CVE-2023-53169
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 15/09/2025
Last modified: 15/09/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

x86/resctrl: Clear staged_config[] before and after it is used

As a temporary storage, staged_config[] in rdt_domain should be cleared
before and after it is used. The stale value in staged_config[] could
cause an MSR access error.

Here is a reproducer on a system with 16 usable CLOSIDs for a 15-way L3
Cache (MBA should be disabled if the number of CLOSIDs for MB is less than
16.):
    mount -t resctrl resctrl -o cdp /sys/fs/resctrl
    mkdir /sys/fs/resctrl/p{1..7}
    umount /sys/fs/resctrl/
    mount -t resctrl resctrl /sys/fs/resctrl
    mkdir /sys/fs/resctrl/p{1..8}

An error occurs when creating resource group named p8:
    unchecked MSR access error: WRMSR to 0xca0 (tried to write 0x00000000000007ff) at rIP: 0xffffffff82249142 (cat_wrmsr+0x32/0x60)
    Call Trace:

    __flush_smp_call_function_queue+0x11d/0x170
    __sysvec_call_function+0x24/0xd0
    sysvec_call_function+0x89/0xc0


    asm_sysvec_call_function+0x16/0x20

When creating a new resource control group, hardware will be configured
by the following process:
    rdtgroup_mkdir()
      rdtgroup_mkdir_ctrl_mon()
        rdtgroup_init_alloc()
          resctrl_arch_update_domains()

resctrl_arch_update_domains() iterates and updates all resctrl_conf_type
whose have_new_ctrl is true. Since staged_config[] holds the same values as
when CDP was enabled, it will continue to update the CDP_CODE and CDP_DATA
configurations. When group p8 is created, get_config_index() called in
resctrl_arch_update_domains() will return 16 and 17 as the CLOSIDs for
CDP_CODE and CDP_DATA, which will be translated to an invalid register -
0xca0 in this scenario.

Fix it by clearing staged_config[] before and after it is used.

[reinette: re-order commit tags]
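
The index arithmetic behind the error above, as an added example that is not part of the advisory or of the kernel patch: a user-space C model that replays the reproducer with and without clearing staged_config[]. The index mapping inside get_config_index(), the 0xc90 MSR base, and the helpers stage(), staged_clear(), mkdir_group() and replay() are assumptions chosen to match the 16, 17 and 0xca0 values quoted in the description.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-space model, not kernel code; type and field names follow the advisory text. */
enum resctrl_conf_type { CDP_NONE, CDP_CODE, CDP_DATA, CDP_NUM_TYPES };
struct staged { uint32_t new_ctrl; bool have_new_ctrl; };
#define L3_MSR_BASE 0xc90u /* assumed L3 mask MSR base: index 16 is the log's 0xca0 */
#define HW_CLOSIDS  16u    /* reproducer system: 16 usable CLOSIDs */
static struct staged staged_config[CDP_NUM_TYPES];

static uint32_t get_config_index(uint32_t closid, enum resctrl_conf_type t) {
    return t == CDP_CODE ? closid * 2 + 1 : t == CDP_DATA ? closid * 2 : closid;
}
static void stage(enum resctrl_conf_type t, uint32_t v) { staged_config[t] = (struct staged){ v, true }; }
/* Hypothetical helper standing in for the fix: wipe the temporary storage. */
static void staged_clear(void) { memset(staged_config, 0, sizeof(staged_config)); }
/* Visit every staged type; return the lowest out-of-range MSR hit, or 0 if none. */
static uint32_t update_domains(uint32_t closid) {
    uint32_t bad = 0;
    for (int t = 0; t < CDP_NUM_TYPES; t++) {
        if (!staged_config[t].have_new_ctrl) continue;
        uint32_t msr = L3_MSR_BASE + get_config_index(closid, (enum resctrl_conf_type)t);
        if (msr >= L3_MSR_BASE + HW_CLOSIDS && (!bad || msr < bad)) bad = msr;
    }
    return bad;
}
/* One mkdir: stage the types of the current mount mode, then apply (0x7ff is the logged value). */
static uint32_t mkdir_group(uint32_t closid, bool cdp, bool fixed) {
    if (fixed) staged_clear();                      /* before use */
    if (cdp) { stage(CDP_CODE, 0x7ff); stage(CDP_DATA, 0x7ff); }
    else stage(CDP_NONE, 0x7ff);
    uint32_t bad = update_domains(closid);
    if (fixed) staged_clear();                      /* after use */
    return bad;
}
/* Replay the reproducer: p1..p7 under -o cdp, then p1..p8 on a plain mount. */
static uint32_t replay(bool fixed) {
    uint32_t bad = 0;
    staged_clear();
    for (uint32_t c = 1; c <= 7 && !bad; c++) bad = mkdir_group(c, true, fixed);
    for (uint32_t c = 1; c <= 8 && !bad; c++) bad = mkdir_group(c, false, fixed);
    return bad;
}
int main(void) {
    printf("unfixed: 0x%x  fixed: 0x%x\n", (unsigned)replay(false), (unsigned)replay(true));
    return 0;
}
```

In the model, groups p1 through p7 on the plain mount also re-apply the stale CDP_CODE and CDP_DATA entries, but their indices stay below 16, so only p8 reaches an out-of-range register.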