Acknowledged
Created: Jul 7, 2025
Updated: Jul 8, 2025
Found In Version: 10.24.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 24
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:EOL][EOL]thunderbolt: Do not double dequeue a configuration request[EOL][EOL]Some of our devices crash in tb_cfg_request_dequeue():[EOL][EOL] general protection fault, probably for non-canonical address 0xdead000000000122[EOL][EOL] CPU: 6 PID: 91007 Comm: kworker/6:2 Tainted: G U W 6.6.65[EOL] RIP: 0010:tb_cfg_request_dequeue+0x2d/0xa0[EOL] Call Trace:[EOL] <TASK>[EOL] ? tb_cfg_request_dequeue+0x2d/0xa0[EOL] tb_cfg_request_work+0x33/0x80[EOL] worker_thread+0x386/0x8f0[EOL] kthread+0xed/0x110[EOL] ret_from_fork+0x38/0x50[EOL] ret_from_fork_asm+0x1b/0x30[EOL][EOL]The circumstances are unclear, however, the theory is that[EOL]tb_cfg_request_work() can be scheduled twice for a request:[EOL]first time via frame.callback from ring_work() and second[EOL]time from tb_cfg_request(). Both times kworkers will execute[EOL]tb_cfg_request_dequeue(), which results in double list_del()[EOL]from the ctl->request_queue (the list poison deference hints[EOL]at it: 0xdead000000000122).[EOL][EOL]Do not dequeue requests that don't have TB_CFG_REQUEST_ACTIVE[EOL]bit set.
CREATE(Triage):(User=admin) [CVE-2025-38174 (https://nvd.nist.gov/vuln/detail/CVE-2025-38174)
