In usbtmc_disconnect, data is got from intf with the initial reference. There is no refcount inc operation before usbtmc_free_int(data). In usbtmc_free_int(data), the data may be freed. But later in usbtmc_disconnect, there is another put function of data. I think it is better to add necessary checks to avoid the data being put twice. It could cause errors in race. Signed-off-by: Lv Yunlong <lyl2019@xxxxxxxxxxxxxxxx> --- drivers/usb/class/usbtmc.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/usb/class/usbtmc.c b/drivers/usb/class/usbtmc.c index 74d5a9c5238a..e0438cb46386 100644 --- a/drivers/usb/class/usbtmc.c +++ b/drivers/usb/class/usbtmc.c @@ -2494,7 +2494,9 @@ static void usbtmc_disconnect(struct usb_interface *intf) } mutex_unlock(&data->io_mutex); usbtmc_free_int(data); - kref_put(&data->kref, usbtmc_delete); + + if (data->iin_ep_present && data->iin_urb) + kref_put(&data->kref, usbtmc_delete); } static void usbtmc_draw_down(struct usbtmc_file_data *file_data) -- 2.25.1
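
Review bot: the added condition `if (data->iin_ep_present && data->iin_urb)` in usbtmc_disconnect reads two fields of data after usbtmc_free_int(data) has returned, and the commit message itself says data may be freed inside that call, so the new check can read freed memory instead of preventing the double put. The guard also changes the balance in the other direction: whenever the condition is false, usbtmc_disconnect now returns without any kref_put, so unless usbtmc_free_int dropped a reference in exactly that case, the initial reference is never released and data is leaked. The commit message should state which kref_get each of the two puts pairs with (the one inside usbtmc_free_int and the one here). If they pair with different gets, the existing code is balanced and no change is needed. If they do not, the imbalance should be fixed at the get/put site, for example by holding an extra reference across usbtmc_free_int, rather than by gating the final put on state stored in the object being released. "It could cause errors in race" also needs the concrete interleaving spelled out, since io_mutex is already unlocked before either call.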