CVE-2025-40223

Source
https://cve.org/CVERecord?id=CVE-2025-40223
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40223.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-40223
Downstream
Related
Published
2025-12-04T15:31:15.158Z
Modified
2026-03-28T17:44:09.934119315Z
Summary
most: usb: Fix use-after-free in hdm_disconnect
Details

In the Linux kernel, the following vulnerability has been resolved:

most: usb: Fix use-after-free in hdm_disconnect

hdm_disconnect() calls most_deregister_interface(), which eventually unregisters the MOST interface device with device_unregister(iface->dev). If that drops the last reference, the device core may call release_mdev() immediately while hdm_disconnect() is still executing.

The old code also freed several mdev-owned allocations in hdm_disconnect() and then performed additional put_device() calls. Depending on refcount order, this could lead to use-after-free or double-free when release_mdev() ran (or when unregister paths also performed puts).

Fix by moving the frees of mdev-owned allocations into release_mdev(), so they happen exactly once when the device is truly released, and by dropping the extra put_device() calls in hdm_disconnect() that are redundant after device_unregister() and most_deregister_interface().

This addresses the KASAN slab-use-after-free reported by syzbot in hdm_disconnect(). See report and stack traces in the bug link below.
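The lifetime rule described above, as an added user-space model (not the driver's code and not part of the CVE record): frees are tracked as flags rather than performed, so the old ordering can be exercised without real memory corruption. The names `obj`, `buf`, `run`, `put_dev` and the assumption that the pre-fix release callback freed only the container are hypothetical.

```c
#include <stdio.h>
struct obj { int freed; };                 /* tracked allocation, never really freed */
struct dev { int refs; void (*release)(struct dev *); };
struct mdev { struct dev dev; struct obj self, buf; };  /* dev must stay first */

static int violations;                     /* lifetime errors observed */

static void use(struct obj *o) { if (o->freed) violations++; }
static void free_model(struct obj *o) { use(o); o->freed = 1; }
/* Models put_device(): touching the refcount requires a live container. */
static void put_dev(struct mdev *m) {
    use(&m->self);
    if (--m->dev.refs == 0) m->dev.release(&m->dev);
}

/* Assumed pre-fix split: release frees only the container. */
static void release_old(struct dev *d) {
    free_model(&((struct mdev *)d)->self);
}
/* Post-fix: release owns every free, so each happens once, at refcount zero. */
static void release_fixed(struct dev *d) {
    struct mdev *m = (struct mdev *)d;
    free_model(&m->buf);
    free_model(&m->self);
}

static void disconnect_old(struct mdev *m) {
    put_dev(m);              /* models device_unregister(): may run release now */
    use(&m->self);           /* reads m to find the owned buffer */
    free_model(&m->buf);     /* frees an mdev-owned allocation here */
    put_dev(m);              /* extra put after unregister */
}
static void disconnect_fixed(struct mdev *m) {
    put_dev(m);              /* unregister only; m is not touched afterwards */
}
/* Returns lifetime violations, or -1 if something was never freed. */
int run(int fixed, int refs) {
    struct mdev m = { { refs, fixed ? release_fixed : release_old }, {0}, {0} };
    violations = 0;
    if (fixed) disconnect_fixed(&m); else disconnect_old(&m);
    while (m.dev.refs > 0) put_dev(&m);    /* other holders drop their refs */
    if (!m.self.freed || !m.buf.freed) return -1;
    return violations;
}

int main(void) {
    for (int refs = 1; refs <= 2; refs++)
        printf("refs=%d old=%d fixed=%d\n", refs, run(0, refs), run(1, refs));
}
```

In the model the old ordering is only clean when some other holder happens to keep the device alive past unregister, while the fixed ordering is clean for every starting refcount.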

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/40xxx/CVE-2025-40223.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-40223.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type       Introduced  Fixed
ECOSYSTEM  5.9.0       5.10.246
ECOSYSTEM  5.11.0      5.15.196
ECOSYSTEM  5.16.0      6.1.158
ECOSYSTEM  6.2.0       6.6.115
ECOSYSTEM  6.7.0       6.12.56
ECOSYSTEM  6.13.0      6.17.6
