CVE-2025-38268

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-38268
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38268.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-38268
Published
2025-07-10T08:15:24Z
Modified
2025-07-10T16:00:20Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

usb: typec: tcpm: move tcpm_queue_vdm_unlocked to asynchronous work

A state check was previously added to tcpm_queue_vdm_unlocked to prevent a deadlock where the DisplayPort Alt Mode driver would be executing work and attempting to grab the tcpm_lock while the TCPM was holding the lock and attempting to unregister the altmode, blocking on the altmode driver's cancel_work_sync call.

Because the state check isn't protected, there is a small window where the Alt Mode driver could determine that the TCPM is in a ready state and attempt to grab the lock while the TCPM grabs the lock and changes the TCPM state to one that causes the deadlock. The callstack is provided below:

[110121.667392][ C7] Call trace:
[110121.667396][ C7] __switch_to+0x174/0x338
[110121.667406][ C7] __schedule+0x608/0x9f0
[110121.667414][ C7] schedule+0x7c/0xe8
[110121.667423][ C7] kernfs_drain+0xb0/0x114
[110121.667431][ C7] __kernfs_remove+0x16c/0x20c
[110121.667436][ C7] kernfs_remove_by_name_ns+0x74/0xe8
[110121.667442][ C7] sysfs_remove_group+0x84/0xe8
[110121.667450][ C7] sysfs_remove_groups+0x34/0x58
[110121.667458][ C7] device_remove_groups+0x10/0x20
[110121.667464][ C7] device_release_driver_internal+0x164/0x2e4
[110121.667475][ C7] device_release_driver+0x18/0x28
[110121.667484][ C7] bus_remove_device+0xec/0x118
[110121.667491][ C7] device_del+0x1e8/0x4ac
[110121.667498][ C7] device_unregister+0x18/0x38
[110121.667504][ C7] typec_unregister_altmode+0x30/0x44
[110121.667515][ C7] tcpm_reset_port+0xac/0x370
[110121.667523][ C7] tcpm_snk_detach+0x84/0xb8
[110121.667529][ C7] run_state_machine+0x4c0/0x1b68
[110121.667536][ C7] tcpm_state_machine_work+0x94/0xe4
[110121.667544][ C7] kthread_worker_fn+0x10c/0x244
[110121.667552][ C7] kthread+0x104/0x1d4
[110121.667557][ C7] ret_from_fork+0x10/0x20

[110121.667689][ C7] Workqueue: events dp_altmode_work
[110121.667697][ C7] Call trace:
[110121.667701][ C7] __switch_to+0x174/0x338
[110121.667710][ C7] __schedule+0x608/0x9f0
[110121.667717][ C7] schedule+0x7c/0xe8
[110121.667725][ C7] schedule_preempt_disabled+0x24/0x40
[110121.667733][ C7] __mutex_lock+0x408/0xdac
[110121.667741][ C7] __mutex_lock_slowpath+0x14/0x24
[110121.667748][ C7] mutex_lock+0x40/0xec
[110121.667757][ C7] tcpm_altmode_enter+0x78/0xb4
[110121.667764][ C7] typec_altmode_enter+0xdc/0x10c
[110121.667769][ C7] dp_altmode_work+0x68/0x164
[110121.667775][ C7] process_one_work+0x1e4/0x43c
[110121.667783][ C7] worker_thread+0x25c/0x430
[110121.667789][ C7] kthread+0x104/0x1d4
[110121.667794][ C7] ret_from_fork+0x10/0x20

Change tcpm_queue_vdm_unlocked to queue for tcpm_queue_vdm_work, which can perform the state check while holding the TCPM lock while the Alt Mode lock is no longer held. This requires a new struct to hold the vdm data, altmode_vdm_event.

Affected packages

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.12.35-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}