On Fri, Sep 28, 2012 at 10:47:25AM -0500, Andrew Eikum wrote: > On Fri, Sep 28, 2012 at 05:27:03PM +0200, Christophe Fergeau wrote: > > On Thu, Sep 13, 2012 at 01:21:07PM -0500, Andrew Eikum wrote: > > > > > > When we release the SndChannel reference during > > > snd_disconnect_channel(), we need to set the pointer to NULL so it > > > doesn't get released again on client reconnect during > > > snd_set_playback_peer(). This can happen when a reference is held from > > > _playback_get_buffer(). > > > > Isn't it addressed in a different way by > > http://cgit.freedesktop.org/spice/spice/commit/?id=8874f3b259034dd3 ? > > > > Not quite. What happens is the channel object reference count doesn't > reach zero during snd_disconnect_channel() because someone is holding > the reference from _playback_get_buffer(). Since the channel object > doesn't get destroyed in snd_channel_put(), the > channel->worker->connection pointer never gets cleared. Then later, > when a client reconnects, worker->connection is still non-NULL in > snd_disconnect_channel_client() so we call snd_disconnect_channel() > again and Bad Things happen. Ah right, the bad thing being an extra _put, thanks for the additional explanation, ACK. Christophe
Attachment:
pgptcSE4FCNIS.pgp
Description: PGP signature
_______________________________________________ Spice-devel mailing list Spice-devel@xxxxxxxxxxxxxxxxxxxxx http://lists.freedesktop.org/mailman/listinfo/spice-devel