With breakpoints I captured that during the same call chain to process the received LAPD message, we first free the SAP instance and a bit later we try to send a RNR over it.
lapd_core.c:1604 - This will trigger the SAP release
lapd_core.c:1683 - This tries to send a RNR
Breakpoint 1, lapd_sap_free (sap=0x822f1b8) at input/lapd.c:271
warning: Source file is more recent than executable.
271 {
(gdb) bt
#0 lapd_sap_free (sap=0x822f1b8) at input/lapd.c:271
#1 0xb7f09200 in send_dlsap (dp=0xbfffe640, lctx=0x822f1ec) at input/lapd.c:659
#2 0xb7f69448 in send_dl_l3 (msg=0x0, op=3 '\003', prim=3 '\003', lctx=0x822f1ec) at lapd_core.c:375
#3 send_dl_simple (lctx=0x822f1ec, op=3 '\003', prim=3 '\003') at lapd_core.c:382
#4 lapd_rel_req (dp=0xbfffe72c, lctx=0x822f1ec) at lapd_core.c:2095
#5 0xb7f6e51a in lapd_recv_dlsap (dp=dp@entry=0xbfffe72c, lctx=lctx@entry=0x822f1ec) at lapd_core.c:2247
#6 0xb7f0a6e9 in lapd_sap_stop (li=0x822f098, tei=1 '\001', sapi=62 '>') at input/lapd.c:551
#7 0x08084eb3 in start_sabm_in_line (line=0x822f688, start=start@entry=0, sapi=sapi@entry=-1) at bts_nokia_site.c:119
#8 0x08086035 in abis_nm_rcvmsg_fom (mb=mb@entry=0x825ff38) at bts_nokia_site.c:1595
#9 0x0808672f in abis_nokia_rcvmsg (msg=0x825ff38) at bts_nokia_site.c:1694
#10 0xb7efeca4 in e1inp_rx_ts (ts=ts@entry=0x8230758, msg=msg@entry=0x825ff38, tei=tei@entry=1 '\001', sapi=sapi@entry=62 '>')
at e1_input.c:598
#11 0xb7eff28a in e1inp_dlsap_up (dp=0xbffff290, tei=1 '\001', sapi=62 '>', rx_cbdata=0x8230758) at e1_input.c:681
#12 0xb7f0913e in send_dlsap (dp=0xbffff290, lctx=0xbffff324) at input/lapd.c:666
#13 0xb7f6df86 in send_dl_l3 (msg=0x825ff38, lctx=0xbffff324, op=2 '\002', prim=1 '\001') at lapd_core.c:375
#14 lapd_rx_i (lctx=0xbffff324, msg=0x825ff38) at lapd_core.c:1604
#15 lapd_ph_data_ind (msg=msg@entry=0x825ff38, lctx=lctx@entry=0xbffff324) at lapd_core.c:1708
#16 0xb7f09b65 in lapd_receive (li=0x822f098, msg=msg@entry=0x825ff38, error=error@entry=0xbffff3ac) at input/lapd.c:491
#17 0xb7eff39b in e1inp_rx_ts_lapd (e1i_ts=e1i_ts@entry=0x8230758, msg=msg@entry=0x825ff38) at e1_input.c:642
#18 0xb7f038c7 in handle_ts1_read (bfd=0x8230cc4) at input/dahdi.c:193
#19 dahdi_fd_cb (bfd=0x8230cc4, what=1) at input/dahdi.c:496
#20 0xb7f21baf in osmo_fd_disp_fds (_eset=0xbffff570, _wset=0xbffff4f0, _rset=0xbffff470) at select.c:223
#21 osmo_select_main (polling=polling@entry=0) at select.c:263
#22 0x0804f72c in main (argc=4, argv=0xbffff704) at osmo_bsc_main.c:952
(gdb) b lapd_send_rnr
Breakpoint 2 at 0xb7f6a690: file lapd_core.c, line 468.
(gdb) c
Continuing.
<0014> input/lapd.c:274 LAPD Freeing SAP for SAPI=62 / TEI=1 (dl=0x822f1c8, sap=0x822f1b8)
<0014> lapd_core.c:310 Resetting LAPDm instance
<0014> lapd_core.c:237 new state LAPD_STATE_IDLE -> LAPD_STATE_IDLE (dl=0x822f1c8)
<0014> lapd_core.c:237 new state LAPD_STATE_IDLE -> LAPD_STATE_NULL (dl=0x822f1c8)
<0014> lapd_core.c:1681 we are busy, send RNR2 (dl=0x822f1c8)
Breakpoint 2, lapd_send_rnr (lctx=lctx@entry=0xbffff324, f_bit=f_bit@entry=0 '\000', cmd=cmd@entry=0 '\000') at lapd_core.c:468
468 {
(gdb) bt
#0 lapd_send_rnr (lctx=lctx@entry=0xbffff324, f_bit=f_bit@entry=0 '\000', cmd=cmd@entry=0 '\000') at lapd_core.c:468
#1 0xb7f6d3bf in lapd_rx_i (lctx=0xbffff324, msg=0x825ff38) at lapd_core.c:1683
#2 lapd_ph_data_ind (msg=msg@entry=0x825ff38, lctx=lctx@entry=0xbffff324) at lapd_core.c:1708
#3 0xb7f09b65 in lapd_receive (li=0x822f098, msg=msg@entry=0x825ff38, error=error@entry=0xbffff3ac) at input/lapd.c:491
#4 0xb7eff39b in e1inp_rx_ts_lapd (e1i_ts=e1i_ts@entry=0x8230758, msg=msg@entry=0x825ff38) at e1_input.c:642
#5 0xb7f038c7 in handle_ts1_read (bfd=0x8230cc4) at input/dahdi.c:193
#6 dahdi_fd_cb (bfd=0x8230cc4, what=1) at input/dahdi.c:496
#7 0xb7f21baf in osmo_fd_disp_fds (_eset=0xbffff570, _wset=0xbffff4f0, _rset=0xbffff470) at select.c:223
#8 osmo_select_main (polling=polling@entry=0) at select.c:263
#9 0x0804f72c in main (argc=4, argv=0xbffff704) at osmo_bsc_main.c:952