Linux Kernel USB UAS Device Removal During Data Transfer Causes System Panic Vulnerability

Vulnerability

A vulnerability in the Linux kernel's USB UAS (USB Attached SCSI) driver can crash the whole system. If a UAS device is unplugged while a data transfer is in flight, the URB (USB Request Block) completion callback runs after the command's scatter-gather (sg) list has already been freed; the sg entry's 'dma_address' field then reads as zero and the callback performs an invalid memory access, producing a kernel panic. Multiple Linux kernel versions are affected.

Impact

Unplugging a UAS device during data transfer triggers a kernel panic, a denial of service for the entire host rather than just the USB stack. No privileges are required: anyone able to disconnect the device mid-transfer, whether a person at the port or a hostile device that drops off the bus on its own, can trigger it.

Reproduction

To reproduce this vulnerability, connect a UAS device to a system running an affected kernel and confirm that it is bound to the uas driver rather than usb-storage (for example, lsusb -t shows Driver=uas for the interface). Start a sustained transfer to or from the device, such as a large dd read, and unplug the device while the transfer is in progress. On an affected kernel the URB callback then touches the freed sg list and the system panics.

Remediation

The fix has been merged into the Linux kernel. Upgrade to a kernel that contains it; consult your distribution's advisory for the exact fixed version. Until the upgrade is possible, preventing affected devices from binding to uas (the usb-storage 'u' quirk, IGNORE_UAS, makes them fall back to the usb-storage driver) avoids the vulnerable code path at the cost of UAS performance.
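The script below is an added example for this advisory, not code from the kernel, the page, or any vendor. It ties the reproduction and remediation steps together: it walks sysfs to list USB mass-storage interfaces and which driver each is bound to (so you know a device really is on uas before testing it), and it builds the usb-storage quirks string that forces every uas-bound VID:PID onto usb-storage as a stop-gap until the patched kernel is installed. The sysfs layout it relies on (bus/usb/devices/<bus>-<port>:<config>.<iface>/driver, idVendor and idProduct on the parent device) is the standard one; the SYSFS_ROOT override, the function names and the demo tree with its vendor and product IDs are this example's own inventions.

```shell
#!/bin/sh
# Added example for the UAS unplug-during-transfer advisory. Not kernel or
# page code. Lists USB mass-storage interfaces with their bound driver and
# builds the usb-storage "u" (IGNORE_UAS) quirk string for uas-bound devices.
# SYSFS_ROOT can point at a constructed tree for offline testing.

SYSFS_ROOT="${SYSFS_ROOT:-/sys}"

# Print one "VID:PID driver" line per USB interface bound to uas or
# usb-storage. Interfaces appear under bus/usb/devices as e.g. 1-1:1.0 and
# carry a 'driver' symlink; idVendor/idProduct live on the parent device 1-1.
list_usb_storage() {
    root="${1:-$SYSFS_ROOT}"
    for iface in "$root"/bus/usb/devices/*:*; do
        [ -L "$iface/driver" ] || continue
        drv=$(basename "$(readlink "$iface/driver")")
        case "$drv" in
            uas|usb-storage) ;;
            *) continue ;;           # hubs, HID, etc. are not storage
        esac
        dev="${iface%:*}"            # .../1-1:1.0 -> .../1-1
        vid=$(cat "$dev/idVendor" 2>/dev/null || echo '????')
        pid=$(cat "$dev/idProduct" 2>/dev/null || echo '????')
        echo "$vid:$pid $drv"
    done
}

# Comma-separated "VID:PID:u" entries for every uas-bound device, in the
# syntax the usb-storage 'quirks' parameter expects.
uas_quirks() {
    list_usb_storage "$1" |
        awk '$2 == "uas" { q = q (q == "" ? "" : ",") $1 ":u" } END { print q }'
}

# Deployable forms of the quirk: a modprobe.d option line (takes effect when
# usb-storage is next loaded or the device re-plugged; rebuild the initramfs
# if the module lives there) and the kernel command-line form for built-in
# drivers. Already-bound devices must be unplugged and reconnected.
quirk_config() {
    q=$(uas_quirks "$1")
    [ -n "$q" ] || { echo "# no uas-bound devices found"; return 0; }
    echo "options usb-storage quirks=$q"
    echo "usb-storage.quirks=$q"
}

# Constructed sysfs subset (vendor/product IDs invented for the demo) so the
# logic can be exercised without real hardware.
make_demo_tree() {
    root="$1"
    mkdir -p "$root/bus/usb/drivers/uas" "$root/bus/usb/drivers/usb-storage" \
             "$root/bus/usb/drivers/hub"
    # 1-1: UAS-capable disk bound to uas (the vulnerable path)
    mkdir -p "$root/bus/usb/devices/1-1" "$root/bus/usb/devices/1-1:1.0"
    echo 1234 > "$root/bus/usb/devices/1-1/idVendor"
    echo 5678 > "$root/bus/usb/devices/1-1/idProduct"
    ln -s ../../drivers/uas "$root/bus/usb/devices/1-1:1.0/driver"
    # 1-2: plain bulk-only stick bound to usb-storage (not affected)
    mkdir -p "$root/bus/usb/devices/1-2" "$root/bus/usb/devices/1-2:1.0"
    echo 2345 > "$root/bus/usb/devices/1-2/idVendor"
    echo 6789 > "$root/bus/usb/devices/1-2/idProduct"
    ln -s ../../drivers/usb-storage "$root/bus/usb/devices/1-2:1.0/driver"
    # 1-0:1.0: root hub interface, must be ignored
    mkdir -p "$root/bus/usb/devices/1-0:1.0"
    ln -s ../../drivers/hub "$root/bus/usb/devices/1-0:1.0/driver"
}

case "${1:-}" in
    --demo)
        tmp=$(mktemp -d)
        make_demo_tree "$tmp"
        list_usb_storage "$tmp"
        quirk_config "$tmp"
        rm -rf "$tmp" ;;
    --live)
        list_usb_storage /sys
        quirk_config /sys ;;
esac
```

Run it with --demo to see the output on the constructed tree, or --live on a real host. Devices forced onto usb-storage lose UAS command queueing, so remove the quirk once the patched kernel is in place; the quirk only applies at probe time, so a device that is already on uas stays there until it is re-plugged or the system reboots.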

Added: Dec 22, 2025, 5:23 PM
Updated: Dec 22, 2025, 5:23 PM

Vulnerability Rating

Custom Algorithm

spread          9.0
impact          2.5
exploitability  3.9
remediation     7.7
relevance       1.5
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.