CVE-2025-68316
Description
In the Linux kernel, the following vulnerability has been resolved:
scsi: ufs: core: Fix invalid probe error return value
After DME Link Startup, the error return value is set to the MIPI UniPro GenericErrorCode which can be 0 (SUCCESS) or 1 (FAILURE). Upon failure during driver probe, the error code 1 is propagated back to the driver probe function which must return a negative value to indicate an error, but 1 is not negative, so the probe is considered to be successful even though it failed. Subsequently, removing the driver results in an oops because it is not in a valid state.
This happens because none of the callers of ufshcd_init() expect a non-negative error code.
Fix the return value and documentation to match actual usage.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A logic error in the Linux kernel UFS driver causes a non-negative error code (1) to be returned from DME Link Startup, making a failed probe appear successful and leading to a kernel oops on driver removal.
Root cause
In the Linux kernel UFS (Universal Flash Storage) driver, during DME Link Startup, the error return value is incorrectly set to the MIPI UniPro GenericErrorCode, which can be either 0 (SUCCESS) or 1 (FAILURE). When a failure occurs during driver probe, this error code 1 is propagated up to the probe function. However, the probe function expects a negative value on failure; returning 1 (a non-negative value) causes the kernel to treat the probe as successful even though it actually failed [1].
Exploitation context
This bug is triggered during the driver's probe sequence when DME Link Startup fails. No special attacker prerequisite is required beyond the hardware condition causing the link startup to fail. The error return value of 1 is passed up as-is rather than being converted to a negative errno, violating the kernel convention for probe error handling [1].
Impact
After a failed probe that is incorrectly treated as successful, the driver's internal state is not fully initialized. When the driver is later removed (e.g., via unbind or module removal), the kernel attempts to clean up a partially initialized device, resulting in a kernel oops (crash) [1]. This can lead to system instability or denial of service.
Mitigation
The fix corrects the return value and updates documentation to ensure that a negative error code is returned on failure. The patch has been applied to the Linux kernel stable tree [1]. Users should apply the updated kernel version to prevent this issue.
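The contract mismatch described in the root cause and mitigation above, as an added illustration in plain C that is not the kernel's or the UFS driver's code: the GenericErrorCode enum, the fake link-startup routine, `link_startup_buggy`, `link_startup_fixed` and `probe_with` are constructed stand-ins, and -EIO in the fixed variant is an assumed choice, not necessarily the errno the kernel patch uses.

```c
#include <errno.h>

/* Constructed stand-in for the MIPI UniPro GenericErrorCode the page describes:
 * 0 means SUCCESS, 1 means FAILURE. Neither value is a negative errno. */
enum generic_error_code { GEC_SUCCESS = 0, GEC_FAILURE = 1 };

/* Simulated DME Link Startup (constructed): hands back the raw hardware code. */
static int fake_dme_link_startup(enum generic_error_code hw_result)
{
    return (int)hw_result;
}

/* Buggy pattern: the raw code becomes the function's return value, so a
 * failure comes back as 1, which is not negative. */
int link_startup_buggy(enum generic_error_code hw_result)
{
    return fake_dme_link_startup(hw_result);
}

/* Fixed pattern: translate the hardware code into the kernel convention at
 * the boundary. -EIO is an assumption here, not necessarily the patch's value. */
int link_startup_fixed(enum generic_error_code hw_result)
{
    return fake_dme_link_startup(hw_result) == GEC_SUCCESS ? 0 : -EIO;
}

/* Minimal probe that follows the "negative means failure" convention and
 * records whether it considered the device initialized. */
int probe_with(int (*startup)(enum generic_error_code),
               enum generic_error_code hw_result, int *initialized)
{
    int err = startup(hw_result);

    if (err < 0) {
        *initialized = 0;
        return err;
    }
    *initialized = 1;   /* with the buggy startup this runs even on failure */
    return 0;
}

/* Defensive check for a probe path: a probe return value must be zero or a
 * negative errno; any positive value is a contract violation worth flagging. */
int probe_return_is_valid(int ret)
{
    return ret <= 0;
}
```

With the buggy startup a failed link startup leaves the device marked initialized, which is the state a later removal then trips over.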
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
References: 2
News mentions: 0 (no linked articles in the index yet)