APPLIED: [SRU][J/N/P][PATCH 0/1] CVE-2025-39993

Stefan Bader stefan.bader at canonical.com
Fri Nov 14 08:51:41 UTC 2025 

On 13/11/2025 14:10, Alessio Faina wrote:
> https://ubuntu.com/security/CVE-2025-39993
> 
> 
> [ Impact ]
> 
> While using a SoundGraph iMON MultiMedia IR/Display, a kernel crash can
> occur when the device is in use and it's being disconnected.
> 
> The iMON driver improperly releases the usb_device reference in
> imon_disconnect without coordinating with active users of the
> device.
> 
> Specifically, the fields usbdev_intf0 and usbdev_intf1 are not
> protected by the users counter (ictx->users). During probe,
> imon_init_intf0 or imon_init_intf1 increments the usb_device
> reference count depending on the interface. However, during
> disconnect, usb_put_dev is called unconditionally, regardless of
> actual usage.
> 
> This fix tries to prevent a kernel crash in these situations.
> 
> [ Fix ]
> 
> * Backport commit 76369d3f937bd7a8d6be2320d1f9cb4bedca4ef4 from upstream
> 
> Questing: not affected
> Plucky:   backported from upstream
> Noble:    backported from upstream
> Jammy:    backported from upstream
> Focal:    fixed separately
> Bionic:   fixed separately
> Xenial:   fixed separately
> Trusty:   won't fix
> 
> [ Test Case ]
> 
> Compile and boot tested; cannot be directly tested as specific hardware
> is needed.
> 
> [ Regression potential ]
> 
> Adding a new check if the device has been disconnected shouldn't have
> any regression potential on the original code flow.
> 
> 
> Larshin Sergey (1):
>    media: rc: fix races with imon_disconnect()
> 
>   drivers/media/rc/imon.c | 27 ++++++++++++++++++++-------
>   1 file changed, 20 insertions(+), 7 deletions(-)
> 


Applied to plucky,noble,jammy:linux/master-next. Thanks.

-Stefan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 48643 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20251114/6e03bc31/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20251114/6e03bc31/attachment-0001.sig>

More information about the kernel-team mailing list