CVE-2025-38268

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: typec: tcpm: move tcpm_queue_vdm_unlocked to asynchronous work<br /> <br /> A state check was previously added to tcpm_queue_vdm_unlocked to<br /> prevent a deadlock where the DisplayPort Alt Mode driver would be<br /> executing work and attempting to grab the tcpm_lock while the TCPM<br /> was holding the lock and attempting to unregister the altmode, blocking<br /> on the altmode driver&amp;#39;s cancel_work_sync call.<br /> <br /> Because the state check isn&amp;#39;t protected, there is a small window<br /> where the Alt Mode driver could determine that the TCPM is<br /> in a ready state and attempt to grab the lock while the<br /> TCPM grabs the lock and changes the TCPM state to one that<br /> causes the deadlock. The callstack is provided below:<br /> <br /> [110121.667392][ C7] Call trace:<br /> [110121.667396][ C7] __switch_to+0x174/0x338<br /> [110121.667406][ C7] __schedule+0x608/0x9f0<br /> [110121.667414][ C7] schedule+0x7c/0xe8<br /> [110121.667423][ C7] kernfs_drain+0xb0/0x114<br /> [110121.667431][ C7] __kernfs_remove+0x16c/0x20c<br /> [110121.667436][ C7] kernfs_remove_by_name_ns+0x74/0xe8<br /> [110121.667442][ C7] sysfs_remove_group+0x84/0xe8<br /> [110121.667450][ C7] sysfs_remove_groups+0x34/0x58<br /> [110121.667458][ C7] device_remove_groups+0x10/0x20<br /> [110121.667464][ C7] device_release_driver_internal+0x164/0x2e4<br /> [110121.667475][ C7] device_release_driver+0x18/0x28<br /> [110121.667484][ C7] bus_remove_device+0xec/0x118<br /> [110121.667491][ C7] device_del+0x1e8/0x4ac<br /> [110121.667498][ C7] device_unregister+0x18/0x38<br /> [110121.667504][ C7] typec_unregister_altmode+0x30/0x44<br /> [110121.667515][ C7] tcpm_reset_port+0xac/0x370<br /> [110121.667523][ C7] tcpm_snk_detach+0x84/0xb8<br /> [110121.667529][ C7] run_state_machine+0x4c0/0x1b68<br /> [110121.667536][ C7] tcpm_state_machine_work+0x94/0xe4<br /> [110121.667544][ C7] kthread_worker_fn+0x10c/0x244<br /> [110121.667552][ C7] kthread+0x104/0x1d4<br /> [110121.667557][ C7] ret_from_fork+0x10/0x20<br /> <br /> [110121.667689][ C7] Workqueue: events dp_altmode_work<br /> [110121.667697][ C7] Call trace:<br /> [110121.667701][ C7] __switch_to+0x174/0x338<br /> [110121.667710][ C7] __schedule+0x608/0x9f0<br /> [110121.667717][ C7] schedule+0x7c/0xe8<br /> [110121.667725][ C7] schedule_preempt_disabled+0x24/0x40<br /> [110121.667733][ C7] __mutex_lock+0x408/0xdac<br /> [110121.667741][ C7] __mutex_lock_slowpath+0x14/0x24<br /> [110121.667748][ C7] mutex_lock+0x40/0xec<br /> [110121.667757][ C7] tcpm_altmode_enter+0x78/0xb4<br /> [110121.667764][ C7] typec_altmode_enter+0xdc/0x10c<br /> [110121.667769][ C7] dp_altmode_work+0x68/0x164<br /> [110121.667775][ C7] process_one_work+0x1e4/0x43c<br /> [110121.667783][ C7] worker_thread+0x25c/0x430<br /> [110121.667789][ C7] kthread+0x104/0x1d4<br /> [110121.667794][ C7] ret_from_fork+0x10/0x20<br /> <br /> Change tcpm_queue_vdm_unlocked to queue for tcpm_queue_vdm_work,<br /> which can perform the state check while holding the TCPM lock<br /> while the Alt Mode lock is no longer held. This requires a new<br /> struct to hold the vdm data, altmode_vdm_event.