CVE-2025-38268 in Linuxinfo

Summary

by MITRE • 07/10/2025

In the Linux kernel, the following vulnerability has been resolved:

usb: typec: tcpm: move tcpm_queue_vdm_unlocked to asynchronous work

A state check was previously added to tcpm_queue_vdm_unlocked to prevent a deadlock where the DisplayPort Alt Mode driver would be executing work and attempting to grab the tcpm_lock while the TCPM was holding the lock and attempting to unregister the altmode, blocking on the altmode driver's cancel_work_sync call.

Because the state check isn't protected, there is a small window where the Alt Mode driver could determine that the TCPM is in a ready state and attempt to grab the lock while the TCPM grabs the lock and changes the TCPM state to one that causes the deadlock. The callstack is provided below:

[110121.667392][ C7] Call trace:
[110121.667396][ C7] __switch_to+0x174/0x338
[110121.667406][ C7] __schedule+0x608/0x9f0
[110121.667414][ C7] schedule+0x7c/0xe8
[110121.667423][ C7] kernfs_drain+0xb0/0x114
[110121.667431][ C7] __kernfs_remove+0x16c/0x20c
[110121.667436][ C7] kernfs_remove_by_name_ns+0x74/0xe8
[110121.667442][ C7] sysfs_remove_group+0x84/0xe8
[110121.667450][ C7] sysfs_remove_groups+0x34/0x58
[110121.667458][ C7] device_remove_groups+0x10/0x20
[110121.667464][ C7] device_release_driver_internal+0x164/0x2e4
[110121.667475][ C7] device_release_driver+0x18/0x28
[110121.667484][ C7] bus_remove_device+0xec/0x118
[110121.667491][ C7] device_del+0x1e8/0x4ac
[110121.667498][ C7] device_unregister+0x18/0x38
[110121.667504][ C7] typec_unregister_altmode+0x30/0x44
[110121.667515][ C7] tcpm_reset_port+0xac/0x370
[110121.667523][ C7] tcpm_snk_detach+0x84/0xb8
[110121.667529][ C7] run_state_machine+0x4c0/0x1b68
[110121.667536][ C7] tcpm_state_machine_work+0x94/0xe4
[110121.667544][ C7] kthread_worker_fn+0x10c/0x244
[110121.667552][ C7] kthread+0x104/0x1d4
[110121.667557][ C7] ret_from_fork+0x10/0x20

[110121.667689][ C7] Workqueue: events dp_altmode_work
[110121.667697][ C7] Call trace:
[110121.667701][ C7] __switch_to+0x174/0x338
[110121.667710][ C7] __schedule+0x608/0x9f0
[110121.667717][ C7] schedule+0x7c/0xe8
[110121.667725][ C7] schedule_preempt_disabled+0x24/0x40
[110121.667733][ C7] __mutex_lock+0x408/0xdac
[110121.667741][ C7] __mutex_lock_slowpath+0x14/0x24
[110121.667748][ C7] mutex_lock+0x40/0xec
[110121.667757][ C7] tcpm_altmode_enter+0x78/0xb4
[110121.667764][ C7] typec_altmode_enter+0xdc/0x10c
[110121.667769][ C7] dp_altmode_work+0x68/0x164
[110121.667775][ C7] process_one_work+0x1e4/0x43c
[110121.667783][ C7] worker_thread+0x25c/0x430
[110121.667789][ C7] kthread+0x104/0x1d4
[110121.667794][ C7] ret_from_fork+0x10/0x20

Change tcpm_queue_vdm_unlocked to queue for tcpm_queue_vdm_work, which can perform the state check while holding the TCPM lock while the Alt Mode lock is no longer held. This requires a new struct to hold the vdm data, altmode_vdm_event.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 12/07/2025

The vulnerability identified as CVE-2025-38268 resides within the Linux kernel's USB Type-C implementation, specifically within the Thunderbolt Control Protocol Manager (TCPM) subsystem. This issue affects the handling of DisplayPort Alternate Mode operations and stems from a race condition that can lead to deadlock scenarios during device state transitions. The vulnerability manifests when the DisplayPort Alt Mode driver attempts to execute work items while the TCPM is in the process of unregistering an alternate mode, creating a circular dependency where each component waits for the other to release locks. The root cause lies in the insufficient protection of a state check within the tcpm_queue_vdm_unlocked function, which creates a temporal window where competing threads can access the system in conflicting states, ultimately resulting in system hang or crash conditions.

The technical flaw occurs due to improper synchronization mechanisms during the transition between different TCPM states. When the TCPM attempts to unregister an alternate mode, it holds the tcpm_lock while calling cancel_work_sync on the altmode driver. Concurrently, the altmode driver may be executing work items and attempting to acquire the same tcpm_lock, creating a classic deadlock scenario. The call stack demonstrates this race condition through the sequence where device_release_driver_internal leads to typec_unregister_altmode, which calls tcpm_reset_port, eventually reaching tcpm_snk_detach, and then to run_state_machine and tcpm_state_machine_work. Meanwhile, the dp_altmode_work is executing and attempting to acquire the tcpm_lock through tcpm_altmode_enter, creating the deadlock condition. This vulnerability aligns with CWE-362, which describes a race condition in concurrent execution, and specifically relates to improper locking mechanisms that allow multiple threads to access shared resources simultaneously without proper mutual exclusion.

The operational impact of this vulnerability extends to systems utilizing USB Type-C ports with DisplayPort Alternate Mode functionality, particularly those supporting modern device connections such as external displays, docks, and high-speed peripherals. Systems that frequently connect and disconnect USB Type-C devices, especially those requiring rapid state transitions, are at higher risk of experiencing system freezes or crashes. The vulnerability can be exploited through normal device operations, making it particularly concerning for embedded systems, servers, and desktop environments where USB Type-C connectivity is prevalent. Attackers could potentially leverage this vulnerability to cause denial of service conditions, effectively rendering systems unusable until reboot occurs, or in some cases, cause data corruption through the system instability.

The fix implemented addresses the vulnerability by moving the tcpm_queue_vdm_unlocked function to utilize asynchronous work queuing through tcpm_queue_vdm_work. This change ensures that the state check occurs while holding the TCPM lock, preventing the race condition that previously allowed the deadlock scenario. The solution requires the creation of a new data structure, altmode_vdm_event, to properly manage the VDM (Vendor Defined Message) data during the transition. This approach aligns with the ATT&CK technique T1499.004, which involves system compromise through denial of service mechanisms, by preventing the specific deadlock condition that leads to system instability. The mitigation strategy follows best practices for concurrent programming by ensuring proper lock ordering and reducing the window of opportunity for race conditions to occur. The change effectively separates the state checking and locking operations from the work execution, allowing the system to maintain proper synchronization without creating circular dependency conditions that could lead to system-wide failures.

Responsible

Linux

Reservation

04/16/2025

Disclosure

07/10/2025

Moderation

accepted

CPE

ready

EPSS

0.00117

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!