In the Linux kernel, the following vulnerability has been resolved:
powerpc: Avoid nmienter/nmiexit in real mode interrupt.
nmienter()/nmiexit() touches per cpu variables which can lead to kernel crash when invoked during real mode interrupt handling (e.g. early HMI/MCE interrupt handler) if percpu allocation comes from vmalloc area.
Early HMI/MCE handlers are called through DEFINEINTERRUPTHANDLERNMI() wrapper which invokes nmienter/nmiexit calls. We don't see any issue when percpu allocation is from the embedded first chunk. However with CONFIGNEEDPERCPUPAGEFIRST_CHUNK enabled there are chances where percpu allocation can come from the vmalloc area.
With kernel command line "percpualloc=page" we can force percpu allocation to come from vmalloc area and can see kernel crash in machinecheck_early:
[ 1.215714] NIP [c000000000e49eb4] rcunmienter+0x24/0x110 [ 1.215717] LR [c0000000000461a0] machinecheckearly+0xf0/0x2c0 [ 1.215719] --- interrupt: 200 [ 1.215720] [c000000fffd73180] [0000000000000000] 0x0 (unreliable) [ 1.215722] [c000000fffd731b0] [0000000000000000] 0x0 [ 1.215724] [c000000fffd73210] [c000000000008364] machinecheckearly_common+0x134/0x1f8
Fix this by avoiding use of nmienter()/nmiexit() in real mode if percpu first chunk is not embedded.