CVE-2025-22027

Severity CVSS v4.0:
Pending analysis
Type:
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Publication date:
16/04/2025
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

media: streamzap: fix race between device disconnection and urb callback

Syzkaller has reported a general protection fault at function ir_raw_event_store_with_filter(). This crash is caused by a NULL pointer dereference of dev->raw pointer, even though it is checked for NULL in the same function, which means there is a race condition. It occurs due to the incorrect order of actions in the streamzap_disconnect() function: rc_unregister_device() is called before usb_kill_urb(). The dev->raw pointer is freed and set to NULL in rc_unregister_device(), and only after that usb_kill_urb() waits for in-progress requests to finish.

If rc_unregister_device() is called while streamzap_callback() handler is not finished, this can lead to accessing freed resources. Thus rc_unregister_device() should be called after usb_kill_urb().

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
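The teardown ordering described above, replayed deterministically in a userspace C model (an added example, not the kernel patch or the driver's code). `model_dev`, `cb_begin`, `cb_finish`, `model_kill_urb`, `model_unregister` and `run_disconnect` are hypothetical stand-ins, and the callback is assumed to be paused between its NULL check and its use of the pointer when the device is unplugged.

```c
/* Userspace model (added example, not kernel code): deterministic replay of
 * the interleaving between the URB callback and device disconnect. */
#include <stdio.h>
#include <stdlib.h>

struct model_dev {
    int *raw;          /* stands in for dev->raw */
    int cb_in_flight;  /* callback passed its NULL check but has not finished */
    int faults;        /* times the callback would have dereferenced NULL */
};

/* First half of the callback: the NULL check the description mentions. */
static void cb_begin(struct model_dev *d) {
    if (d->raw) d->cb_in_flight = 1;
}

/* Second half: the access through the pointer, counted instead of crashing. */
static void cb_finish(struct model_dev *d) {
    if (!d->cb_in_flight) return;
    if (d->raw) (*d->raw)++;
    else d->faults++;
    d->cb_in_flight = 0;
}

/* Models usb_kill_urb(): returns only after an in-progress callback ends. */
static void model_kill_urb(struct model_dev *d) { cb_finish(d); }

/* Models rc_unregister_device(): frees raw and sets it to NULL. */
static void model_unregister(struct model_dev *d) { free(d->raw); d->raw = NULL; }

/* Returns the number of faults seen for the chosen disconnect ordering. */
int run_disconnect(int fixed_order) {
    struct model_dev d = { calloc(1, sizeof(int)), 0, 0 };
    if (!d.raw) return -1;
    cb_begin(&d);              /* callback is mid-flight when unplug happens */
    if (fixed_order) {
        model_kill_urb(&d);    /* wait for the callback first ... */
        model_unregister(&d);  /* ... then release raw */
    } else {
        model_unregister(&d);  /* raw released while callback is in flight */
        model_kill_urb(&d);    /* callback resumes with raw == NULL */
    }
    return d.faults;
}

int main(void) {
    printf("pre-fix order: %d fault(s)\n", run_disconnect(0));
    printf("fixed order:   %d fault(s)\n", run_disconnect(1));
    return 0;
}
```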

Vulnerable products and versions

CPE                                            From                Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   2.6.36 (including)  6.1.134 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.2 (including)     6.6.87 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.7 (including)     6.12.23 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.13 (including)    6.13.11 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.14 (including)    6.14.2 (excluding)