usb_sg_cancel in drivers/usb/core/message.c in the Linux kernel before 5.6.8 has a use-after-free because a transfer occurs without a reference, aka CID-056ad39ee925. CREATE(Triage):(User=admin) CVE-2020-12464 (https://nvd.nist.gov/vuln/detail/CVE-2020-12464)