Home

Description

In the Linux kernel, the following vulnerability has been resolved: most: usb: Fix use-after-free in hdm_disconnect hdm_disconnect() calls most_deregister_interface(), which eventually unregisters the MOST interface device with device_unregister(iface->dev). If that drops the last reference, the device core may call release_mdev() immediately while hdm_disconnect() is still executing. The old code also freed several mdev-owned allocations in hdm_disconnect() and then performed additional put_device() calls. Depending on refcount order, this could lead to use-after-free or double-free when release_mdev() ran (or when unregister paths also performed puts). Fix by moving the frees of mdev-owned allocations into release_mdev(), so they happen exactly once when the device is truly released, and by dropping the extra put_device() calls in hdm_disconnect() that are redundant after device_unregister() and most_deregister_interface(). This addresses the KASAN slab-use-after-free reported by syzbot in hdm_disconnect(). See report and stack traces in the bug link below.

PUBLISHED Reserved 2025-04-16 | Published 2025-12-04 | Updated 2025-12-04 | Assigner Linux

Product status

Default status
unaffected

97a6f772f36b7f52bcfa56a581bbd2470cffe23d (git) before 5b5c478f09b1b35e7fe6fc9a1786c9bf6030e831
affected

97a6f772f36b7f52bcfa56a581bbd2470cffe23d (git) before 578eb18cd111addec94c43f61cd4b4429e454809
affected

97a6f772f36b7f52bcfa56a581bbd2470cffe23d (git) before 33daf469f5294b9d07c4fc98216cace9f4f34cc6
affected

97a6f772f36b7f52bcfa56a581bbd2470cffe23d (git) before 72427dc6f87523995f4e6ae35a948bb2992cabce
affected

97a6f772f36b7f52bcfa56a581bbd2470cffe23d (git) before f93a84ffb884d761a9d4e869ba29c238711e81f1
affected

97a6f772f36b7f52bcfa56a581bbd2470cffe23d (git) before 3a3b8e89c7201c5b3b76ac4a4069d1adde1477d6
affected

97a6f772f36b7f52bcfa56a581bbd2470cffe23d (git) before 4b1270902609ef0d935ed2faa2ea6d122bd148f5
affected

Default status
affected

5.9
affected

Any version before 5.9
unaffected

5.10.246 (semver)
unaffected

5.15.196 (semver)
unaffected

6.1.158 (semver)
unaffected

6.6.115 (semver)
unaffected

6.12.56 (semver)
unaffected

6.17.6 (semver)
unaffected

6.18 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/5b5c478f09b1b35e7fe6fc9a1786c9bf6030e831

git.kernel.org/...c/578eb18cd111addec94c43f61cd4b4429e454809

git.kernel.org/...c/33daf469f5294b9d07c4fc98216cace9f4f34cc6

git.kernel.org/...c/72427dc6f87523995f4e6ae35a948bb2992cabce

git.kernel.org/...c/f93a84ffb884d761a9d4e869ba29c238711e81f1

git.kernel.org/...c/3a3b8e89c7201c5b3b76ac4a4069d1adde1477d6

git.kernel.org/...c/4b1270902609ef0d935ed2faa2ea6d122bd148f5

cve.org (CVE-2025-40223)

nvd.nist.gov (CVE-2025-40223)