Hello, If for some reason there is not enough data provided to the function bluetooth_a2dp_write() and there are left overs to handle, the ALSA module will segfault. The test at the line 1053 of audio/pcm_bluetooth.c is wrong because it compares unsigned integers and will lead to an unsigned integer overflow if bytes_left is inferior to a2dp->codesize - data->count. Here is a patch to fix this issue. Cheers, Colin DIDIER
--- a/audio/pcm_bluetooth.c 2010-08-25 09:35:28.000000000 +0200
+++ b/audio/pcm_bluetooth.c 2010-08-25 09:37:47.000000000 +0200
@@ -1050,8 +1050,10 @@
 }
 /* Check if we have any left over data from the last write */
- if (data->count > 0 && (bytes_left - data->count) >= a2dp->codesize) {
- int additional_bytes_needed = a2dp->codesize - data->count;
+ if (data->count > 0) {
+ int additional_bytes_needed = a2dp->codesize - data->count;
+ if (additional_bytes_needed > bytes_left)
+ goto out;
 memcpy(data->buffer + data->count, buff, additional_bytes_needed);
@@ -1122,6 +1124,7 @@
 }
 }
+out:
 /* Copy the extra to our temp buffer for the next write */
 if (bytes_left > 0) {
 memcpy(data->buffer + data->count, buff, bytes_left);
-- To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
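Review bot: In the `@@ -1050,8 +1050,10 @@` hunk, `additional_bytes_needed` stays an `int` while the new guard compares it with `bytes_left`, which the description says is unsigned, so the check relies on an implicit signed-to-unsigned conversion and the same value is then used as the `memcpy` length. If `data->count` ever reached or exceeded `a2dp->codesize`, the subtraction would be zero or negative and nothing here states that it cannot. I would add an explicit `if (data->count >= a2dp->codesize)` test that takes the function's error exit before the subtraction, and hold the length in the same unsigned type as `bytes_left`. The declarations and the error path are outside the hunk, so the types are inferred from the description rather than seen.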
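Review bot: In the `@@ -1122,6 +1124,7 @@` hunk, the new `out:` label is reached with `data->count` still non-zero, so `memcpy(data->buffer + data->count, buff, bytes_left)` now also runs against a partly filled buffer. On that path `data->count + bytes_left` is below `a2dp->codesize`, which is in bounds only if `data->buffer` holds at least `a2dp->codesize` bytes; the buffer's size is not visible here, so a comment such as `/* also reached via goto with data->count > 0: count + bytes_left < codesize, which must not exceed the size of data->buffer */` would record the assumption. The `goto` also skips everything between the two hunks, so any variable assigned there and read after `out:` (the return value, for instance) should be checked for a stale or unset value; that code is outside the hunk.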