CVE-2025-38268

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-38268
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38268.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-38268
Published
2025-07-10T07:41:51Z
Modified
2025-10-16T02:33:31.509168Z
Summary
usb: typec: tcpm: move tcpm_queue_vdm_unlocked to asynchronous work
Details

In the Linux kernel, the following vulnerability has been resolved:

usb: typec: tcpm: move tcpm_queue_vdm_unlocked to asynchronous work

A state check was previously added to tcpm_queue_vdm_unlocked to prevent a deadlock where the DisplayPort Alt Mode driver would be executing work and attempting to grab the tcpm_lock while the TCPM was holding the lock and attempting to unregister the altmode, blocking on the altmode driver's cancel_work_sync call.

Because the state check isn't protected, there is a small window where the Alt Mode driver could determine that the TCPM is in a ready state and attempt to grab the lock while the TCPM grabs the lock and changes the TCPM state to one that causes the deadlock. The callstack is provided below:

[110121.667392][ C7] Call trace:
[110121.667396][ C7] __switch_to+0x174/0x338
[110121.667406][ C7] __schedule+0x608/0x9f0
[110121.667414][ C7] schedule+0x7c/0xe8
[110121.667423][ C7] kernfs_drain+0xb0/0x114
[110121.667431][ C7] __kernfs_remove+0x16c/0x20c
[110121.667436][ C7] kernfs_remove_by_name_ns+0x74/0xe8
[110121.667442][ C7] sysfs_remove_group+0x84/0xe8
[110121.667450][ C7] sysfs_remove_groups+0x34/0x58
[110121.667458][ C7] device_remove_groups+0x10/0x20
[110121.667464][ C7] device_release_driver_internal+0x164/0x2e4
[110121.667475][ C7] device_release_driver+0x18/0x28
[110121.667484][ C7] bus_remove_device+0xec/0x118
[110121.667491][ C7] device_del+0x1e8/0x4ac
[110121.667498][ C7] device_unregister+0x18/0x38
[110121.667504][ C7] typec_unregister_altmode+0x30/0x44
[110121.667515][ C7] tcpm_reset_port+0xac/0x370
[110121.667523][ C7] tcpm_snk_detach+0x84/0xb8
[110121.667529][ C7] run_state_machine+0x4c0/0x1b68
[110121.667536][ C7] tcpm_state_machine_work+0x94/0xe4
[110121.667544][ C7] kthread_worker_fn+0x10c/0x244
[110121.667552][ C7] kthread+0x104/0x1d4
[110121.667557][ C7] ret_from_fork+0x10/0x20

[110121.667689][ C7] Workqueue: events dp_altmode_work
[110121.667697][ C7] Call trace:
[110121.667701][ C7] __switch_to+0x174/0x338
[110121.667710][ C7] __schedule+0x608/0x9f0
[110121.667717][ C7] schedule+0x7c/0xe8
[110121.667725][ C7] schedule_preempt_disabled+0x24/0x40
[110121.667733][ C7] __mutex_lock+0x408/0xdac
[110121.667741][ C7] __mutex_lock_slowpath+0x14/0x24
[110121.667748][ C7] mutex_lock+0x40/0xec
[110121.667757][ C7] tcpm_altmode_enter+0x78/0xb4
[110121.667764][ C7] typec_altmode_enter+0xdc/0x10c
[110121.667769][ C7] dp_altmode_work+0x68/0x164
[110121.667775][ C7] process_one_work+0x1e4/0x43c
[110121.667783][ C7] worker_thread+0x25c/0x430
[110121.667789][ C7] kthread+0x104/0x1d4
[110121.667794][ C7] ret_from_fork+0x10/0x20

Change tcpm_queue_vdm_unlocked to queue for tcpm_queue_vdm_work, which can perform the state check while holding the TCPM lock while the Alt Mode lock is no longer held. This requires a new struct to hold the vdm data, altmode_vdm_event.

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
cdc9946ea6377e8e214b135ccc308c5e514ba25f
Fixed
7bdd712abefbec79176ab412d8c623e755c5d0ba
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
cdc9946ea6377e8e214b135ccc308c5e514ba25f
Fixed
1970d34b48cbeceb0c765984c9a6bb204c77f16a
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
cdc9946ea6377e8e214b135ccc308c5e514ba25f
Fixed
324d45e53f1a36c88bc649dc39e0c8300a41be0a

Affected versions

v6.*

v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.10
v6.12.11
v6.12.12
v6.12.13
v6.12.14
v6.12.15
v6.12.16
v6.12.17
v6.12.18
v6.12.19
v6.12.2
v6.12.20
v6.12.21
v6.12.22
v6.12.23
v6.12.24
v6.12.25
v6.12.26
v6.12.27
v6.12.28
v6.12.29
v6.12.3
v6.12.30
v6.12.31
v6.12.32
v6.12.33
v6.12.4
v6.12.5
v6.12.6
v6.12.7
v6.12.8
v6.12.9
v6.13
v6.13-rc1
v6.13-rc2
v6.13-rc3
v6.13-rc4
v6.13-rc5
v6.13-rc6
v6.13-rc7
v6.14
v6.14-rc1
v6.14-rc2
v6.14-rc3
v6.14-rc4
v6.14-rc5
v6.14-rc6
v6.14-rc7
v6.15
v6.15-rc1
v6.15-rc2
v6.15-rc3
v6.15-rc4
v6.15-rc5
v6.15-rc6
v6.15-rc7
v6.15.1
v6.15.2
v6.9
v6.9-rc6
v6.9-rc7

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.9.0
Fixed
6.12.34
Type
ECOSYSTEM
Events
Introduced
6.13.0
Fixed
6.15.3