CVE-2025-38268
Publication date: 10/07/2025
In the Linux kernel, the following vulnerability has been resolved:

usb: typec: tcpm: move tcpm_queue_vdm_unlocked to asynchronous work

A state check was previously added to tcpm_queue_vdm_unlocked to
prevent a deadlock where the DisplayPort Alt Mode driver would be
executing work and attempting to grab the tcpm_lock while the TCPM
was holding the lock and attempting to unregister the altmode, blocking
on the altmode driver's cancel_work_sync call.

Because the state check isn't protected, there is a small window
where the Alt Mode driver could determine that the TCPM is
in a ready state and attempt to grab the lock while the
TCPM grabs the lock and changes the TCPM state to one that
causes the deadlock. The callstack is provided below:

[110121.667392][ C7] Call trace:
[110121.667396][ C7] __switch_to+0x174/0x338
[110121.667406][ C7] __schedule+0x608/0x9f0
[110121.667414][ C7] schedule+0x7c/0xe8
[110121.667423][ C7] kernfs_drain+0xb0/0x114
[110121.667431][ C7] __kernfs_remove+0x16c/0x20c
[110121.667436][ C7] kernfs_remove_by_name_ns+0x74/0xe8
[110121.667442][ C7] sysfs_remove_group+0x84/0xe8
[110121.667450][ C7] sysfs_remove_groups+0x34/0x58
[110121.667458][ C7] device_remove_groups+0x10/0x20
[110121.667464][ C7] device_release_driver_internal+0x164/0x2e4
[110121.667475][ C7] device_release_driver+0x18/0x28
[110121.667484][ C7] bus_remove_device+0xec/0x118
[110121.667491][ C7] device_del+0x1e8/0x4ac
[110121.667498][ C7] device_unregister+0x18/0x38
[110121.667504][ C7] typec_unregister_altmode+0x30/0x44
[110121.667515][ C7] tcpm_reset_port+0xac/0x370
[110121.667523][ C7] tcpm_snk_detach+0x84/0xb8
[110121.667529][ C7] run_state_machine+0x4c0/0x1b68
[110121.667536][ C7] tcpm_state_machine_work+0x94/0xe4
[110121.667544][ C7] kthread_worker_fn+0x10c/0x244
[110121.667552][ C7] kthread+0x104/0x1d4
[110121.667557][ C7] ret_from_fork+0x10/0x20

[110121.667689][ C7] Workqueue: events dp_altmode_work
[110121.667697][ C7] Call trace:
[110121.667701][ C7] __switch_to+0x174/0x338
[110121.667710][ C7] __schedule+0x608/0x9f0
[110121.667717][ C7] schedule+0x7c/0xe8
[110121.667725][ C7] schedule_preempt_disabled+0x24/0x40
[110121.667733][ C7] __mutex_lock+0x408/0xdac
[110121.667741][ C7] __mutex_lock_slowpath+0x14/0x24
[110121.667748][ C7] mutex_lock+0x40/0xec
[110121.667757][ C7] tcpm_altmode_enter+0x78/0xb4
[110121.667764][ C7] typec_altmode_enter+0xdc/0x10c
[110121.667769][ C7] dp_altmode_work+0x68/0x164
[110121.667775][ C7] process_one_work+0x1e4/0x43c
[110121.667783][ C7] worker_thread+0x25c/0x430
[110121.667789][ C7] kthread+0x104/0x1d4
[110121.667794][ C7] ret_from_fork+0x10/0x20

Change tcpm_queue_vdm_unlocked to queue for tcpm_queue_vdm_work,
which can perform the state check while holding the TCPM lock
while the Alt Mode lock is no longer held. This requires a new
struct to hold the vdm data, altmode_vdm_event.
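
The pattern the fix describes, as an added example that is not code from the kernel patch or from this advisory: a single-threaded user-space C model in which the caller only queues an altmode_vdm_event and the worker checks the port state while holding the lock. struct port, port_init, vdm_work, the two state names and the struct fields are assumptions made for illustration; the FIFO stands in for the kernel work queue.

```c
/* Single-threaded user-space model of the pattern; not kernel code. */
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

enum port_state { PORT_READY, PORT_DETACHING };  /* assumed, simplified */
struct altmode_vdm_event {       /* name from the page; fields assumed */
    unsigned int header, vdo;
    struct altmode_vdm_event *next;
};
struct port {                    /* hypothetical stand-in for the TCPM port */
    pthread_mutex_t lock;        /* plays the role of the TCPM lock */
    enum port_state state;
    struct altmode_vdm_event *head, **tail;  /* FIFO of deferred events */
    int sent, dropped;
};

void port_init(struct port *p)
{
    memset(p, 0, sizeof(*p));            /* state starts as PORT_READY */
    pthread_mutex_init(&p->lock, NULL);
    p->tail = &p->head;
}

/* Caller side: copy the VDM and return without ever taking p->lock. */
int queue_vdm_unlocked(struct port *p, unsigned int header, unsigned int vdo)
{
    struct altmode_vdm_event *ev = malloc(sizeof(*ev));
    if (!ev) return -1;
    *ev = (struct altmode_vdm_event){ .header = header, .vdo = vdo };
    *p->tail = ev;
    p->tail = &ev->next;
    return 0;
}

/* Worker side: check and send share one lock hold. Returns total sent. */
int vdm_work(struct port *p)
{
    struct altmode_vdm_event *ev;
    while ((ev = p->head) != NULL) {
        if (!(p->head = ev->next)) p->tail = &p->head;
        pthread_mutex_lock(&p->lock);
        if (p->state == PORT_READY) p->sent++;   /* real code would send */
        else p->dropped++;                       /* not ready: discard */
        pthread_mutex_unlock(&p->lock);
        free(ev);
    }
    return p->sent;
}
```

Queuing an event while the port is ready and then moving the port out of the ready state before vdm_work runs ends with the event dropped, not with a caller blocked on the lock.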
Severity CVSS v4.0: Pending analysis
Last modification: 10/07/2025