On Tue, Mar 23, 2021 at 02:28:54AM -0700, Lv Yunlong wrote: > In usbtmc_disconnect, data is got from intf with the initial reference. > There is no refcount inc operation before usbmc_free_int(data). In > usbmc_free_int(data), the data may be freed. > > But later in usbtmc_disconnect, there is another put function of data. > It could cause errors in race. > > My patch adds a lock to protect kref from changing in race. > > Signed-off-by: Lv Yunlong <lyl2019@xxxxxxxxxxxxxxxx> > --- > drivers/usb/class/usbtmc.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/drivers/usb/class/usbtmc.c b/drivers/usb/class/usbtmc.c > index 74d5a9c5238a..44f1fcabbb1e 100644 > --- a/drivers/usb/class/usbtmc.c > +++ b/drivers/usb/class/usbtmc.c > @@ -2493,8 +2493,13 @@ static void usbtmc_disconnect(struct usb_interface *intf) > usb_scuttle_anchored_urbs(&file_data->in_anchor); > } > mutex_unlock(&data->io_mutex); > + > + spinlock_t *dev_lock = &data->dev_lock; > + > + spin_lock_irq(dev_lock); > usbtmc_free_int(data); > kref_put(&data->kref, usbtmc_delete); > + spin_unlock_irq(dev_lock); > } > > static void usbtmc_draw_down(struct usbtmc_file_data *file_data) > -- > 2.25.1 You obviously did not even build this patch, let alone test it :( Please do not waste maintainer's time by not doing the proper steps when submitting patches. thanks, greg k-h