CVE-2025-39993

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-39993
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-39993.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-39993
Published
2025-10-15T07:58:18.621Z
Modified
2025-11-27T19:35:39.446443Z
Summary
media: rc: fix races with imon_disconnect()
Details

In the Linux kernel, the following vulnerability has been resolved:

media: rc: fix races with imon_disconnect()

Syzbot reports a KASAN issue as below:

BUG: KASAN: use-after-free in __create_pipe include/linux/usb.h:1945 [inline]
BUG: KASAN: use-after-free in send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627
Read of size 4 at addr ffff8880256fb000 by task syz-executor314/4465

CPU: 2 PID: 4465 Comm: syz-executor314 Not tainted 6.0.0-rc1-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:317 [inline]
 print_report.cold+0x2ba/0x6e9 mm/kasan/report.c:433
 kasan_report+0xb1/0x1e0 mm/kasan/report.c:495
 __create_pipe include/linux/usb.h:1945 [inline]
 send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627
 vfd_write+0x2d9/0x550 drivers/media/rc/imon.c:991
 vfs_write+0x2d7/0xdd0 fs/read_write.c:576
 ksys_write+0x127/0x250 fs/read_write.c:631
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The iMON driver improperly releases the usb_device reference in imon_disconnect without coordinating with active users of the device.

Specifically, the fields usbdev_intf0 and usbdev_intf1 are not protected by the users counter (ictx->users). During probe, imon_init_intf0 or imon_init_intf1 increments the usb_device reference count depending on the interface. However, during disconnect, usb_put_dev is called unconditionally, regardless of actual usage.

As a result, if vfd_write or other operations are still in progress after disconnect, this can lead to a use-after-free of the usb_device pointer.

Thread 1 vfd_write                      Thread 2 imon_disconnect
                                        ...
                                        if
                                          usb_put_dev(ictx->usbdev_intf0)
                                        else
                                          usb_put_dev(ictx->usbdev_intf1)
...
while
  send_packet
    if
      pipe = usb_sndintpipe(
        ictx->usbdev_intf0) UAF
    else
      pipe = usb_sndctrlpipe(
        ictx->usbdev_intf0, 0) UAF

Guard access to usbdev_intf0 and usbdev_intf1 after disconnect by checking ictx->disconnected in all writer paths. Add early return with -ENODEV in send_packet(), vfd_write(), lcd_write() and display_open() if the device is no longer present.

Set and read ictx->disconnected under ictx->lock to ensure memory synchronization. Acquire the lock in imon_disconnect() before setting the flag to synchronize with any ongoing operations.

Ensure writers exit early and safely after disconnect before the USB core proceeds with cleanup.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
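
The guard described above, as a user-space C model added here for illustration; it is not the kernel patch or code from this record. The struct fake_usb_dev type, the released marker and the function names send_packet_unguarded, send_packet_guarded and disconnect_model are assumptions, and a pthread mutex stands in for ictx->lock.

```c
#include <errno.h>
#include <pthread.h>

/* Constructed stand-in for struct usb_device; nothing is really freed. */
struct fake_usb_dev { int refs; int released; };

/* Stand-in for the driver context; field names follow the advisory text. */
struct imon_ctx {
    pthread_mutex_t lock;               /* models ictx->lock */
    int disconnected;                   /* models ictx->disconnected */
    struct fake_usb_dev *usbdev_intf0;
};

/* Pre-fix shape: pointer used with no state check; 1 means a stale use. */
static int send_packet_unguarded(struct imon_ctx *ictx)
{
    return ictx->usbdev_intf0->released ? 1 : 0;
}

/* Post-fix shape: flag read under the lock, -ENODEV once disconnected. */
static int send_packet_guarded(struct imon_ctx *ictx)
{
    int ret;
    pthread_mutex_lock(&ictx->lock);
    ret = ictx->disconnected ? -ENODEV : send_packet_unguarded(ictx);
    pthread_mutex_unlock(&ictx->lock);
    return ret;
}

/* Set the flag under the lock (waits out a writer), then drop the ref. */
static void disconnect_model(struct imon_ctx *ictx)
{
    pthread_mutex_lock(&ictx->lock);
    ictx->disconnected = 1;
    pthread_mutex_unlock(&ictx->lock);
    if (--ictx->usbdev_intf0->refs == 0)
        ictx->usbdev_intf0->released = 1;
}

int main(void)
{
    struct fake_usb_dev dev = { .refs = 1, .released = 0 };
    struct imon_ctx ictx = { .lock = PTHREAD_MUTEX_INITIALIZER,
                             .disconnected = 0, .usbdev_intf0 = &dev };

    disconnect_model(&ictx);
    /* exit status 0 means the guarded writer refused with -ENODEV */
    return send_packet_guarded(&ictx) == -ENODEV ? 0 : 1;
}
```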

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/blob/ee626f5d79d5817bb21d6f048dc0da4c4e383443/cves/2025/39xxx/CVE-2025-39993.json"
}

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Introduced                                  Fixed
21677cfc562a27e099719d413287bc8d1d24deb7    9348976003e39754af344949579e824a0a210fc4
21677cfc562a27e099719d413287bc8d1d24deb7    b03fac6e2a38331faf8510b480becfa90cea1c9f
21677cfc562a27e099719d413287bc8d1d24deb7    71c52b073922d05e79e6de7fc7f5f38f927929a4
21677cfc562a27e099719d413287bc8d1d24deb7    71096a6161a25e84acddb89a9d77f138502d26ab
21677cfc562a27e099719d413287bc8d1d24deb7    71da40648741d15b302700b68973fe8b382aef3c
21677cfc562a27e099719d413287bc8d1d24deb7    fd5d3e6b149ec8cce045d86a2b5e3664d6b32ba5
21677cfc562a27e099719d413287bc8d1d24deb7    d9f6ce99624a41c3bcb29a8d7d79b800665229dd
21677cfc562a27e099719d413287bc8d1d24deb7    2e7fd93b9cc565b839bc55a6662475718963e156
21677cfc562a27e099719d413287bc8d1d24deb7    fa0f61cc1d828178aa921475a9b786e7fbb65ccb

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type: ECOSYSTEM

Introduced    Fixed
2.6.35        5.4.301
5.5.0         5.10.246
5.11.0        5.15.195
5.16.0        6.1.156
6.2.0         6.6.110
6.7.0         6.12.51
6.13.0        6.16.11
6.17.0        6.17.1