CVE-2025-39993

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> media: rc: fix races with imon_disconnect()<br /> <br /> Syzbot reports a KASAN issue as below:<br /> BUG: KASAN: use-after-free in __create_pipe include/linux/usb.h:1945 [inline]<br /> BUG: KASAN: use-after-free in send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627<br /> Read of size 4 at addr ffff8880256fb000 by task syz-executor314/4465<br /> <br /> CPU: 2 PID: 4465 Comm: syz-executor314 Not tainted 6.0.0-rc1-syzkaller #0<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014<br /> Call Trace:<br /> <br /> __dump_stack lib/dump_stack.c:88 [inline]<br /> dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106<br /> print_address_description mm/kasan/report.c:317 [inline]<br /> print_report.cold+0x2ba/0x6e9 mm/kasan/report.c:433<br /> kasan_report+0xb1/0x1e0 mm/kasan/report.c:495<br /> __create_pipe include/linux/usb.h:1945 [inline]<br /> send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627<br /> vfd_write+0x2d9/0x550 drivers/media/rc/imon.c:991<br /> vfs_write+0x2d7/0xdd0 fs/read_write.c:576<br /> ksys_write+0x127/0x250 fs/read_write.c:631<br /> do_syscall_x64 arch/x86/entry/common.c:50 [inline]<br /> do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80<br /> entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> <br /> The iMON driver improperly releases the usb_device reference in<br /> imon_disconnect without coordinating with active users of the<br /> device.<br /> <br /> Specifically, the fields usbdev_intf0 and usbdev_intf1 are not<br /> protected by the users counter (ictx-&gt;users). During probe,<br /> imon_init_intf0 or imon_init_intf1 increments the usb_device<br /> reference count depending on the interface. However, during<br /> disconnect, usb_put_dev is called unconditionally, regardless of<br /> actual usage.<br /> <br /> As a result, if vfd_write or other operations are still in<br /> progress after disconnect, this can lead to a use-after-free of<br /> the usb_device pointer.<br /> <br /> Thread 1 vfd_write Thread 2 imon_disconnect<br /> ...<br /> if<br /> usb_put_dev(ictx-&gt;usbdev_intf0)<br /> else<br /> usb_put_dev(ictx-&gt;usbdev_intf1)<br /> ...<br /> while<br /> send_packet<br /> if<br /> pipe = usb_sndintpipe(<br /> ictx-&gt;usbdev_intf0) UAF<br /> else<br /> pipe = usb_sndctrlpipe(<br /> ictx-&gt;usbdev_intf0, 0) UAF<br /> <br /> Guard access to usbdev_intf0 and usbdev_intf1 after disconnect by<br /> checking ictx-&gt;disconnected in all writer paths. Add early return<br /> with -ENODEV in send_packet(), vfd_write(), lcd_write() and<br /> display_open() if the device is no longer present.<br /> <br /> Set and read ictx-&gt;disconnected under ictx-&gt;lock to ensure memory<br /> synchronization. Acquire the lock in imon_disconnect() before setting<br /> the flag to synchronize with any ongoing operations.<br /> <br /> Ensure writers exit early and safely after disconnect before the USB<br /> core proceeds with cleanup.<br /> <br /> Found by Linux Verification Center (linuxtesting.org) with Syzkaller.