ACK/Cmnt: [SRU][J/N/P][PATCH 0/1] CVE-2025-39993

Massimiliano Pellizzer massimiliano.pellizzer at canonical.com
Thu Nov 13 14:14:05 UTC 2025 

On Thu, 13 Nov 2025 at 14:12, Alessio Faina <alessio.faina at canonical.com> wrote:
>
> https://ubuntu.com/security/CVE-2025-39993
>
>
> [ Impact ]
>
> While using a SoundGraph iMON MultiMedia IR/Display, a kernel crash can
> occur when the device is in use and it's being disconnected.
>
> The iMON driver improperly releases the usb_device reference in
> imon_disconnect without coordinating with active users of the
> device.
>
> Specifically, the fields usbdev_intf0 and usbdev_intf1 are not
> protected by the users counter (ictx->users). During probe,
> imon_init_intf0 or imon_init_intf1 increments the usb_device
> reference count depending on the interface. However, during
> disconnect, usb_put_dev is called unconditionally, regardless of
> actual usage.
>
> This fix tries to prevent a kernel crash in these situations.
>
> [ Fix ]
>
> * Backport commit 76369d3f937bd7a8d6be2320d1f9cb4bedca4ef4 from upstream
>
> Questing: not affected
> Plucky:   backported from upstream
> Noble:    backported from upstream
> Jammy:    backported from upstream
> Focal:    fixed separately
> Bionic:   fixed separately
> Xenial:   fixed separately
> Trusty:   won't fix
>
> [ Test Case ]
>
> Compile and boot tested; cannot be directly tested as specific hardware
> is needed.
>
> [ Regression potential ]
>
> Adding a new check if the device has been disconnected shouldn't have
> any regression potential on the original code flow.
>
>
> Larshin Sergey (1):
>   media: rc: fix races with imon_disconnect()
>
>  drivers/media/rc/imon.c | 27 ++++++++++++++++++++-------
>  1 file changed, 20 insertions(+), 7 deletions(-)
>
> --
> 2.43.0
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

The patch looks good.

Notice that the fix commit:
    fa0f61cc1d828 media: rc: fix races with imon_disconnect()
has been backported to the following upstream stable trees:
    - linux-6.12.y --> fd5d3e6b149ec media: rc: fix races with imon_disconnect()
    - linux-6.6.y   --> 71da40648741d media: rc: fix races with
imon_disconnect()
    - linux-6.1.y   --> 71096a6161a25 media: rc: fix races with
imon_disconnect()
    - linux-5.15.y --> 71c52b073922d media: rc: fix races with imon_disconnect()

This means that instead of backporting from mainline, it is possible
to cherry pick from the stable trees.

Acked-by: Massimiliano Pellizzer <massimiliano.pellizzer at canonical.com>

-- 
Massimiliano Pellizzer

More information about the kernel-team mailing list