Linux UAS Patch Fixes USB SCSI Race CVE-2025-68331 Prevents Kernel Panic

A small but consequential Linux kernel fix landed this month to close a UAS (USB Attached SCSI) race that could crash hosts when a UAS device is unplugged while I/O is in flight — the patch changes how the UAS driver handles partial URB submissions so the kernel does not attempt to unmap already‑freed scatter‑gather (sg) entries during URB giveback, eliminating an invalid memory access that could result in a system panic.

Background​

The UAS subsystem (drivers/usb/storage/uas.c) implements the USB Attached SCSI transport used by many modern USB storage devices to deliver higher throughput and lower CPU cost than the older bulk-only transport. The UAS driver submits multiple URBs per SCSI command — typically a sense URB, a data URB (IN or OUT), and a command/status URB — and coordinates completion and error handling through a mix of USB anchoring, URB callbacks, and SCSI layer callbacks. When device removal races with in‑flight URB submission and completion, subtle ordering bugs can yield callbacks operating on memory that has already been freed. This specific defect was assigned CVE‑2025‑68331 and was published to public trackers in late December 2025. It describes a scenario where the kernel calls dma_direct_unmap_sg as part of usb_hcd_unmap_urb_for_dma, but the sg->dma_address is zero because the sg structure itself has been freed earlier in the teardown flow — a classic use‑after‑free / invalid access triggered by teardown ordering between SCSI completion helpers and USB unmap callbacks. The fix changes uas_submit_urbs error handling so that the command is preserved for later completion instead of immediately calling scsi_done in the ENODEV error path when some URBs were actually submitted successfully.

---

What went wrong: technical anatomy​

Where the race appears​

• The UAS SCSI queueing path calls uas_submit_urbs, which attempts to submit up to three URBs for a SCSI transfer: sense_urb, data_urb, and cmd_urb.
• If device removal (or another fatal error) occurs while uas_submit_urbs is still running, the function may fail with -ENODEV while some URBs have already been submitted.
• The prior error path immediately called scsi_done to finish the command. scsi_done/scsi_complete eventually frees the SCSI scatter‑gather table (sg_table) referenced by the URBs.
• Later, when the already‑submitted URBs are unlinked or complete, usb_hcd_unmap_urb_for_dma is invoked to unmap DMA scatter‑gather entries. Because the sg_table was freed earlier, the hcd unmap routine may access freed sg entries or see sg->dma_address == 0, causing an invalid memory access and an oops or panic.

Root cause summary​

The defect is a lifecycle and ordering bug: the UAS driver’s error handling on -ENODEV made the SCSI layer release resources that the USB core later assumed were still valid for unmapping. The kernel’s DMA unmap path trusts the presence and integrity of the sg entries it is asked to unmap; freeing them too soon turns that trust into a crash. The bug is not a missing bound check in DMA code but a logical race between completion and unmap teardown flows.

---

The patch and how it fixes the problem​

What the patch changes​

The upstream patch (multiple versions v1→v4 were discussed on the kernel mailing lists) modifies the error handling inside uas_submit_urbs / uas_queuecommand_lck. Instead of immediately invoking scsi_done when uas_submit_urbs returns -ENODEV, the updated logic first checks whether any of the command’s URBs were actually submitted (indicated by the command state flags COMMAND_INFLIGHT, DATA_IN_URB_INFLIGHT, DATA_OUT_URB_INFLIGHT). If submission was partially or fully successful, the patch saves the scsi command pointer to devinfo->cmnd and returns without calling scsi_done. Completion will then be handled by uas_try_complete (or uas_zap_pending after usb_kill_anchored_urbs, which runs after outstanding URB operations are finalized and after the USB core has completed any necessary unmapping. This prevents scsi_end_request from freeing the sg_table while the USB core still needs it to unmap DMA. The code-level change is intentionally tiny — a few lines added to guard the ENODEV error path and place the command into the device’s pending‑complete array — and the patch includes the typical kernel metadata (Signed-off-by, Fixes:, cc stable) to facilitate backporting.

Why this is the right fix​

• It preserves the logical semantic: if a command had URBs already handed to the USB core, the SCSI layer should not free the resources while the USB core still expects them.
• It keeps the remediation small and reviewable, lowering regression risk and easing stable‑tree backports.
• It leverages existing completion paths (uas_try_complete / uas_zap_pending) that are already designed to finalize commands after URBs are fully completed or killed, so it does not invent new synchronization primitives.

---

Who is affected​

• Linux hosts that use the in‑tree UAS driver: desktops, laptops, embedded Linux devices and servers whose kernels include the generic UAS driver in drivers/usb/storage. Many modern USB‑attached NVMe and SATA→USB bridges use UAS.
• Systems that accept untrusted or removable USB storage: kiosks, shared workstations, lab machines, test rigs, or virtual machines with USB passthrough are the highest‑risk operational contexts because they expose the local USB attach surface to potentially malformed or malicious devices.
• Virtualized environments and cloud images: Linux guests or cloud VM images running vulnerable kernels (including WSL2 or custom Azure images built on top of these kernels) may be exposed if USB passthrough is enabled or if the images include the vulnerable driver.

Notably, this is a kernel‑level, local device vector; native Windows and macOS kernels are not affected by this Linux driver CVE, but cross‑platform operational practices (untrusted USB devices) remain relevant for mixed environments.

---

Severity and exploitability​

• Public trackers and vendor advisories have assigned an Important/Medium-to-High severity depending on platform scoring; at least one supplier listed a CVSSv3 base score near 7.0 for certain Linux distributions’ mapping. The primary impact is availability — kernel oops or panic, which can produce host crashes and service outages.
• Exploitability requires local access to the USB attach surface: an attacker must present a device (or control device firmware) that triggers the problematic device removal / partial‑submission sequence. That makes remote exploitation without an additional remote-to-local stepping stone unlikely in typical datacenter configurations.
• There is no public, reliable proof‑of‑concept showing elevation to code execution at time of disclosure. However, kernel memory lifecycle bugs are sensitive: while immediate exploitation is not assured, such primitives can, in theory, be combined with other memory corruptions to increase impact. Treat the issue as operationally significant and remediate promptly rather than dismissing it as merely inconvenient.

---

Remediation — what administrators and users should do​

Immediate steps (short term)​

• If you do not require UAS support for a machine, consider unloading or blacklisting the uas module temporarily:
  • Unload: sudo modprobe -r uas
  • Blacklist (persist): add "blacklist uas" to /etc/modprobe.d/disable‑uas.conf and rebuild initramfs if required.
    These are blunt mitigations and will disable UAS‑accelerated USB storage functionality. Evaluate service impact before deploying widely.
• Restrict physical USB access on high‑security endpoints: use device allowlists (USBGuard), endpoint device control policies, or port blockers to limit the risk of an attacker plugging in a malicious or unvetted device. This is especially important for shared/public systems and for hosts that allow USB passthrough into VMs.

Patching (recommended, long term)​

1. Identify: Inventory which hosts run kernels that include the UAS driver and which systems actually load the uas module. Commands: uname -r; lsmod | grep uas; grep -R "uas" /lib/modules/$(uname -r)/*.
2. Map: Cross‑check your kernel package version against vendor/distro advisories to find the package that includes the upstream fix. Vendors tracking the CVE include Debian/Ubuntu, SUSE, Amazon Linux and others; check your distro’s security tracker.
3. Update: Apply vendor/distribution kernel updates that include the patched UAS driver and reboot. Kernel fixes require reboot to become active unless delivered as a reloadable module and reloaded safely.
4. Verify: After update, confirm the running kernel’s changelog or module source contains the fix (the patch adds the ENODEV guarded path; distribution changelogs should reference CVE‑2025‑68331 or the upstream commit).

For custom or embedded kernels​

• Merge the upstream patch into your kernel tree (the patch is small and carries a Fixes: tag and stable CC to aid backporting) and rebuild kernels or modules. Test on representative devices before rolling out to production images.

---

Detection and hunting guidance​

• Watch kernel logs (dmesg, journalctl -k) for oops/panic traces referencing UAS functions (uas_submit_urbs, uas_try_complete, uas_zap_pending) or for crash stacks that mention usb_hcd_unmap_urb_for_dma and dma_direct_unmap_sg. These traces often appear around device removal events.
• Correlate USB device detach events with SCSI errors and kernel oops timestamps. A suspect pattern is: sudden ENODEV in kernel logs from usb subsystem, followed by driver oops referencing sg unmap or invalid dma_address.
• For forensic capture, preserve dmesg and a vmcore/kdump if available; the backtrace is valuable to map a crash sample to this specific race versus unrelated USB or storage bugs.

---

Vendor and distribution state​

Multiple vendor trackers and OSV entries already index CVE‑2025‑68331 and map the upstream description to distribution advisories (Ubuntu, Debian/OSV, SUSE, Amazon Linux and others). The upstream patch was discussed on the Linux kernel mailing lists with v1→v4 revisions and included the standard stable backport metadata to speed distribution uptake. Administrators should rely on their distro vendor advisories (DSA, USN, RHSA, SUSE SUSESA entries) for package names and fixed versions, because backport timelines and package numbers vary by vendor. Be especially mindful of long‑lifecycle embedded and OEM images: vendors with custom kernels often have longer patch windows, and some appliance images may require vendor coordination to receive a backported patch.

---

Critical analysis: what’s good, and what still worries​

Strengths​

• The upstream response produced a small, surgical patch that addresses the root ordering problem without wide refactors. That low‑risk approach is ideal for stable backports and distribution updates.
• The patch leverages existing completion semantics (uas_try_complete/uas_zap_pending) so it integrates with the driver’s designed teardown flow rather than introducing ad hoc fixes.
• Multiple independent trackers and distros rapidly indexed the CVE, which helps administrators find matching vendor packages and speed remediation workflows.

Residual risks and caveats​

• Embedded devices and vendor‑maintained appliances can lag in backporting. Devices with long lifecycles that use vendor forks of the kernel remain the primary operational exposure. Administrators should contact OEMs for timelines where vendor‑supplied images are used.
• While this patch closes a crash condition, other UAS or USB teardown race variants could exist elsewhere in the codebase; operators should keep kernel‑level telemetry and fuzzing results on their radar. The class of bugs — asynchronous teardown racing with in‑flight DMA/URB operations — has appeared repeatedly across USB, SCSI and other kernel drivers.
• Claims of immediate remote code execution from this CVE are unverified. Realistically, the operational impact is availability-first, but kernel UAFs can be powerful when combined with other primitives, so treating them as high priority is prudent.

---

Quick remediation checklist (for operations teams)​

1. Inventory hosts running kernels with UAS (uname -r; lsmod | grep uas).
2. Identify which hosts actively use USB mass storage or allow USB passthrough for VMs.
3. Apply vendor kernel updates that reference CVE‑2025‑68331 or include the upstream UAS patch; reboot.
4. If patching is delayed, blacklist/unload the uas module where UAS functionality is not required.
5. Enforce USB device allowlists (USBGuard) and limit passthrough on virtualization platforms.
6. Monitor kernel logs for UAS/usb_hcd_unmap_urb_for_dma traces and capture vmcore + dmesg if a crash occurs.

---

Conclusion​

CVE‑2025‑68331 is a targeted lifecycle‑ordering fix in the Linux UAS driver that removes a race between SCSI completion and USB DMA unmapping. The upstream remedy is small, low‑risk, and straightforward to backport, but the operational risk is real: unpatched hosts that accept untrusted USB devices can experience kernel panics and outages. The correct response is rapid patching via vendor kernel updates, combined with sensible short‑term mitigations (module blacklisting, USB allowlists) where immediate patching is not possible. Keeping kernel telemetry and device‑inventory practices current reduces the chance that a malformed or malicious USB attachment can cause an avoidable outage.

---

Source: MSRC Security Update Guide - Microsoft Security Response Center