Hi Anderson,

On Tue, Dec 3, 2013 at 1:24 PM, Anderson Lizardo <anderson.lizardo@xxxxxxxxxxxxx> wrote:
> Hi Luiz,
>
> On Tue, Dec 3, 2013 at 5:36 AM, Luiz Augusto von Dentz
> <luiz.dentz@xxxxxxxxx> wrote:
>> --- a/profiles/audio/avctp.c
>> +++ b/profiles/audio/avctp.c
>> @@ -1488,7 +1488,7 @@ static struct avctp_pending_req *pending_create(struct avctp_channel *chan,
>> tmp = g_slist_copy(chan->processed);
>>
>> /* Find first unused transaction id */
>> - for (l = tmp; l; l = l->next) {
>> + for (l = tmp; l; l = g_slist_next(l)) {
>
> Are you sure this fixes the problem? AFAIK g_list_next() will still
> access invalid memory unless the "next" pointer is saved *before* the
> current entry is freed. See e.g. remove_temp_devices() in
> src/adapter.c.

Yep, I tested and it fixes the problem. The problem is not actually removing the item, but reassigning tmp to the head of the list which can be NULL so doing l = l->next before deleting the node doesn't help in this case.

Anyway this is now applied but we will be changing the logic how to check the available transaction to use bitmask operations so we find the next transaction without looping in a list.
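
Review bot: the changed `for` line in pending_create() now relies on g_slist_next() accepting a NULL argument, and nothing in the hunk records that. GLib defines g_slist_next() as a macro that yields NULL when its argument is NULL, so the only difference from `l = l->next` is the behaviour when `l` has become NULL by the time the increment runs; the loop body that would cause this is not visible in the hunk. Please add a comment above the loop stating that `l` can be NULL at the increment step and why, or restructure so the cursor is never advanced from NULL, otherwise a later cleanup can revert this to `l->next` and reintroduce the NULL dereference.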
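
The bitmask approach mentioned at the end of the reply, sketched as an added example (not BlueZ code and not part of the original thread). The names `txn_map`, `txn_alloc` and `txn_release` are hypothetical, and the 16-slot size assumes a 4-bit AVCTP transaction label. With no list cursor to advance, there is no pointer that can go NULL or stale during the search.

```c
#include <stdint.h>
#include <stdio.h>

#define TXN_SLOTS 16   /* assumption: 4-bit transaction label, ids 0..15 */
#define TXN_NONE  (-1)

/* Hypothetical tracker: bit n set means transaction id n is in flight. */
struct txn_map {
	uint16_t in_use;
};

/* Claim the lowest free id, or return TXN_NONE when every id is busy. */
static int txn_alloc(struct txn_map *m)
{
	int id;

	for (id = 0; id < TXN_SLOTS; id++) {
		uint16_t bit = (uint16_t)(1u << id);

		if (!(m->in_use & bit)) {
			m->in_use |= bit;
			return id;
		}
	}
	return TXN_NONE;
}

/* Release an id. Rejects out-of-range ids and double releases (-1). */
static int txn_release(struct txn_map *m, int id)
{
	uint16_t bit;

	if (id < 0 || id >= TXN_SLOTS)
		return -1;
	bit = (uint16_t)(1u << id);
	if (!(m->in_use & bit))
		return -1;
	m->in_use &= (uint16_t)~bit;
	return 0;
}

int main(void)
{
	struct txn_map m = { 0 };
	int i;

	for (i = 0; i < TXN_SLOTS; i++)
		txn_alloc(&m);                      /* fill every slot */
	printf("when full: %d\n", txn_alloc(&m));
	txn_release(&m, 5);
	printf("after releasing 5: %d\n", txn_alloc(&m));
	return 0;
}
```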