osmo_fsm_inst *fi, uint32_t prev_state)
+{
+	struct tbf_ul_fsm_ctx *ctx = (struct tbf_ul_fsm_ctx *)fi->priv;
+	unsigned long val;
+
+	if (!ctx->T_release)
+		return;
+
+	/* In  general we should end up here with an assigned timer in ctx->T_release. Possible values are:
+	* T3195: Wait for reuse of TFI(s) when there is no response from the MS
+	*	 (radio failure or cell change) for this TBF/MBMS radio bearer.
+	* T3169: Wait for reuse of USF and TFI(s) after the MS uplink assignment for this TBF is invalid.
+	*/
+	val = osmo_tdef_get(tbf_ms(ctx->tbf)->bts->T_defs_bts, ctx->T_release, OSMO_TDEF_S, -1);
+	fi->T = ctx->T_release;
+	LOGPTBF(ctx->tbf, LOGL_DEBUG, "starting timer T%u with %lu sec. %u microsec\n",
+		ctx->T_release, val, 0);
+	osmo_timer_schedule(&fi->timer, val, 0);
+}
+
+static void st_releasing(struct osmo_fsm_inst *fi, uint32_t event, void *data)
+{
+	OSMO_ASSERT(0);
+}
+
+static int tbf_ul_fsm_timer_cb(struct osmo_fsm_inst *fi)
+{
+	struct tbf_ul_fsm_ctx *ctx = (struct tbf_ul_fsm_ctx *)fi->priv;
+	switch (fi->T) {
+	case -2001:
+		LOGPTBF(ctx->tbf, LOGL_NOTICE, "releasing due to PACCH assignment timeout.\n");
+		/* fall-through */
+	case 3169:
+	case 3195:
+		tbf_free(ctx->tbf);
+		break;
+	default:
+		OSMO_ASSERT(0);
+	}
+	return 0;
+}
+
+static struct osmo_fsm_state tbf_ul_fsm_states[] = {
+	[TBF_ST_NEW] = {
+		.in_event_mask =
+			X(TBF_EV_ASSIGN_ADD_CCCH) |
+			X(TBF_EV_ASSIGN_ADD_PACCH),
+		.out_state_mask =
+			X(TBF_ST_ASSIGN) |
+			X(TBF_ST_FLOW) |
+			X(TBF_ST_RELEASING),
+		.name = "NEW",
+		.action = st_new,
+	},
+	[TBF_ST_ASSIGN] = {
+		.in_event_mask =
+			X(TBF_EV_ASSIGN_ADD_CCCH) |
+			X(TBF_EV_ASSIGN_ADD_PACCH) |
+			X(TBF_EV_ASSIGN_ACK_PACCH) |
+			X(TBF_EV_MAX_N3105),
+		.out_state_mask =
+			X(TBF_ST_FLOW) |
+			X(TBF_ST_FINISHED) |
+			X(TBF_ST_RELEASING),
+		.name = "ASSIGN",
+		.action = st_assign,
+		.onenter = st_assign_on_enter,
+	},
+	[TBF_ST_FLOW] = {
+		.in_event_mask =
+			X(TBF_EV_FIRST_UL_DATA_RECVD) |
+			X(TBF_EV_CONTENTION_RESOLUTION_MS_SUCCESS) |
+			X(TBF_EV_LAST_UL_DATA_RECVD) |
+			X(TBF_EV_MAX_N3101) |
+			X(TBF_EV_MAX_N3105),
+		.out_state_mask =
+			X(TBF_ST_ASSIGN) |
+			X(TBF_ST_FINISHED) |
+			X(TBF_ST_RELEASING),
+		.name = "FLOW",
+		.action = st_flow,
+	},
+	[TBF_ST_FINISHED] = {
+		.in_event_mask =
+			X(TBF_EV_CONTENTION_RESOLUTION_MS_SUCCESS) |
+			X(TBF_EV_FINAL_UL_ACK_CONFIRMED) |
+			X(TBF_EV_MAX_N3103) |
+			X(TBF_EV_MAX_N3105),
+		.out_state_mask =
+			X(TBF_ST_RELEASING),
+		.name = "FINISHED",
+		.action = st_finished,
+	},
+	[TBF_ST_RELEASING] = {
+		.in_event_mask = 0,
+		.out_state_mask =
+			0,
+		.name = "RELEASING",
+		.action = st_releasing,
+		.onenter = st_releasing_on_enter,
+	},
+};
+
+struct osmo_fsm tbf_ul_fsm = {
+	.name = "UL_TBF",
+	.states = tbf_ul_fsm_states,
+	.num_states = ARRAY_SIZE(tbf_ul_fsm_states),
+	.timer_cb = tbf_ul_fsm_timer_cb,
+	.log_subsys = DTBFUL,
+	.event_names = tbf_fsm_event_names,
+};
+
+static __attribute__((constructor)) void tbf_ul_fsm_init(void)
+{
+	OSMO_ASSERT(osmo_fsm_register(&tbf_ul_fsm) == 0);
+}