{"id":"CVE-2025-39993","summary":"media: rc: fix races with imon_disconnect()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: rc: fix races with imon_disconnect()\n\nSyzbot reports a KASAN issue as below:\nBUG: KASAN: use-after-free in __create_pipe include/linux/usb.h:1945 [inline]\nBUG: KASAN: use-after-free in send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627\nRead of size 4 at addr ffff8880256fb000 by task syz-executor314/4465\n\nCPU: 2 PID: 4465 Comm: syz-executor314 Not tainted 6.0.0-rc1-syzkaller #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014\nCall Trace:\n \u003cTASK\u003e\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\nprint_address_description mm/kasan/report.c:317 [inline]\nprint_report.cold+0x2ba/0x6e9 mm/kasan/report.c:433\nkasan_report+0xb1/0x1e0 mm/kasan/report.c:495\n__create_pipe include/linux/usb.h:1945 [inline]\nsend_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627\nvfd_write+0x2d9/0x550 drivers/media/rc/imon.c:991\nvfs_write+0x2d7/0xdd0 fs/read_write.c:576\nksys_write+0x127/0x250 fs/read_write.c:631\ndo_syscall_x64 arch/x86/entry/common.c:50 [inline]\ndo_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe iMON driver improperly releases the usb_device reference in\nimon_disconnect without coordinating with active users of the\ndevice.\n\nSpecifically, the fields usbdev_intf0 and usbdev_intf1 are not\nprotected by the users counter (ictx-\u003eusers). During probe,\nimon_init_intf0 or imon_init_intf1 increments the usb_device\nreference count depending on the interface. However, during\ndisconnect, usb_put_dev is called unconditionally, regardless of\nactual usage.\n\nAs a result, if vfd_write or other operations are still in\nprogress after disconnect, this can lead to a use-after-free of\nthe usb_device pointer.\n\nThread 1 vfd_write                      Thread 2 imon_disconnect\n                                        ...\n                                        if\n                                          usb_put_dev(ictx-\u003eusbdev_intf0)\n                                        else\n                                          usb_put_dev(ictx-\u003eusbdev_intf1)\n...\nwhile\n  send_packet\n    if\n      pipe = usb_sndintpipe(\n        ictx-\u003eusbdev_intf0) UAF\n    else\n      pipe = usb_sndctrlpipe(\n        ictx-\u003eusbdev_intf0, 0) UAF\n\nGuard access to usbdev_intf0 and usbdev_intf1 after disconnect by\nchecking ictx-\u003edisconnected in all writer paths. Add early return\nwith -ENODEV in send_packet(), vfd_write(), lcd_write() and\ndisplay_open() if the device is no longer present.\n\nSet and read ictx-\u003edisconnected under ictx-\u003elock to ensure memory\nsynchronization. Acquire the lock in imon_disconnect() before setting\nthe flag to synchronize with any ongoing operations.\n\nEnsure writers exit early and safely after disconnect before the USB\ncore proceeds with cleanup.\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller.","modified":"2026-04-16T04:33:29.938802562Z","published":"2025-10-15T07:58:18.621Z","related":["ALSA-2026:0443","ALSA-2026:0444","SUSE-SU-2025:21040-1","SUSE-SU-2025:21052-1","SUSE-SU-2025:21056-1","SUSE-SU-2025:21064-1","SUSE-SU-2025:21080-1","SUSE-SU-2025:21147-1","SUSE-SU-2025:21180-1","SUSE-SU-2025:4057-1","SUSE-SU-2025:4128-1","SUSE-SU-2025:4132-1","SUSE-SU-2025:4140-1","SUSE-SU-2025:4141-1","SUSE-SU-2025:4301-1","openSUSE-SU-2025:15671-1","openSUSE-SU-2025:20091-1","openSUSE-SU-2026:10301-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39993.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/2e7fd93b9cc565b839bc55a6662475718963e156"},{"type":"WEB","url":"https://git.kernel.org/stable/c/71096a6161a25e84acddb89a9d77f138502d26ab"},{"type":"WEB","url":"https://git.kernel.org/stable/c/71c52b073922d05e79e6de7fc7f5f38f927929a4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/71da40648741d15b302700b68973fe8b382aef3c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9348976003e39754af344949579e824a0a210fc4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b03fac6e2a38331faf8510b480becfa90cea1c9f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/d9f6ce99624a41c3bcb29a8d7d79b800665229dd"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fa0f61cc1d828178aa921475a9b786e7fbb65ccb"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fd5d3e6b149ec8cce045d86a2b5e3664d6b32ba5"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39993.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-39993"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"21677cfc562a27e099719d413287bc8d1d24deb7"},{"fixed":"9348976003e39754af344949579e824a0a210fc4"},{"fixed":"b03fac6e2a38331faf8510b480becfa90cea1c9f"},{"fixed":"71c52b073922d05e79e6de7fc7f5f38f927929a4"},{"fixed":"71096a6161a25e84acddb89a9d77f138502d26ab"},{"fixed":"71da40648741d15b302700b68973fe8b382aef3c"},{"fixed":"fd5d3e6b149ec8cce045d86a2b5e3664d6b32ba5"},{"fixed":"d9f6ce99624a41c3bcb29a8d7d79b800665229dd"},{"fixed":"2e7fd93b9cc565b839bc55a6662475718963e156"},{"fixed":"fa0f61cc1d828178aa921475a9b786e7fbb65ccb"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-39993.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.6.35"},{"fixed":"5.4.301"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.5.0"},{"fixed":"5.10.246"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.195"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.156"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.110"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.51"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.16.11"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.17.0"},{"fixed":"6.17.1"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-39993.json"}}],"schema_version":"1.7.5"}