{"id":"CVE-2025-38268","summary":"usb: typec: tcpm: move tcpm_queue_vdm_unlocked to asynchronous work","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: tcpm: move tcpm_queue_vdm_unlocked to asynchronous work\n\nA state check was previously added to tcpm_queue_vdm_unlocked to\nprevent a deadlock where the DisplayPort Alt Mode driver would be\nexecuting work and attempting to grab the tcpm_lock while the TCPM\nwas holding the lock and attempting to unregister the altmode, blocking\non the altmode driver's cancel_work_sync call.\n\nBecause the state check isn't protected, there is a small window\nwhere the Alt Mode driver could determine that the TCPM is\nin a ready state and attempt to grab the lock while the\nTCPM grabs the lock and changes the TCPM state to one that\ncauses the deadlock. The callstack is provided below:\n\n[110121.667392][    C7] Call trace:\n[110121.667396][    C7]  __switch_to+0x174/0x338\n[110121.667406][    C7]  __schedule+0x608/0x9f0\n[110121.667414][    C7]  schedule+0x7c/0xe8\n[110121.667423][    C7]  kernfs_drain+0xb0/0x114\n[110121.667431][    C7]  __kernfs_remove+0x16c/0x20c\n[110121.667436][    C7]  kernfs_remove_by_name_ns+0x74/0xe8\n[110121.667442][    C7]  sysfs_remove_group+0x84/0xe8\n[110121.667450][    C7]  sysfs_remove_groups+0x34/0x58\n[110121.667458][    C7]  device_remove_groups+0x10/0x20\n[110121.667464][    C7]  device_release_driver_internal+0x164/0x2e4\n[110121.667475][    C7]  device_release_driver+0x18/0x28\n[110121.667484][    C7]  bus_remove_device+0xec/0x118\n[110121.667491][    C7]  device_del+0x1e8/0x4ac\n[110121.667498][    C7]  device_unregister+0x18/0x38\n[110121.667504][    C7]  typec_unregister_altmode+0x30/0x44\n[110121.667515][    C7]  tcpm_reset_port+0xac/0x370\n[110121.667523][    C7]  tcpm_snk_detach+0x84/0xb8\n[110121.667529][    C7]  run_state_machine+0x4c0/0x1b68\n[110121.667536][    C7]  tcpm_state_machine_work+0x94/0xe4\n[110121.667544][    C7]  kthread_worker_fn+0x10c/0x244\n[110121.667552][    C7]  kthread+0x104/0x1d4\n[110121.667557][    C7]  ret_from_fork+0x10/0x20\n\n[110121.667689][    C7] Workqueue: events dp_altmode_work\n[110121.667697][    C7] Call trace:\n[110121.667701][    C7]  __switch_to+0x174/0x338\n[110121.667710][    C7]  __schedule+0x608/0x9f0\n[110121.667717][    C7]  schedule+0x7c/0xe8\n[110121.667725][    C7]  schedule_preempt_disabled+0x24/0x40\n[110121.667733][    C7]  __mutex_lock+0x408/0xdac\n[110121.667741][    C7]  __mutex_lock_slowpath+0x14/0x24\n[110121.667748][    C7]  mutex_lock+0x40/0xec\n[110121.667757][    C7]  tcpm_altmode_enter+0x78/0xb4\n[110121.667764][    C7]  typec_altmode_enter+0xdc/0x10c\n[110121.667769][    C7]  dp_altmode_work+0x68/0x164\n[110121.667775][    C7]  process_one_work+0x1e4/0x43c\n[110121.667783][    C7]  worker_thread+0x25c/0x430\n[110121.667789][    C7]  kthread+0x104/0x1d4\n[110121.667794][    C7]  ret_from_fork+0x10/0x20\n\nChange tcpm_queue_vdm_unlocked to queue for tcpm_queue_vdm_work,\nwhich can perform the state check while holding the TCPM lock\nwhile the Alt Mode lock is no longer held. This requires a new\nstruct to hold the vdm data, altmode_vdm_event.","modified":"2026-04-02T12:47:53.786195Z","published":"2025-07-10T07:41:51.217Z","related":["SUSE-SU-2025:02853-1","SUSE-SU-2025:02997-1","SUSE-SU-2025:03011-1","SUSE-SU-2025:21074-1","SUSE-SU-2025:21139-1","SUSE-SU-2025:21179-1","openSUSE-SU-2025:20081-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38268.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/1970d34b48cbeceb0c765984c9a6bb204c77f16a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/324d45e53f1a36c88bc649dc39e0c8300a41be0a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7bdd712abefbec79176ab412d8c623e755c5d0ba"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38268.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38268"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"cdc9946ea6377e8e214b135ccc308c5e514ba25f"},{"fixed":"7bdd712abefbec79176ab412d8c623e755c5d0ba"},{"fixed":"1970d34b48cbeceb0c765984c9a6bb204c77f16a"},{"fixed":"324d45e53f1a36c88bc649dc39e0c8300a41be0a"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-38268.json"}}],"schema_version":"1.7.5"}