On December 16, 2025, the Linux kernel’s maintainers disclosed and patched a race condition in the SCSI subsystem that could cause UFS-based storage to fail during system boot on certain embedded and appliance platforms. The fix—a single initialization check in the scsi_host_busy function—is small but crucial; without it, affected devices may not load their storage drivers at all, leaving your root filesystem or critical data partitions invisible.
The Technical Breakdown: A Race Condition Between Probe and Tag Initialization
At the heart of this issue is a recent change to the kernel’s block multi-queue (blk-mq) layer. In commit 995412e23bb2, developers replaced a traditional spinlock (tags->lock) with Sleepable Read-Copy Update (SRCU) to protect tag iterators. SRCU improves scalability by allowing concurrent readers without heavy locking, but it assumes the tagset structure is fully initialized before any iteration begins.
The problem arose because scsi_host_busy—a function that checks how many commands a SCSI host is currently handling—can be called very early during device driver probe, before the SCSI host’s tagset has been set up. When that happened on platforms like certain Rockchip UFS implementations, the kernel dove into __srcu_read_lock on an uninitialized tagset, producing a nasty stack trace and often aborting the probe. The observed call stack typically included:
__srcu_read_lock
blk_mq_tagset_busy_iter
scsi_host_busy
ufshcd_print_host_state
ufshcd_link_startup
ufshcd_init
...
The fix, merged upstream and backported to stable trees, adds a simple guard: before scsi_host_busy attempts to iterate over tags, it now checks that tag_set->ops has been assigned by scsi_mq_setup_tags. If not, it bails out early, avoiding the SRCU access on an incomplete structure. This relies on the serialization guarantee that, for a given SCSI host, tagset setup completes before scsi_host_busy is legitimately called—a guarantee that holds true in the affected UFS driver paths.
What It Means for You: Broken Storage and Boot Failures
This bug is not a remote code execution vulnerability, but it is a severe reliability issue. If you manage systems that rely on UFS storage—commonly found in embedded devices, single-board computers, some tablets, and high-end Android handsets—you could face one of these scenarios:
- Complete boot failure: If the bootloader and kernel reside on a UFS device, a failed probe during early init leaves you with no root filesystem. The system either panics or drops into an emergency shell.
- Missing secondary storage: On systems where UFS is not the primary boot medium but holds critical data or logs, you might boot but find the device missing entirely. Applications that depend on that storage will malfunction or crash.
- Silent data loss risks: In some edge cases, the race condition might not stop the entire probe but could corrupt ongoing operations, leading to undetected file system damage.
The primary victims are embedded/device engineers and fleet administrators running Linux kernels that incorporated the blk-mq refactor without the follow-up guard. Distributions like Debian, Ubuntu, and Yocto-based embedded builds are affected if they ship a kernel between the SRCU change and this fix. Cloud providers using hardware with UFS root devices (rare, but possible in some edge or IoT solutions) might also see boot-time hangs in their virtualized images.
How We Got Here: A Timeline of a Concurrency Refactor Side Effect
Understanding the chain of events clarifies why such a tiny oversight had big consequences:
- Commits introducing SRCU in blk-mq (circa kernel 6.x merges): Developers sought to remove heavy locks from the tag iteration path. The new SRCU-based iterator was faster and cleaner, but it implicitly demanded that the tagset be fully initialized before use.
- Regression surfaces in UFS probe paths (reported by Rockchip platform maintainers): On certain SoCs, the UFS driver’s probe sequence called
scsi_host_busybefore the SCSI mid-layer had finished setting up the tagset. The exact interleaving depended on hardware timing and device tree configurations, making the bug intermittent but reproducible in lab environments. - CVE-2025-68224 assigned (December 16, 2025): The kernel security team recognized that the resulting stack traces and potential device initialization failures warranted a CVE to ensure distribution vendors took notice. The advisory was published with a severity of “Medium” by Microsoft’s MSRC (likely because the Windows subsystem for Linux or Azure Linux images might be impacted).
- Upstream fix lands (Concurrent with disclosure): A minimal patch was applied to
scsi_host_busyto check tagset initialization. Stable kernel maintainers began backporting it to still-supported long-term branches.
What to Do Now: Detection, Patching, and Verification
If you are responsible for any Linux systems that might use UFS storage, act now:
-
Determine if you are vulnerable
- Check your kernel version:uname -r
- Look for UFS modules or built-in support:lsmod | grep -i ufs,grep CONFIG_SCSI_UFS /boot/config-$(uname -r)
- Search logs for the telltale stack trace:journalctl -b | grep -i "__srcu_read_lock"or look for messages containingufshcd_initfailing right after a scsi_host_busy trace. If you see these, your system is likely affected. -
Patch your kernel
- For distribution users: Monitor your distro’s security advisories for CVE-2025-68224. Kernel updates for Debian, Ubuntu, Fedora, and others will include the fix. Install the update and reboot.
- For embedded/device builders: Backport the one-line change to your kernel tree, rebuild, and reflash. The patch is trivial:
c if (!shost->tag_set.ops) return;
(placed at the top ofscsi_host_busyindrivers/scsi/scsi_lib.c). Ensure you test on all hardware variants, as probe ordering can differ. -
Verify the fix
- After booting the new kernel, confirm that UFS devices appear correctly:lsblkshould show your storage, anddmesg | grep ufsshould show successful probe messages with no stack traces.
- Monitor system stability for a few days, paying attention to storage-related error rates (iostat,smartctlif applicable).
If immediate patching is impossible, short-term workarounds are limited. You might attempt to blacklist the UFS driver and load it manually after boot in a custom initramfs, but this is fragile and not recommended. The only reliable mitigation is the patched kernel.
Outlook: Why Small Concurrency Changes Deserve Scrutiny
CVE-2025-68224 is a textbook example of how switching synchronization primitives can unravel implicit ordering assumptions. The Linux kernel’s move toward SRCU for performance gains is commendable, but it demands that all iteration entry points are audited for initialization safety. We can expect more such targeted fixes as SRCU adoption expands into other subsystems. For system administrators and embedded developers, the lesson is clear: concurrency refactors in core infrastructure always carry risk, no matter how innocent they look. Keep your kernels up-to-date, watch for similar CVE advisories, and when integrating hardware-specific drivers, validate probe sequences under heavy load and varied timing conditions.
Meanwhile, the kernel’s approach of shipping minimal, surgical fixes remains the best defense against regression bugs—fast to backport, easy to verify, and unlikely to introduce new faults. This one line of code may have prevented countless hours of debugging for you; now it’s your turn to deploy it.