Crash on module unload

Pavel Roskin proski at
Wed Aug 6 00:08:31 BST 2003


I reported this problem in the past, but now I have enough information for
somebody with understanding of the code to fix it.

Linux 2.6.0-test2-bk5 (and older versions) would "oops" if I do the following:

modprobe ds
modprobe yenta_socket
rmmod yenta_socket

It's not essential in which order the modules are loaded, but it's
essential that yenta_socket is removed before ds.  If ds is removed first,
everything is fine and yenta_socket can be removed.

There is one TI bridge with one socket supported by yenta_socket.  There
is no card in it.  It is possible to substitute yenta_socket with plx9052
- the symptoms don't change.

The oops is caused by access to freed memory.  Namely,
pcmcia_remove_socket() calls "kfree(client)" and then
pcmcia_bus_remove_socket() calls pcmcia_deregister_client() with the
argument equal to "client".

In other words, the problem is with calling pcmcia_bus_remove_socket()
after pcmcia_remove_socket().

If ds is unloaded first, pcmcia_bus_remove_socket() is called during
module unload.  The client handle is valid at this point.  When
yenta_socket is unloaded, it calls class_device_unregister(), which calls
pcmcia_remove_socket().  The latter frees the handle.

If yenta_socket is unloaded first, class_device_unregister() calls two
remove methods.  First it calls pcmcia_remove_socket(), which is the
remove method for the "pcmcia_socket" class interface.  Then it calls
pcmcia_bus_remove_socket(), which is the remove method for the
"pcmcia_bus_interface" class interface.

Unfortunately, I don't understand the code enough to suggest a fix.
A possible solution would be to force calling pcmcia_bus_remove_socket()
before pcmcia_remove_socket().  I guess it's the right thing to do (first
unregister the socket with ds, then with pcmcia_core), but I don't know if
it's possible to do it by the means of sysfs or we should use more brutal

Pavel Roskin

More information about the linux-pcmcia mailing list
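The teardown ordering described in the report, as an added user-space model that is not part of the original message and not kernel code. A "class device" (the socket) holds a list of class-interface remove callbacks; the pcmcia_core callback frees the client handle, the ds callback deregisters it. The model assumes the callbacks run in registration order with the core interface registered first (that is an assumption of the model, chosen to reproduce the call order the report describes, not a claim about the real driver core), and it never frees memory for real: kfree_client() only flags the handle so the bad access is counted instead of crashing. The LIFO variant of class_device_unregister() is one illustration of "deregister with ds first, then with pcmcia_core", not the fix that went into the kernel.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_INTERFACES 4

struct client {
    int id;
    bool freed;        /* set by the simulated kfree */
    bool registered;   /* cleared by the simulated pcmcia_deregister_client */
};

struct socket {
    struct client *client;   /* handle owned by the socket core */
    int uaf_hits;            /* accesses to the handle after it was freed */
};

typedef void (*remove_fn)(struct socket *);

/* Hypothetical class: its interfaces' remove methods, in registration order. */
struct pcmcia_class {
    remove_fn remove[MAX_INTERFACES];
    int count;
};

static void kfree_client(struct client *cl) { cl->freed = true; }

/* pcmcia_core side: remove method of the "pcmcia_socket" interface. */
static void core_remove_socket(struct socket *s)
{
    if (s->client)
        kfree_client(s->client);   /* pointer is left dangling, as in the report */
}

/* ds side: remove method of the "pcmcia_bus_interface" interface. */
static void bus_remove_socket(struct socket *s)
{
    struct client *cl = s->client;
    if (!cl)
        return;
    if (cl->freed) {           /* this is the access that oopses on the real kernel */
        s->uaf_hits++;
        return;
    }
    cl->registered = false;    /* deregistering a still-valid handle is fine */
}

static void interface_register(struct pcmcia_class *c, remove_fn fn)
{
    if (c->count < MAX_INTERFACES)
        c->remove[c->count++] = fn;
}

/* "rmmod ds": ds drops its interface, which runs its remove method now. */
static void interface_unregister(struct pcmcia_class *c, remove_fn fn, struct socket *s)
{
    for (int i = 0; i < c->count; i++) {
        if (c->remove[i] != fn)
            continue;
        fn(s);
        for (int j = i + 1; j < c->count; j++)
            c->remove[j - 1] = c->remove[j];
        c->count--;
        return;
    }
}

/* "rmmod yenta_socket": run every remaining remove method, FIFO or LIFO. */
static void class_device_unregister(struct pcmcia_class *c, struct socket *s, bool lifo)
{
    if (lifo)
        for (int i = c->count - 1; i >= 0; i--) c->remove[i](s);
    else
        for (int i = 0; i < c->count; i++) c->remove[i](s);
}

/* Scenario from the report: yenta_socket removed while ds is loaded.
 * Returns the number of accesses to the freed handle. */
int unload_yenta_first(bool lifo)
{
    struct client cl = { .id = 1, .freed = false, .registered = true };
    struct socket s = { .client = &cl, .uaf_hits = 0 };
    struct pcmcia_class c = { .count = 0 };
    interface_register(&c, core_remove_socket);  /* assumed: core registered first */
    interface_register(&c, bus_remove_socket);
    class_device_unregister(&c, &s, lifo);
    return s.uaf_hits;
}

/* The working order from the report: ds removed first, then yenta_socket. */
int unload_ds_first(void)
{
    struct client cl = { .id = 1, .freed = false, .registered = true };
    struct socket s = { .client = &cl, .uaf_hits = 0 };
    struct pcmcia_class c = { .count = 0 };
    interface_register(&c, core_remove_socket);
    interface_register(&c, bus_remove_socket);
    interface_unregister(&c, bus_remove_socket, &s);   /* rmmod ds */
    class_device_unregister(&c, &s, false);            /* rmmod yenta_socket */
    return s.uaf_hits;
}

int main(void)
{
    printf("yenta first, FIFO removes: %d freed-handle accesses\n", unload_yenta_first(false));
    printf("yenta first, LIFO removes: %d freed-handle accesses\n", unload_yenta_first(true));
    printf("ds first:                  %d freed-handle accesses\n", unload_ds_first());
    return 0;
}
```

The general point the model makes is that teardown has to undo registrations in the reverse of the order the dependencies were built: the bus layer borrows a handle the core owns, so the borrower must let go before the owner frees it, whichever module is unloaded.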