In usbtmc_disconnect, data is got from intf with the initial reference. There is no refcount inc operation before usbmc_free_int(data). In usbmc_free_int(data), the data may be freed. But later in usbtmc_disconnect, there is another put function of data. It could cause errors in race. My patch adds a lock to protect kref from changing in race. Signed-off-by: Lv Yunlong <lyl2019@xxxxxxxxxxxxxxxx> --- drivers/usb/class/usbtmc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/usb/class/usbtmc.c b/drivers/usb/class/usbtmc.c index 74d5a9c5238a..44f1fcabbb1e 100644 --- a/drivers/usb/class/usbtmc.c +++ b/drivers/usb/class/usbtmc.c @@ -2493,8 +2493,13 @@ static void usbtmc_disconnect(struct usb_interface *intf) usb_scuttle_anchored_urbs(&file_data->in_anchor); } mutex_unlock(&data->io_mutex); + + spinlock_t *dev_lock = &data->dev_lock; + + spin_lock_irq(dev_lock); usbtmc_free_int(data); kref_put(&data->kref, usbtmc_delete); + spin_unlock_irq(dev_lock); } static void usbtmc_draw_down(struct usbtmc_file_data *file_data) -- 2.25.1
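Review bot: the final `spin_unlock_irq(dev_lock);` in this hunk runs after `kref_put(&data->kref, usbtmc_delete);`, and `dev_lock` points into `data` (`spinlock_t *dev_lock = &data->dev_lock;`), so whenever that kref_put drops the last reference and usbtmc_delete frees `data`, the unlock touches freed memory; the patch introduces exactly the kind of use-after-free it sets out to prevent. A spinlock also does not address the problem the commit message describes: kref_get/kref_put are already atomic, and the bug is an unbalanced put (usbtmc_free_int dropping a reference that the caller still uses, followed by a second kref_put in usbtmc_disconnect), which serialising the two calls cannot fix. The fix should restore balance instead, either by removing the extra kref_put here or by taking a kref_get before usbtmc_free_int if that function really consumes a reference. Two further points: if usbtmc_free_int kills or waits for an URB, as a routine that frees an interrupt endpoint normally does, it can sleep, which is not permitted with a spinlock held and interrupts disabled; and `spinlock_t *dev_lock = &data->dev_lock;` is a declaration placed after statements in the function body, which kernel style (-Wdeclaration-after-statement) rejects, so it would have to move to the top of usbtmc_disconnect.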