On Sun, Aug 01, 2021 at 04:32:15PM +0800, nil Yi wrote:
> Hi, there is a dangling pointer in ictx->rx_urb_intf1 in function
> imon_init_intf1 in v5.14-rc3
> in function imon_init_intf1:
> 2322: ictx->rx_urb_intf1 = rx_urb;
> ...
> 2362: usb_free_urb(rx_urb);
> leave a dangling pointer here, I'm not sure whether it can be
> triggered somewhere.

I think this error path would lead to a double free. So you have an imon
device with two interfaces, and the probe on the second interface fails.
Now when the driver is removed from the first interface, we get a double
free. I think.

Sean
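
Added example, not part of the original message and not the imon driver's code: a userspace C model of the error path discussed above, showing the stale pointer being freed a second time at teardown and the effect of clearing it on failure. The mock types, the `clear_on_error` switch and the teardown behaviour are assumptions made for illustration.

```c
#include <stdio.h>

/* Userspace model, not kernel code: the mock urb counts frees instead of
 * releasing memory, so a double free is observable without undefined
 * behaviour. All names here are hypothetical stand-ins. */
struct mock_urb { int free_count; };
struct mock_ctx { struct mock_urb *rx_urb_intf1; };

/* Like usb_free_urb(), passing NULL is a no-op. */
static void mock_free_urb(struct mock_urb *urb)
{
    if (urb)
        urb->free_count++;
}

/* Second-interface setup whose later step fails (modelled as always
 * failing). clear_on_error selects the hardened error path. */
static int init_intf1(struct mock_ctx *ictx, struct mock_urb *rx_urb,
                      int clear_on_error)
{
    ictx->rx_urb_intf1 = rx_urb;     /* pointer stored in the context */
    mock_free_urb(rx_urb);           /* error path frees the urb */
    if (clear_on_error)
        ictx->rx_urb_intf1 = NULL;   /* hardened: no stale pointer */
    return -1;
}

/* Assumed teardown: frees whatever the context still points at. */
static void disconnect(struct mock_ctx *ictx)
{
    mock_free_urb(ictx->rx_urb_intf1);
    ictx->rx_urb_intf1 = NULL;
}

/* Number of frees seen by one urb across failed probe + disconnect. */
int frees_after_failed_probe(int clear_on_error)
{
    struct mock_urb urb = { 0 };
    struct mock_ctx ictx = { NULL };

    init_intf1(&ictx, &urb, clear_on_error);
    disconnect(&ictx);
    return urb.free_count;
}

int main(void)
{
    printf("stale pointer kept: %d frees\n", frees_after_failed_probe(0));
    printf("pointer cleared:    %d frees\n", frees_after_failed_probe(1));
    return 0;
}
```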