ghsa-mg8g-g7c5-2wpm
Vulnerability from github
Published
2025-07-10 09:32
Modified
2025-07-10 09:32
Details

In the Linux kernel, the following vulnerability has been resolved:

usb: typec: tcpm: move tcpm_queue_vdm_unlocked to asynchronous work

A state check was previously added to tcpm_queue_vdm_unlocked to prevent a deadlock where the DisplayPort Alt Mode driver would be executing work and attempting to grab the tcpm_lock while the TCPM was holding the lock and attempting to unregister the altmode, blocking on the altmode driver's cancel_work_sync call.

Because the state check isn't protected, there is a small window where the Alt Mode driver could determine that the TCPM is in a ready state and attempt to grab the lock while the TCPM grabs the lock and changes the TCPM state to one that causes the deadlock. The callstack is provided below:

[110121.667392][ C7] Call trace: [110121.667396][ C7] __switch_to+0x174/0x338 [110121.667406][ C7] __schedule+0x608/0x9f0 [110121.667414][ C7] schedule+0x7c/0xe8 [110121.667423][ C7] kernfs_drain+0xb0/0x114 [110121.667431][ C7] __kernfs_remove+0x16c/0x20c [110121.667436][ C7] kernfs_remove_by_name_ns+0x74/0xe8 [110121.667442][ C7] sysfs_remove_group+0x84/0xe8 [110121.667450][ C7] sysfs_remove_groups+0x34/0x58 [110121.667458][ C7] device_remove_groups+0x10/0x20 [110121.667464][ C7] device_release_driver_internal+0x164/0x2e4 [110121.667475][ C7] device_release_driver+0x18/0x28 [110121.667484][ C7] bus_remove_device+0xec/0x118 [110121.667491][ C7] device_del+0x1e8/0x4ac [110121.667498][ C7] device_unregister+0x18/0x38 [110121.667504][ C7] typec_unregister_altmode+0x30/0x44 [110121.667515][ C7] tcpm_reset_port+0xac/0x370 [110121.667523][ C7] tcpm_snk_detach+0x84/0xb8 [110121.667529][ C7] run_state_machine+0x4c0/0x1b68 [110121.667536][ C7] tcpm_state_machine_work+0x94/0xe4 [110121.667544][ C7] kthread_worker_fn+0x10c/0x244 [110121.667552][ C7] kthread+0x104/0x1d4 [110121.667557][ C7] ret_from_fork+0x10/0x20

[110121.667689][ C7] Workqueue: events dp_altmode_work [110121.667697][ C7] Call trace: [110121.667701][ C7] __switch_to+0x174/0x338 [110121.667710][ C7] __schedule+0x608/0x9f0 [110121.667717][ C7] schedule+0x7c/0xe8 [110121.667725][ C7] schedule_preempt_disabled+0x24/0x40 [110121.667733][ C7] __mutex_lock+0x408/0xdac [110121.667741][ C7] __mutex_lock_slowpath+0x14/0x24 [110121.667748][ C7] mutex_lock+0x40/0xec [110121.667757][ C7] tcpm_altmode_enter+0x78/0xb4 [110121.667764][ C7] typec_altmode_enter+0xdc/0x10c [110121.667769][ C7] dp_altmode_work+0x68/0x164 [110121.667775][ C7] process_one_work+0x1e4/0x43c [110121.667783][ C7] worker_thread+0x25c/0x430 [110121.667789][ C7] kthread+0x104/0x1d4 [110121.667794][ C7] ret_from_fork+0x10/0x20

Change tcpm_queue_vdm_unlocked to queue for tcpm_queue_vdm_work, which can perform the state check while holding the TCPM lock while the Alt Mode lock is no longer held. This requires a new struct to hold the vdm data, altmode_vdm_event.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-38268"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-10T08:15:24Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: tcpm: move tcpm_queue_vdm_unlocked to asynchronous work\n\nA state check was previously added to tcpm_queue_vdm_unlocked to\nprevent a deadlock where the DisplayPort Alt Mode driver would be\nexecuting work and attempting to grab the tcpm_lock while the TCPM\nwas holding the lock and attempting to unregister the altmode, blocking\non the altmode driver\u0027s cancel_work_sync call.\n\nBecause the state check isn\u0027t protected, there is a small window\nwhere the Alt Mode driver could determine that the TCPM is\nin a ready state and attempt to grab the lock while the\nTCPM grabs the lock and changes the TCPM state to one that\ncauses the deadlock. The callstack is provided below:\n\n[110121.667392][    C7] Call trace:\n[110121.667396][    C7]  __switch_to+0x174/0x338\n[110121.667406][    C7]  __schedule+0x608/0x9f0\n[110121.667414][    C7]  schedule+0x7c/0xe8\n[110121.667423][    C7]  kernfs_drain+0xb0/0x114\n[110121.667431][    C7]  __kernfs_remove+0x16c/0x20c\n[110121.667436][    C7]  kernfs_remove_by_name_ns+0x74/0xe8\n[110121.667442][    C7]  sysfs_remove_group+0x84/0xe8\n[110121.667450][    C7]  sysfs_remove_groups+0x34/0x58\n[110121.667458][    C7]  device_remove_groups+0x10/0x20\n[110121.667464][    C7]  device_release_driver_internal+0x164/0x2e4\n[110121.667475][    C7]  device_release_driver+0x18/0x28\n[110121.667484][    C7]  bus_remove_device+0xec/0x118\n[110121.667491][    C7]  device_del+0x1e8/0x4ac\n[110121.667498][    C7]  device_unregister+0x18/0x38\n[110121.667504][    C7]  typec_unregister_altmode+0x30/0x44\n[110121.667515][    C7]  tcpm_reset_port+0xac/0x370\n[110121.667523][    C7]  tcpm_snk_detach+0x84/0xb8\n[110121.667529][    C7]  run_state_machine+0x4c0/0x1b68\n[110121.667536][    C7]  tcpm_state_machine_work+0x94/0xe4\n[110121.667544][    C7]  kthread_worker_fn+0x10c/0x244\n[110121.667552][    C7]  kthread+0x104/0x1d4\n[110121.667557][    C7]  ret_from_fork+0x10/0x20\n\n[110121.667689][    C7] Workqueue: events dp_altmode_work\n[110121.667697][    C7] Call trace:\n[110121.667701][    C7]  __switch_to+0x174/0x338\n[110121.667710][    C7]  __schedule+0x608/0x9f0\n[110121.667717][    C7]  schedule+0x7c/0xe8\n[110121.667725][    C7]  schedule_preempt_disabled+0x24/0x40\n[110121.667733][    C7]  __mutex_lock+0x408/0xdac\n[110121.667741][    C7]  __mutex_lock_slowpath+0x14/0x24\n[110121.667748][    C7]  mutex_lock+0x40/0xec\n[110121.667757][    C7]  tcpm_altmode_enter+0x78/0xb4\n[110121.667764][    C7]  typec_altmode_enter+0xdc/0x10c\n[110121.667769][    C7]  dp_altmode_work+0x68/0x164\n[110121.667775][    C7]  process_one_work+0x1e4/0x43c\n[110121.667783][    C7]  worker_thread+0x25c/0x430\n[110121.667789][    C7]  kthread+0x104/0x1d4\n[110121.667794][    C7]  ret_from_fork+0x10/0x20\n\nChange tcpm_queue_vdm_unlocked to queue for tcpm_queue_vdm_work,\nwhich can perform the state check while holding the TCPM lock\nwhile the Alt Mode lock is no longer held. This requires a new\nstruct to hold the vdm data, altmode_vdm_event.",
  "id": "GHSA-mg8g-g7c5-2wpm",
  "modified": "2025-07-10T09:32:28Z",
  "published": "2025-07-10T09:32:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38268"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1970d34b48cbeceb0c765984c9a6bb204c77f16a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/324d45e53f1a36c88bc649dc39e0c8300a41be0a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7bdd712abefbec79176ab412d8c623e755c5d0ba"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.