From dcc2c1c69442553f098c0bd4490b05a83671421a Mon Sep 17 00:00:00 2001
From: Carlo Galiotto
Date: Mon, 25 Oct 2021 15:22:06 +0200
Subject: [PATCH] rrc,nr: defer rem_user after msg3 timer expires

This commits is to fix the issue of user removal from rrc_nr after msg3 timer expires. The issue was caused because the rrc_nr is accessing the ue object after it gets removed from the users list in rrc_nr. This commits defers the removal of the users, so there won't be any access to invalid memory locations.
Fixes #3545
Signed-off-by: Carlo Galiotto
---
 srsenb/src/stack/rrc/rrc_nr.cc | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/srsenb/src/stack/rrc/rrc_nr.cc b/srsenb/src/stack/rrc/rrc_nr.cc
index b133ba333..3009508a9 100644
--- a/srsenb/src/stack/rrc/rrc_nr.cc
+++ b/srsenb/src/stack/rrc/rrc_nr.cc
@@ -619,10 +619,12 @@ void rrc_nr::ue::activity_timer_expired(const activity_timeout_type_t type)
 case UE_INACTIVITY_TIMEOUT:
 // TODO: Add action to be executed
 break;
- case MSG3_RX_TIMEOUT:
+ case MSG3_RX_TIMEOUT: {
 // MSG3 timeout, no need to notify NGAP or LTE stack. Just remove UE
- parent->rem_user(rnti);
+ uint32_t rnti_to_rem = rnti;
+ parent->task_sched.defer_task([this, rnti_to_rem]() { parent->rem_user(rnti_to_rem); });
 break;
+ }
 default:
 // Unhandled activity timeout, just remove UE and log an error
 parent->rem_user(rnti);
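Review bot: The deferred lambda in the `MSG3_RX_TIMEOUT` case captures `this`, so when the task eventually runs it reads `parent` through the ue object. If that ue has been removed by any other path before the task executes, this is the same access to freed memory the commit sets out to fix. Copying the parent pointer into the closure avoids touching the ue at all: `auto* rrc = parent;` followed by `parent->task_sched.defer_task([rrc, rnti_to_rem]() { rrc->rem_user(rnti_to_rem); });`. The `default:` branch still calls `parent->rem_user(rnti);` synchronously, so if the caller touches the ue after this function returns (as the description implies for the MSG3 path), that branch would need the same deferral. The body of `activity_timer_expired` starts and ends outside the hunk, so whether the caller does so is not visible here.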