[SRU][J/N/P][PATCH 0/1] CVE-2025-39993
Alessio Faina
alessio.faina at canonical.com
Thu Nov 13 13:10:47 UTC 2025
https://ubuntu.com/security/CVE-2025-39993
[ Impact ]
While using a SoundGraph iMON MultiMedia IR/Display, a kernel crash can
occur when the device is in use and it's being disconnected.
The iMON driver improperly releases the usb_device reference in
imon_disconnect without coordinating with active users of the
device.
Specifically, the fields usbdev_intf0 and usbdev_intf1 are not
protected by the users counter (ictx->users). During probe,
imon_init_intf0 or imon_init_intf1 increments the usb_device
reference count depending on the interface. However, during
disconnect, usb_put_dev is called unconditionally, regardless of
actual usage.
This fix tries to prevent a kernel crash in these situations.
[ Fix ]
* Backport commit 76369d3f937bd7a8d6be2320d1f9cb4bedca4ef4 from upstream
Questing: not affected
Plucky: backported from upstream
Noble: backported from upstream
Jammy: backported from upstream
Focal: fixed separately
Bionic: fixed separately
Xenial: fixed separately
Trusty: won't fix
[ Test Case ]
Compile and boot tested; cannot be directly tested as specific hardware
is needed.
[ Regression potential ]
Adding a new check if the device has been disconnected shouldn't have
any regression potential on the original code flow.
Larshin Sergey (1):
  media: rc: fix races with imon_disconnect()

 drivers/media/rc/imon.c | 27 ++++++++++++++++++++-------
 1 file changed, 20 insertions(+), 7 deletions(-)
--
2.43.0
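
Added example, not part of the original message and not code from the driver or the patch: a single-threaded userspace C model of the lifetime problem described under [ Impact ], next to a "device has been disconnected" check of the kind mentioned under [ Regression potential ]. All names (model_dev, model_ctx, the disconnected flag, run_scenario) are assumptions made for illustration, and the locking a real driver needs is not modelled.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Userspace model; every name here is hypothetical, not the driver's. */
struct model_dev { int refs; };        /* stands in for usb_device */

struct model_ctx {
    struct model_dev *dev;             /* reference taken at probe time */
    bool disconnected;                 /* the added "device is gone" flag */
    int stale_uses;                    /* device uses after refs reached 0 */
};

static void model_probe(struct model_ctx *c, struct model_dev *d)
{
    d->refs = 1;                       /* probe takes a device reference */
    *c = (struct model_ctx){ .dev = d };
}

/* Disconnect drops the reference whether or not a user is still active. */
static void model_disconnect(struct model_ctx *c)
{
    c->disconnected = true;
    c->dev->refs--;
}

/* Write path; check_flag == false models the flow without the new check. */
static int model_write(struct model_ctx *c, bool check_flag)
{
    if (check_flag && c->disconnected)
        return -ENODEV;                /* refuse instead of touching dev */
    if (c->dev->refs == 0)
        c->stale_uses++;               /* device used after its release */
    return 0;
}

/* Unplug while a user is still active, then write. Returns stale uses. */
static int run_scenario(bool check_flag, int *write_ret)
{
    struct model_dev dev; struct model_ctx ctx;
    model_probe(&ctx, &dev);
    model_disconnect(&ctx);
    *write_ret = model_write(&ctx, check_flag);
    return ctx.stale_uses;
}

int main(void)
{
    int r0, r1, s0 = run_scenario(false, &r0), s1 = run_scenario(true, &r1);
    printf("no check: ret=%d stale=%d; check: ret=%d stale=%d\n", r0, s0, r1, s1);
    return 0;
}
```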