On Fri, Sep 28, 2012 at 05:27:03PM +0200, Christophe Fergeau wrote: > On Thu, Sep 13, 2012 at 01:21:07PM -0500, Andrew Eikum wrote: > > > > When we release the SndChannel reference during > > snd_disconnect_channel(), we need to set the pointer to NULL so it > > doesn't get released again on client reconnect during > > snd_set_playback_peer(). This can happen when a reference is held from > > _playback_get_buffer(). > > Isn't it addressed in a different way by > http://cgit.freedesktop.org/spice/spice/commit/?id=8874f3b259034dd3 ? > Not quite. What happens is the channel object reference count doesn't reach zero during snd_disconnect_channel() because someone is holding the reference from _playback_get_buffer(). Since the channel object doesn't get destroyed in snd_channel_put(), the channel->worker->connection pointer never gets cleared. Then later, when a client reconnects, worker->connection is still non-NULL in snd_disconnect_channel_client() so we call snd_disconnect_channel() again and Bad Things happen. This patch changes that so the pointer is cleared when it's released, even if the channel object itself isn't yet destroyed. I think that's closer to how reference counting is supposed to work: "put" the object back and forget about it. Thanks, Andrew _______________________________________________ Spice-devel mailing list Spice-devel@xxxxxxxxxxxxxxxxxxxxx http://lists.freedesktop.org/mailman/listinfo/spice-devel