Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's MMC (MultiMediaCard) core has been addressed. The issue involved the management of claim and retune control flags, which were improperly handled as bitfields. This configuration led to unintended read-modify-write (RMW) side effects in asynchronous contexts. Specifically, the 'claimed' bit shared a word with retune flags, allowing writes to one to inadvertently overwrite the other. This could trigger false warnings about the host being unclaimed. The vulnerability affected the Linux kernel stable tree.
The vulnerability could cause incorrect handling of the MMC host's claimed status, leading to spurious warnings and potentially disrupting the expected behavior of MMC device management.
The vulnerability can be reproduced by concurrently updating the 'claimed' and retune flags in different contexts. This can be done by invoking the '__mmc_claim_host()' function to claim the host, while simultaneously triggering a retune operation through the 'mmc_mq_queue_rq()' function. The overlap in flag management can cause one operation to unintentionally interfere with the other, creating a conflict that manifests as a false warning about the host's claimed status.
The vulnerability has been fixed by moving the claimed and retune flags out of the bitfield and into separate boolean variables. This change eliminates the shared-word coupling that caused the issue, allowing for safe concurrent updates. Users should upgrade to the latest version of the Linux kernel stable tree where this fix has been applied.
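The lost update and the fix described above, replayed deterministically in user-space C as an added example (this is not the kernel patch or kernel code). The struct layouts and function names are assumptions for illustration, and the interleaving of the two contexts is written out by hand instead of using real threads.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Illustrative layouts only; not the kernel's struct mmc_host. */
struct flags_bitfield {          /* before: flags packed into one word */
    unsigned int claimed:1;
    unsigned int retune_now:1;
};

struct flags_bool {              /* after: each flag is its own object */
    bool claimed;
    bool retune_now;
};

/*
 * A bitfield store is load-word / modify-bit / store-word. Replay that
 * sequence by hand, with a store from a second context landing between
 * the first context's load and its store.
 */
static bool claimed_survives_bitfield(void)
{
    struct flags_bitfield host = {0};
    struct flags_bitfield stale;

    memcpy(&stale, &host, sizeof(stale)); /* context A: load shared word  */
    host.claimed = 1;                     /* context B: claim the host    */
    stale.retune_now = 1;                 /* context A: modify its own bit */
    memcpy(&host, &stale, sizeof(host));  /* context A: store whole word  */

    return host.claimed;                  /* false: B's update was lost   */
}

/* Same two updates with separate bools: each store touches only its own
 * member, so there is no shared word to snapshot and write back. */
static bool claimed_survives_bool(void)
{
    struct flags_bool host = {0};

    host.claimed = true;                  /* context B */
    host.retune_now = true;               /* context A */

    return host.claimed && host.retune_now; /* true: both updates kept */
}

int main(void)
{
    printf("bitfield layout keeps claimed: %d\n", claimed_survives_bitfield());
    printf("bool layout keeps claimed:     %d\n", claimed_survives_bool());
    return 0;
}
```

With the bitfield layout the claim vanishes even though no code ever cleared it, which is the condition that produces the false "host unclaimed" warning.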