Description
In the Linux kernel, the following vulnerability has been resolved: smb: client: split cached_fid bitfields to avoid shared-byte RMW races is_open, has_lease and on_list are stored in the same bitfield byte in struct cached_fid but are updated in different code paths that may run concurrently. Bitfield assignments generate byte read–modify–write operations (e.g. `orb $mask, addr` on x86_64), so updating one flag can restore stale values of the others. A possible interleaving is: CPU1: load old byte (has_lease=1, on_list=1) CPU2: clear both flags (store 0) CPU1: RMW store (old | IS_OPEN) -> reintroduces cleared bits To avoid this class of races, convert these flags to separate bool fields.
Product status
ebe98f1447bbccf8228335c62d86af02a0ed23f7 (git) before 569fecc56bfe4df66f05734d67daef887746656b
ebe98f1447bbccf8228335c62d86af02a0ed23f7 (git) before 4386f6af8aaedd0c5ad6f659b40cadcc8f423828
ebe98f1447bbccf8228335c62d86af02a0ed23f7 (git) before 3eaa22d688311c708b73f3c68bc6d0c8e3f0f77a
ebe98f1447bbccf8228335c62d86af02a0ed23f7 (git) before c4b9edd55987384a1f201d3d07ff71e448d79c1b
ebe98f1447bbccf8228335c62d86af02a0ed23f7 (git) before 4cfa4c37dcbcfd70866e856200ed8a2894cac578
ebe98f1447bbccf8228335c62d86af02a0ed23f7 (git) before ec306600d5ba7148c9dbf8f5a8f1f5c1a044a241
6.1
Any version before 6.1
6.1.164 (semver)
6.6.125 (semver)
6.12.72 (semver)
6.18.11 (semver)
6.19.1 (semver)
7.0-rc1 (original_commit_for_fix)
References
git.kernel.org/...c/569fecc56bfe4df66f05734d67daef887746656b
git.kernel.org/...c/4386f6af8aaedd0c5ad6f659b40cadcc8f423828
git.kernel.org/...c/3eaa22d688311c708b73f3c68bc6d0c8e3f0f77a
git.kernel.org/...c/c4b9edd55987384a1f201d3d07ff71e448d79c1b
git.kernel.org/...c/4cfa4c37dcbcfd70866e856200ed8a2894cac578
git.kernel.org/...c/ec306600d5ba7148c9dbf8f5a8f1f5c1a044a241