CVE-2025-38174

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> thunderbolt: Do not double dequeue a configuration request<br /> <br /> Some of our devices crash in tb_cfg_request_dequeue():<br /> <br /> general protection fault, probably for non-canonical address 0xdead000000000122<br /> <br /> CPU: 6 PID: 91007 Comm: kworker/6:2 Tainted: G U W 6.6.65<br /> RIP: 0010:tb_cfg_request_dequeue+0x2d/0xa0<br /> Call Trace:<br /> <br /> ? tb_cfg_request_dequeue+0x2d/0xa0<br /> tb_cfg_request_work+0x33/0x80<br /> worker_thread+0x386/0x8f0<br /> kthread+0xed/0x110<br /> ret_from_fork+0x38/0x50<br /> ret_from_fork_asm+0x1b/0x30<br /> <br /> The circumstances are unclear, however, the theory is that<br /> tb_cfg_request_work() can be scheduled twice for a request:<br /> first time via frame.callback from ring_work() and second<br /> time from tb_cfg_request(). Both times kworkers will execute<br /> tb_cfg_request_dequeue(), which results in double list_del()<br /> from the ctl-&gt;request_queue (the list poison deference hints<br /> at it: 0xdead000000000122).<br /> <br /> Do not dequeue requests that don&amp;#39;t have TB_CFG_REQUEST_ACTIVE<br /> bit set.