{"id":"CVE-2025-38174","summary":"thunderbolt: Do not double dequeue a configuration request","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nthunderbolt: Do not double dequeue a configuration request\n\nSome of our devices crash in tb_cfg_request_dequeue():\n\n general protection fault, probably for non-canonical address 0xdead000000000122\n\n CPU: 6 PID: 91007 Comm: kworker/6:2 Tainted: G U W 6.6.65\n RIP: 0010:tb_cfg_request_dequeue+0x2d/0xa0\n Call Trace:\n \u003cTASK\u003e\n ? tb_cfg_request_dequeue+0x2d/0xa0\n tb_cfg_request_work+0x33/0x80\n worker_thread+0x386/0x8f0\n kthread+0xed/0x110\n ret_from_fork+0x38/0x50\n ret_from_fork_asm+0x1b/0x30\n\nThe circumstances are unclear, however, the theory is that\ntb_cfg_request_work() can be scheduled twice for a request:\nfirst time via frame.callback from ring_work() and second\ntime from tb_cfg_request().  Both times kworkers will execute\ntb_cfg_request_dequeue(), which results in double list_del()\nfrom the ctl-\u003erequest_queue (the list poison deference hints\nat it: 0xdead000000000122).\n\nDo not dequeue requests that don't have TB_CFG_REQUEST_ACTIVE\nbit set.","modified":"2026-04-16T00:06:22.889633758Z","published":"2025-07-04T10:39:55.732Z","related":["SUSE-SU-2025:02853-1","SUSE-SU-2025:02923-1","SUSE-SU-2025:02969-1","SUSE-SU-2025:02996-1","SUSE-SU-2025:02997-1","SUSE-SU-2025:03011-1","SUSE-SU-2025:03023-1","SUSE-SU-2025:03204-1","SUSE-SU-2025:20577-1","SUSE-SU-2025:20586-1","SUSE-SU-2025:20601-1","SUSE-SU-2025:20602-1","SUSE-SU-2025:21074-1","SUSE-SU-2025:21139-1","SUSE-SU-2025:21179-1","openSUSE-SU-2025:20081-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38174.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0771bcbe2f6e5d5f263cf466efe571d2754a46da"},{"type":"WEB","url":"https://git.kernel.org/stable/c/0a3011d47dbc92a33621861c423cb64833d7fe57"},{"type":"WEB","url":"https://git.kernel.org/stable/c/0f73628e9da1ee39daf5f188190cdbaee5e0c98c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/2f62eda4d974c26bc595425eafd429067541f2c9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5a057f261539720165d03d85024da2b52e67f63d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/85286e634ebbaf9c0fb1cdf580add2f33fc7628c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/cdb4feab2f39e75a66239e3a112beced279612a8"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e49e994cd83705f7ca30eda1e304abddfd96a37a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/eb2d5e794fb966b3ef8bde99eb8561446a53509f"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/38xxx/CVE-2025-38174.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-38174"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"16603153666d22df544ae9f9b3764fd18da28eeb"},{"fixed":"e49e994cd83705f7ca30eda1e304abddfd96a37a"},{"fixed":"0a3011d47dbc92a33621861c423cb64833d7fe57"},{"fixed":"2f62eda4d974c26bc595425eafd429067541f2c9"},{"fixed":"85286e634ebbaf9c0fb1cdf580add2f33fc7628c"},{"fixed":"5a057f261539720165d03d85024da2b52e67f63d"},{"fixed":"eb2d5e794fb966b3ef8bde99eb8561446a53509f"},{"fixed":"0771bcbe2f6e5d5f263cf466efe571d2754a46da"},{"fixed":"cdb4feab2f39e75a66239e3a112beced279612a8"},{"fixed":"0f73628e9da1ee39daf5f188190cdbaee5e0c98c"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-38174.json"}}],"schema_version":"1.7.5"}