[Spice-devel] [PATCH 1/2] server: Don't release SndChannel twice from worker reference
Andrew Eikum
aeikum at codeweavers.com
Fri Sep 28 08:47:25 PDT 2012
On Fri, Sep 28, 2012 at 05:27:03PM +0200, Christophe Fergeau wrote:
> On Thu, Sep 13, 2012 at 01:21:07PM -0500, Andrew Eikum wrote:
> >
> > When we release the SndChannel reference during
> > snd_disconnect_channel(), we need to set the pointer to NULL so it
> > doesn't get released again on client reconnect during
> > snd_set_playback_peer(). This can happen when a reference is held from
> > _playback_get_buffer().
>
> Isn't it addressed in a different way by
> http://cgit.freedesktop.org/spice/spice/commit/?id=8874f3b259034dd3 ?
>
Not quite. What happens is the channel object reference count doesn't
reach zero during snd_disconnect_channel() because someone is holding
the reference from _playback_get_buffer(). Since the channel object
doesn't get destroyed in snd_channel_put(), the
channel->worker->connection pointer never gets cleared. Then later,
when a client reconnects, worker->connection is still non-NULL in
snd_disconnect_channel_client() so we call snd_disconnect_channel()
again and Bad Things happen.

This patch changes that so the pointer is cleared when it's released,
even if the channel object itself isn't yet destroyed. I think that's
closer to how reference counting is supposed to work: "put" the object
back and forget about it.

Thanks,
Andrew
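
The sequence described in this message, as an added toy model in C. It is not Spice code and not part of the original message; the struct layout and all function names are hypothetical, and a `destroyed` flag stands in for freeing the object so the over-release can be observed safely.

```c
#include <stdio.h>

/* Toy model, constructed for illustration; not Spice's data structures. */
struct worker;
struct channel { int refs; int destroyed; struct worker *worker; };
struct worker  { struct channel *connection; };

/* Drop one reference; on the last one, destroy and clear the back-pointer. */
static void channel_put(struct channel *c)
{
    if (--c->refs == 0) {
        c->destroyed = 1;              /* stands in for free() */
        c->worker->connection = NULL;  /* only cleared on destruction */
    }
}

/* Before the fix: release the worker's reference but keep the pointer. */
static void disconnect_buggy(struct worker *w)
{
    if (w->connection)
        channel_put(w->connection);
}

/* After the fix: forget the pointer as soon as the reference is released. */
static void disconnect_fixed(struct worker *w)
{
    struct channel *c = w->connection;
    w->connection = NULL;
    if (c)
        channel_put(c);
}

/* Disconnect, then a reconnect path that disconnects again, while a buffer
 * holder still owns one reference. Returns 1 if the channel was destroyed
 * under that holder (the worker's reference was released twice), else 0. */
static int scenario(void (*disconnect)(struct worker *))
{
    struct worker w;
    struct channel c = { 2, 0, &w };   /* refs: worker + buffer holder */
    w.connection = &c;
    disconnect(&w);                    /* client disconnects */
    disconnect(&w);                    /* reconnect disconnects again */
    return c.destroyed;
}

int main(void)
{
    printf("buggy=%d fixed=%d\n", scenario(disconnect_buggy), scenario(disconnect_fixed));
    return 0;
}
```

In the buggy variant the second disconnect drops the buffer holder's reference, so the holder is left with a pointer to a destroyed object; in real code that is a use-after-free.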