Crash on module unload
proski at gnu.org
Wed Aug 6 00:08:31 BST 2003
I reported this problem in the past, but now I have enough information for
somebody with understanding of the code to fix it.
Linux 2.6.0-test2-bk5 (and older versions) would "oops" if I do following:
It's not essential in which order the modules are loaded, but it's
essential that yenta_socket is removed before ds. If ds is removed first,
everything is fine and yenta_socket can be removed.
There is one TI bridge with one socket supported by yenta_socket. There
is no card in it. It is possible to substitute yenta_socket with plx9052
- the symptoms don't change.
The oops is caused by access to freed memory. Namely,
pcmcia_remove_socket() calls "kfree(client)" and then
pcmcia_bus_remove_socket() calls pcmcia_deregister_client() with the
argument equal to "client".
In other words, the problem is with calling pcmcia_bus_remove_socket()
If ds is unloaded first, pcmcia_bus_remove_socket() is called during
module unload. The client handle is valid at this point. When
yenta_socket is unloaded, it calls class_device_unregister(), which calls
pcmcia_remove_socket(). The later frees the handle.
If yenta_socket is unloaded first, class_device_unregister() calls two
remove methods. First it calls pcmcia_remove_socket(), which is the
remove method for the "pcmcia_socket" class interface. The it calls
pcmcia_bus_remove_socket(), which is the remove method for the
"pcmcia_bus_interface" class interface.
Unfortunately, I don't understand the code enough to suggest a fix.
Possible solution would be to force calling pcmcia_bus_remove_socket()
before pcmcia_remove_socket(). I guess it's the right thing to do (first
unregister the socket with ds, then with pcmcia_core), but I don't know if
it's possible to do it by the means of sysfs or we should use more brutal
More information about the linux-pcmcia