CVE-2025-38268
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-38268
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38268.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-38268
- Downstream
- Related
- Published
- 2025-07-10T07:41:51Z
- Modified
- 2025-10-22T13:21:26.245485Z
- Summary
- usb: typec: tcpm: move tcpm_queue_vdm_unlocked to asynchronous work
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
usb: typec: tcpm: move tcpmqueuevdm_unlocked to asynchronous work
A state check was previously added to tcpmqueuevdmunlocked to prevent a deadlock where the DisplayPort Alt Mode driver would be executing work and attempting to grab the tcpmlock while the TCPM was holding the lock and attempting to unregister the altmode, blocking on the altmode driver's cancelworksync call.
Because the state check isn't protected, there is a small window where the Alt Mode driver could determine that the TCPM is in a ready state and attempt to grab the lock while the TCPM grabs the lock and changes the TCPM state to one that causes the deadlock. The callstack is provided below:
[110121.667392][ C7] Call trace: [110121.667396][ C7] _switchto+0x174/0x338 [110121.667406][ C7] _schedule+0x608/0x9f0 [110121.667414][ C7] schedule+0x7c/0xe8 [110121.667423][ C7] kernfsdrain+0xb0/0x114 [110121.667431][ C7] _kernfsremove+0x16c/0x20c [110121.667436][ C7] kernfsremovebynamens+0x74/0xe8 [110121.667442][ C7] sysfsremovegroup+0x84/0xe8 [110121.667450][ C7] sysfsremovegroups+0x34/0x58 [110121.667458][ C7] deviceremovegroups+0x10/0x20 [110121.667464][ C7] devicereleasedriverinternal+0x164/0x2e4 [110121.667475][ C7] devicereleasedriver+0x18/0x28 [110121.667484][ C7] busremovedevice+0xec/0x118 [110121.667491][ C7] devicedel+0x1e8/0x4ac [110121.667498][ C7] deviceunregister+0x18/0x38 [110121.667504][ C7] typecunregisteraltmode+0x30/0x44 [110121.667515][ C7] tcpmresetport+0xac/0x370 [110121.667523][ C7] tcpmsnkdetach+0x84/0xb8 [110121.667529][ C7] runstatemachine+0x4c0/0x1b68 [110121.667536][ C7] tcpmstatemachinework+0x94/0xe4 [110121.667544][ C7] kthreadworkerfn+0x10c/0x244 [110121.667552][ C7] kthread+0x104/0x1d4 [110121.667557][ C7] retfromfork+0x10/0x20
[110121.667689][ C7] Workqueue: events dpaltmodework [110121.667697][ C7] Call trace: [110121.667701][ C7] _switchto+0x174/0x338 [110121.667710][ C7] _schedule+0x608/0x9f0 [110121.667717][ C7] schedule+0x7c/0xe8 [110121.667725][ C7] schedulepreemptdisabled+0x24/0x40 [110121.667733][ C7] _mutexlock+0x408/0xdac [110121.667741][ C7] _mutexlockslowpath+0x14/0x24 [110121.667748][ C7] mutexlock+0x40/0xec [110121.667757][ C7] tcpmaltmodeenter+0x78/0xb4 [110121.667764][ C7] typecaltmodeenter+0xdc/0x10c [110121.667769][ C7] dpaltmodework+0x68/0x164 [110121.667775][ C7] processonework+0x1e4/0x43c [110121.667783][ C7] workerthread+0x25c/0x430 [110121.667789][ C7] kthread+0x104/0x1d4 [110121.667794][ C7] retfromfork+0x10/0x20
Change tcpmqueuevdmunlocked to queue for tcpmqueuevdmwork, which can perform the state check while holding the TCPM lock while the Alt Mode lock is no longer held. This requires a new struct to hold the vdm data, altmodevdmevent.
- References
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedcdc9946ea6377e8e214b135ccc308c5e514ba25fFixed7bdd712abefbec79176ab412d8c623e755c5d0ba
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedcdc9946ea6377e8e214b135ccc308c5e514ba25fFixed1970d34b48cbeceb0c765984c9a6bb204c77f16a
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introducedcdc9946ea6377e8e214b135ccc308c5e514ba25fFixed324d45e53f1a36c88bc649dc39e0c8300a41be0a
Affected versions
v6.*
v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.2
v6.12.20
v6.12.21
v6.12.22
v6.12.23
v6.12.24
v6.12.25
v6.12.26
v6.12.27
v6.12.28
v6.12.29
v6.12.3
v6.12.30
v6.12.31
v6.12.32
v6.12.33
v6.12.4
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.15
v6.15-rc1
v6.15-rc2
v6.15-rc3
v6.15-rc4
v6.15-rc5
v6.15-rc6
v6.15-rc7
v6.15.1
v6.15.2
v6.9
v6.9-rc6
v6.9-rc7
Database specific
vanir_signatures
[
{
"id": "CVE-2025-38268-112390df",
"deprecated": false,
"digest": {
"line_hashes": [
"188714974399472649811643878239418208300",
"339100150949879133279189037474905092032",
"208357371886638143949914132070837251529",
"59856373665842340914125993990476923124",
"152506496020623967541644024174437727703",
"332647661678506769251941288365847835980",
"198735665838011341426735186396377926829",
"155918162942787667292195418432176072456",
"157209072900391278560902895812720934622",
"84621057074487987538040960165172435840",
"94081284965112904485733435417326025147",
"108795789762663448443467999271746228485",
"12488957672553073425187009815635510838",
"159797731996757440296900564534105670792",
"120222832383548645146904551757711820628",
"327034844309720912874929832847614291183",
"98807440126849957025798854537276049008",
"106132921460057212032994653520116806475",
"194641970952728088500617118686484369055",
"145150298152895871305525791317513413906",
"186625083624686272348229459789562228107",
"91958162602348874955518408288360273610",
"61462879598972197567367560896283548818",
"262154208216523489652901932577044293368",
"210745471063487111252716775529271135072",
"3645404133930275257194440240863196124",
"316775995987508006758909091327679079733",
"262763346080023036891653720000864528579",
"205643479059138624957301318261594240284",
"238299788033877547893018100292050384936",
"89265048342676354127010357499529868394",
"298311285395621032458390534271038685571",
"81648211770074669265364064108137850242",
"142620387568853367014241400702510950181",
"220887281305769907390953864883302203466",
"215483706757983784909452937384288736654",
"229460581345708622974005456495027886757",
"307909067293468237979768430400028237650",
"163800297833627596462029872617071404699",
"168778151669815339076770087719697938160",
"91164059374008543715693436392486122003",
"298027641964114220768431963682903550069",
"274521780201577821351303044648599764743",
"15628819340171256357469265253329357240",
"155622838909121060744222435111693620318",
"40584477670304766020842351246082808164"
],
"threshold": 0.9
},
"signature_version": "v1",
"target": {
"file": "drivers/usb/typec/tcpm/tcpm.c"
},
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@324d45e53f1a36c88bc649dc39e0c8300a41be0a"
},
{
"id": "CVE-2025-38268-184956dc",
"deprecated": false,
"digest": {
"length": 369.0,
"function_hash": "3458496040845954952027043384577853590"
},
"signature_version": "v1",
"target": {
"function": "tcpm_altmode_enter",
"file": "drivers/usb/typec/tcpm/tcpm.c"
},
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@324d45e53f1a36c88bc649dc39e0c8300a41be0a"
},
{
"id": "CVE-2025-38268-192a0ef7",
"deprecated": false,
"digest": {
"length": 347.0,
"function_hash": "42951959000915067615889295492825777524"
},
"signature_version": "v1",
"target": {
"function": "tcpm_cable_altmode_exit",
"file": "drivers/usb/typec/tcpm/tcpm.c"
},
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7bdd712abefbec79176ab412d8c623e755c5d0ba"
},
{
"id": "CVE-2025-38268-19cb81f5",
"deprecated": false,
"digest": {
"length": 389.0,
"function_hash": "45049186387711262498202603876754471163"
},
"signature_version": "v1",
"target": {
"function": "tcpm_cable_altmode_enter",
"file": "drivers/usb/typec/tcpm/tcpm.c"
},
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@324d45e53f1a36c88bc649dc39e0c8300a41be0a"
},
{
"id": "CVE-2025-38268-331aede0",
"deprecated": false,
"digest": {
"length": 327.0,
"function_hash": "248368808974962781852901328475084289247"
},
"signature_version": "v1",
"target": {
"function": "tcpm_altmode_exit",
"file": "drivers/usb/typec/tcpm/tcpm.c"
},
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@324d45e53f1a36c88bc649dc39e0c8300a41be0a"
},
{
"id": "CVE-2025-38268-478f0f16",
"deprecated": false,
"digest": {
"length": 369.0,
"function_hash": "3458496040845954952027043384577853590"
},
"signature_version": "v1",
"target": {
"function": "tcpm_altmode_enter",
"file": "drivers/usb/typec/tcpm/tcpm.c"
},
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1970d34b48cbeceb0c765984c9a6bb204c77f16a"
},
{
"id": "CVE-2025-38268-4817aa02",
"deprecated": false,
"digest": {
"length": 369.0,
"function_hash": "3458496040845954952027043384577853590"
},
"signature_version": "v1",
"target": {
"function": "tcpm_altmode_enter",
"file": "drivers/usb/typec/tcpm/tcpm.c"
},
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7bdd712abefbec79176ab412d8c623e755c5d0ba"
},
{
"id": "CVE-2025-38268-641f1367",
"deprecated": false,
"digest": {
"length": 389.0,
"function_hash": "45049186387711262498202603876754471163"
},
"signature_version": "v1",
"target": {
"function": "tcpm_cable_altmode_enter",
"file": "drivers/usb/typec/tcpm/tcpm.c"
},
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7bdd712abefbec79176ab412d8c623e755c5d0ba"
},
{
"id": "CVE-2025-38268-66451abb",
"deprecated": false,
"digest": {
"length": 347.0,
"function_hash": "42951959000915067615889295492825777524"
},
"signature_version": "v1",
"target": {
"function": "tcpm_cable_altmode_exit",
"file": "drivers/usb/typec/tcpm/tcpm.c"
},
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1970d34b48cbeceb0c765984c9a6bb204c77f16a"
},
{
"id": "CVE-2025-38268-694db688",
"deprecated": false,
"digest": {
"length": 349.0,
"function_hash": "271347715165109890809665064211332280237"
},
"signature_version": "v1",
"target": {
"function": "tcpm_queue_vdm_unlocked",
"file": "drivers/usb/typec/tcpm/tcpm.c"
},
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1970d34b48cbeceb0c765984c9a6bb204c77f16a"
},
{
"id": "CVE-2025-38268-6f4f9aef",
"deprecated": false,
"digest": {
"length": 220.0,
"function_hash": "233860842650471722478607153255091653952"
},
"signature_version": "v1",
"target": {
"function": "tcpm_cable_altmode_vdm",
"file": "drivers/usb/typec/tcpm/tcpm.c"
},
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7bdd712abefbec79176ab412d8c623e755c5d0ba"
},
{
"id": "CVE-2025-38268-7ff01d3b",
"deprecated": false,
"digest": {
"length": 220.0,
"function_hash": "233860842650471722478607153255091653952"
},
"signature_version": "v1",
"target": {
"function": "tcpm_cable_altmode_vdm",
"file": "drivers/usb/typec/tcpm/tcpm.c"
},
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@324d45e53f1a36c88bc649dc39e0c8300a41be0a"
},
{
"id": "CVE-2025-38268-8298e22b",
"deprecated": false,
"digest": {
"line_hashes": [
"188714974399472649811643878239418208300",
"339100150949879133279189037474905092032",
"208357371886638143949914132070837251529",
"59856373665842340914125993990476923124",
"152506496020623967541644024174437727703",
"332647661678506769251941288365847835980",
"198735665838011341426735186396377926829",
"155918162942787667292195418432176072456",
"157209072900391278560902895812720934622",
"84621057074487987538040960165172435840",
"94081284965112904485733435417326025147",
"108795789762663448443467999271746228485",
"12488957672553073425187009815635510838",
"159797731996757440296900564534105670792",
"120222832383548645146904551757711820628",
"327034844309720912874929832847614291183",
"98807440126849957025798854537276049008",
"106132921460057212032994653520116806475",
"194641970952728088500617118686484369055",
"145150298152895871305525791317513413906",
"186625083624686272348229459789562228107",
"91958162602348874955518408288360273610",
"61462879598972197567367560896283548818",
"262154208216523489652901932577044293368",
"210745471063487111252716775529271135072",
"3645404133930275257194440240863196124",
"316775995987508006758909091327679079733",
"262763346080023036891653720000864528579",
"205643479059138624957301318261594240284",
"238299788033877547893018100292050384936",
"89265048342676354127010357499529868394",
"298311285395621032458390534271038685571",
"81648211770074669265364064108137850242",
"142620387568853367014241400702510950181",
"220887281305769907390953864883302203466",
"215483706757983784909452937384288736654",
"229460581345708622974005456495027886757",
"307909067293468237979768430400028237650",
"163800297833627596462029872617071404699",
"168778151669815339076770087719697938160",
"91164059374008543715693436392486122003",
"298027641964114220768431963682903550069",
"274521780201577821351303044648599764743",
"15628819340171256357469265253329357240",
"155622838909121060744222435111693620318",
"40584477670304766020842351246082808164"
],
"threshold": 0.9
},
"signature_version": "v1",
"target": {
"file": "drivers/usb/typec/tcpm/tcpm.c"
},
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1970d34b48cbeceb0c765984c9a6bb204c77f16a"
},
{
"id": "CVE-2025-38268-a062e4ca",
"deprecated": false,
"digest": {
"length": 349.0,
"function_hash": "271347715165109890809665064211332280237"
},
"signature_version": "v1",
"target": {
"function": "tcpm_queue_vdm_unlocked",
"file": "drivers/usb/typec/tcpm/tcpm.c"
},
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7bdd712abefbec79176ab412d8c623e755c5d0ba"
},
{
"id": "CVE-2025-38268-b75609e7",
"deprecated": false,
"digest": {
"length": 347.0,
"function_hash": "42951959000915067615889295492825777524"
},
"signature_version": "v1",
"target": {
"function": "tcpm_cable_altmode_exit",
"file": "drivers/usb/typec/tcpm/tcpm.c"
},
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@324d45e53f1a36c88bc649dc39e0c8300a41be0a"
},
{
"id": "CVE-2025-38268-c4189418",
"deprecated": false,
"digest": {
"length": 200.0,
"function_hash": "124997145244104140091618318934526891299"
},
"signature_version": "v1",
"target": {
"function": "tcpm_altmode_vdm",
"file": "drivers/usb/typec/tcpm/tcpm.c"
},
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@324d45e53f1a36c88bc649dc39e0c8300a41be0a"
},
{
"id": "CVE-2025-38268-cc01ee5d",
"deprecated": false,
"digest": {
"length": 200.0,
"function_hash": "124997145244104140091618318934526891299"
},
"signature_version": "v1",
"target": {
"function": "tcpm_altmode_vdm",
"file": "drivers/usb/typec/tcpm/tcpm.c"
},
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7bdd712abefbec79176ab412d8c623e755c5d0ba"
},
{
"id": "CVE-2025-38268-d375d625",
"deprecated": false,
"digest": {
"length": 389.0,
"function_hash": "45049186387711262498202603876754471163"
},
"signature_version": "v1",
"target": {
"function": "tcpm_cable_altmode_enter",
"file": "drivers/usb/typec/tcpm/tcpm.c"
},
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1970d34b48cbeceb0c765984c9a6bb204c77f16a"
},
{
"id": "CVE-2025-38268-d7dc8ef7",
"deprecated": false,
"digest": {
"length": 349.0,
"function_hash": "271347715165109890809665064211332280237"
},
"signature_version": "v1",
"target": {
"function": "tcpm_queue_vdm_unlocked",
"file": "drivers/usb/typec/tcpm/tcpm.c"
},
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@324d45e53f1a36c88bc649dc39e0c8300a41be0a"
},
{
"id": "CVE-2025-38268-d948f3f4",
"deprecated": false,
"digest": {
"length": 220.0,
"function_hash": "233860842650471722478607153255091653952"
},
"signature_version": "v1",
"target": {
"function": "tcpm_cable_altmode_vdm",
"file": "drivers/usb/typec/tcpm/tcpm.c"
},
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1970d34b48cbeceb0c765984c9a6bb204c77f16a"
},
{
"id": "CVE-2025-38268-df242bbe",
"deprecated": false,
"digest": {
"length": 200.0,
"function_hash": "124997145244104140091618318934526891299"
},
"signature_version": "v1",
"target": {
"function": "tcpm_altmode_vdm",
"file": "drivers/usb/typec/tcpm/tcpm.c"
},
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1970d34b48cbeceb0c765984c9a6bb204c77f16a"
},
{
"id": "CVE-2025-38268-f161216c",
"deprecated": false,
"digest": {
"length": 327.0,
"function_hash": "248368808974962781852901328475084289247"
},
"signature_version": "v1",
"target": {
"function": "tcpm_altmode_exit",
"file": "drivers/usb/typec/tcpm/tcpm.c"
},
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7bdd712abefbec79176ab412d8c623e755c5d0ba"
},
{
"id": "CVE-2025-38268-f48f82dd",
"deprecated": false,
"digest": {
"line_hashes": [
"188714974399472649811643878239418208300",
"339100150949879133279189037474905092032",
"208357371886638143949914132070837251529",
"59856373665842340914125993990476923124",
"152506496020623967541644024174437727703",
"332647661678506769251941288365847835980",
"198735665838011341426735186396377926829",
"155918162942787667292195418432176072456",
"157209072900391278560902895812720934622",
"84621057074487987538040960165172435840",
"94081284965112904485733435417326025147",
"108795789762663448443467999271746228485",
"12488957672553073425187009815635510838",
"159797731996757440296900564534105670792",
"120222832383548645146904551757711820628",
"327034844309720912874929832847614291183",
"98807440126849957025798854537276049008",
"106132921460057212032994653520116806475",
"194641970952728088500617118686484369055",
"145150298152895871305525791317513413906",
"186625083624686272348229459789562228107",
"91958162602348874955518408288360273610",
"61462879598972197567367560896283548818",
"262154208216523489652901932577044293368",
"210745471063487111252716775529271135072",
"3645404133930275257194440240863196124",
"316775995987508006758909091327679079733",
"262763346080023036891653720000864528579",
"205643479059138624957301318261594240284",
"238299788033877547893018100292050384936",
"89265048342676354127010357499529868394",
"298311285395621032458390534271038685571",
"81648211770074669265364064108137850242",
"142620387568853367014241400702510950181",
"220887281305769907390953864883302203466",
"215483706757983784909452937384288736654",
"229460581345708622974005456495027886757",
"307909067293468237979768430400028237650",
"163800297833627596462029872617071404699",
"168778151669815339076770087719697938160",
"91164059374008543715693436392486122003",
"298027641964114220768431963682903550069",
"274521780201577821351303044648599764743",
"15628819340171256357469265253329357240",
"155622838909121060744222435111693620318",
"40584477670304766020842351246082808164"
],
"threshold": 0.9
},
"signature_version": "v1",
"target": {
"file": "drivers/usb/typec/tcpm/tcpm.c"
},
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7bdd712abefbec79176ab412d8c623e755c5d0ba"
},
{
"id": "CVE-2025-38268-f80864fb",
"deprecated": false,
"digest": {
"length": 327.0,
"function_hash": "248368808974962781852901328475084289247"
},
"signature_version": "v1",
"target": {
"function": "tcpm_altmode_exit",
"file": "drivers/usb/typec/tcpm/tcpm.c"
},
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@1970d34b48cbeceb0c765984c9a6bb204c77f16a"
}
]