pa_module_free is called from more than one place, not all of these places correctly removed the module from the modules_pending_unload array, potentially causing a dangling pointer in that array.
Signed-off-by: David Henningsson <david.henningsson at canonical.com>
---
This was found while investigating Pierre's latest comment in https://bugs.freedesktop.org/show_bug.cgi?id=90108 Pierre, can you see if this solves the problem for you?
 src/pulsecore/module.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/pulsecore/module.c b/src/pulsecore/module.c
index 1d4187e..a83a706 100644
--- a/src/pulsecore/module.c
+++ b/src/pulsecore/module.c
@@ -248,6 +248,8 @@ static void pa_module_free(pa_module *m) {
 lt_dlclose(m->dl);
+ pa_hashmap_remove(m->core->modules_pending_unload, m);
+
 pa_log_info("Unloaded \"%s\" (index: #%u).", m->name, m->index);
 pa_subscription_post(m->core, PA_SUBSCRIPTION_EVENT_MODULE|PA_SUBSCRIPTION_EVENT_REMOVE, m->index);
@@ -264,8 +266,6 @@ void pa_module_unload(pa_core *c, pa_module *m, bool force) {
 if (m->core->disallow_module_loading && !force) return;
- pa_hashmap_remove(c->modules_pending_unload, m);
-
 if (!(m = pa_idxset_remove_by_data(c->modules, m, NULL))) return;
@@ -323,6 +323,7 @@ void pa_module_unload_all(pa_core *c) {
 c->mainloop->defer_free(c->module_defer_unload_event);
 c->module_defer_unload_event = NULL;
 }
+ pa_assert(pa_idxset_isempty(c->modules_pending_unload));
 }
 static void defer_cb(pa_mainloop_api*api, pa_defer_event *e, void *userdata) {
-- 
1.9.1
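Review bot: The new `pa_hashmap_remove(m->core->modules_pending_unload, m);` in pa_module_free carries no comment, yet it is the invariant the whole fix rests on: every path that frees a module must also drop it from the pending-unload set. I would add above it `/* Drop any pending unload request so the set never holds a freed pa_module. */`. With the removal gone from pa_module_unload (second hunk), its early returns now leave the entry in the set; whether code that drains modules_pending_unload relies on the old behaviour is not visible in this patch and should be confirmed. pa_module_free starts and ends outside the hunk.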
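Review bot: The assert added at the end of pa_module_unload_all calls `pa_idxset_isempty` on `c->modules_pending_unload`, but the other two hunks operate on that same member with `pa_hashmap_remove`, so it is a hashmap and the idxset accessor is the wrong type for it. The line should read `pa_assert(pa_hashmap_isempty(c->modules_pending_unload));`. As written the check is at best an incompatible-pointer warning and cannot be relied on to catch the leftover entry it is meant to detect. The function body starts outside the hunk.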