CVE-2025-38174

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-38174
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38174.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-38174
Downstream
Related
Published
2025-07-04T11:15:51Z
Modified
2025-08-12T21:01:17Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

thunderbolt: Do not double dequeue a configuration request

Some of our devices crash in tbcfgrequest_dequeue():

general protection fault, probably for non-canonical address 0xdead000000000122

CPU: 6 PID: 91007 Comm: kworker/6:2 Tainted: G U W 6.6.65 RIP: 0010:tbcfgrequestdequeue+0x2d/0xa0 Call Trace: <TASK> ? tbcfgrequestdequeue+0x2d/0xa0 tbcfgrequestwork+0x33/0x80 workerthread+0x386/0x8f0 kthread+0xed/0x110 retfromfork+0x38/0x50 retfromfork_asm+0x1b/0x30

The circumstances are unclear, however, the theory is that tbcfgrequestwork() can be scheduled twice for a request: first time via frame.callback from ringwork() and second time from tbcfgrequest(). Both times kworkers will execute tbcfgrequestdequeue(), which results in double listdel() from the ctl->request_queue (the list poison deference hints at it: 0xdead000000000122).

Do not dequeue requests that don't have TBCFGREQUEST_ACTIVE bit set.

References

Affected packages