From: Steinar H. Gunderson [mailto:sesse@xxxxxxxxxx]
> Sent: 26 November 2015 00:19

There is still a problem with this code, not sure how to fix it.

...
> +static void dec_usb_memory_use_count(struct usb_memory *usbm, int *count)
> +{
> + struct usb_dev_state *ps = usbm->ps;
> + unsigned long flags;
> +
> + spin_lock_irqsave(&ps->lock, flags);
> + --*count;
> + if (usbm->urb_use_count == 0 && usbm->vma_use_count == 0) {
...
> + module_put(THIS_MODULE);
> + } else {
> + spin_unlock_irqrestore(&ps->lock, flags);
> + }
> +}
...
> +static void usbdev_vm_close(struct vm_area_struct *vma)
> +{
> + struct usb_memory *usbm = vma->vm_private_data;
> +
> + dec_usb_memory_use_count(usbm, &usbm->vma_use_count);
> +}

If the last reference to the module is for an mmap request (which is the only reason to reference count the module here) then the module_put() in dec_usb_memory_use_count() returns back into freed memory.

There isn't much the module can do about it either apart from using kthread_run() to call module_put_and_exit() and even that is somewhat racy (a sleep in the kthread is probably enough).

The only real solution is for mmap() itself to take the reference on the module.

	David

--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
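Review bot: in the dec_usb_memory_use_count() hunk, the lines elided between the `if (usbm->urb_use_count == 0 && usbm->vma_use_count == 0) {` test and `module_put(THIS_MODULE);` hide whether ps->lock is released on that path; the else arm does `spin_unlock_irqrestore(&ps->lock, flags);`, so please confirm the if arm drops the lock before the put, and keep module_put() from being the last statement executed by this module's own code, since once it releases the final reference there is no guarantee the return path is still mapped.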
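Review bot: usbdev_vm_close() runs while the vma still holds its vm_file reference, and the usbfs file_operations owner already pins the module for as long as that file is open, so the module reference dropped via dec_usb_memory_use_count(usbm, &usbm->vma_use_count) here (and the matching get at mmap time) is redundant; removing both sides and letting the open file keep the module loaded also removes the return-into-freed-memory hazard raised in the reply.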