On Thursday, 01.08.2019, 14:47 -0400, Alan Stern wrote:
>
> I think this must be caused by an unbalanced refcount. That is,
> something must drop one more reference to the device than it takes.
> That would explain why the invalid access occurs inside a single
> bus_remove_device() call, between the klist_del() and
> device_release_driver().
>
> The kernel log indicates that the device was probed by rndis_wlan,
> rndis_host, and cdc_acm, all of which got errors because of the
> device's bogus descriptors. Probably one of them is messing up the
> refcount.

Hi,

you made me look at cdc-acm. I suspect

cae2bc768d176bfbdad7035bbcc3cdc973eb7984 ("usb: cdc-acm: Decrement tty port's refcount if probe() fail")

is buggy, decrementing the refcount on the interface in destroy()
even before the refcount is increased.

Unfortunately I cannot tell from the bug report how many and which
interfaces the emulated test device has. Hence it is unclear to me
when exactly probe() would fail cdc-acm.

If you agree, I am attaching a putative fix.

Regards
Oliver
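
The imbalance suspected above, as an added user-space model (not the cdc-acm code and not the fix attached to this message): a destructor that drops an interface reference runs on a probe failure path before that reference was taken. All struct and function names are hypothetical, and the starting count of 1 stands for the reference held by the caller of probe.

```c
#include <stdbool.h>

/* Constructed user-space model; struct and function names are hypothetical. */
struct intf { int refs; bool released; };

static void intf_get(struct intf *i) { i->refs++; }
static void intf_put(struct intf *i)
{
    if (--i->refs == 0)
        i->released = true;   /* stands in for freeing the object */
}

struct port { struct intf *control; };

/* Destructor run when the port's last reference is dropped:
 * it unconditionally drops the interface reference. */
static void port_destruct(struct port *p) { intf_put(p->control); }

/* Buggy ordering: the failure path reaches the destructor before
 * probe has taken its own reference on the interface. */
static int probe_buggy(struct intf *i, bool fail_early)
{
    struct port p = { .control = i };
    if (fail_early) {
        port_destruct(&p);    /* put without a matching get */
        return -1;
    }
    intf_get(i);
    return 0;
}

/* Balanced ordering: take the reference before any path that can
 * end in the destructor. */
static int probe_balanced(struct intf *i, bool fail_early)
{
    struct port p = { .control = i };
    intf_get(i);
    if (fail_early) {
        port_destruct(&p);
        return -1;
    }
    return 0;
}

/* Returns the refcount left after a failed probe; the caller holds 1. */
static int refs_after_failed_probe(int (*probe)(struct intf *, bool), bool *released)
{
    struct intf i = { .refs = 1, .released = false };
    probe(&i, true);
    *released = i.released;
    return i.refs;
}
```

In the buggy ordering the failed probe consumes the caller's reference, so the object is released while the caller still expects to use it, which matches the kind of invalid access described in the quoted text.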