From: Greg KH <gregkh@linuxfoundation.org>
To: Jinjie Ruan <ruanjinjie@huawei.com>
Cc: dennis@kernel.org, tj@kernel.org, cl@linux.com,
mpe@ellerman.id.au, benh@kernel.crashing.org, paulus@samba.org,
christophe.leroy@csgroup.eu, mahesh@linux.ibm.com,
linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org,
stable@vger.kernel.org
Subject: Re: [PATCH v5.10 v2 RESEND] powerpc: Avoid nmi_enter/nmi_exit in real mode interrupt.
Date: Tue, 13 Aug 2024 14:48:14 +0200
Message-ID: <2024081306-pointless-pacemaker-32b2@gregkh>
In-Reply-To: <20240813113344.1837556-1-ruanjinjie@huawei.com>
On Tue, Aug 13, 2024 at 11:33:44AM +0000, Jinjie Ruan wrote:
> From: Mahesh Salgaonkar <mahesh@linux.ibm.com>
>
> [ Upstream commit 0db880fc865ffb522141ced4bfa66c12ab1fbb70 ]
>
> nmi_enter()/nmi_exit() touches per cpu variables which can lead to kernel
> crash when invoked during real mode interrupt handling (e.g. early HMI/MCE
> interrupt handler) if percpu allocation comes from vmalloc area.
>
> Early HMI/MCE handlers are called through DEFINE_INTERRUPT_HANDLER_NMI()
> wrapper which invokes nmi_enter/nmi_exit calls. We don't see any issue when
> percpu allocation is from the embedded first chunk. However with
> CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK enabled there are chances where percpu
> allocation can come from the vmalloc area.
>
> With kernel command line "percpu_alloc=page" we can force percpu allocation
> to come from vmalloc area and can see kernel crash in machine_check_early:
>
> [ 1.215714] NIP [c000000000e49eb4] rcu_nmi_enter+0x24/0x110
> [ 1.215717] LR [c0000000000461a0] machine_check_early+0xf0/0x2c0
> [ 1.215719] --- interrupt: 200
> [ 1.215720] [c000000fffd73180] [0000000000000000] 0x0 (unreliable)
> [ 1.215722] [c000000fffd731b0] [0000000000000000] 0x0
> [ 1.215724] [c000000fffd73210] [c000000000008364] machine_check_early_common+0x134/0x1f8
>
> Fix this by avoiding use of nmi_enter()/nmi_exit() in real mode if percpu
> first chunk is not embedded.
>
> CVE-2024-42126
> Cc: stable@vger.kernel.org # 5.10.x
> Cc: gregkh@linuxfoundation.org
> Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
> Tested-by: Shirisha Ganta <shirisha@linux.ibm.com>
> Signed-off-by: Mahesh Salgaonkar <mahesh@linux.ibm.com>
> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
> Link: https://msgid.link/20240410043006.81577-1-mahesh@linux.ibm.com
> [ Conflicts in arch/powerpc/include/asm/interrupt.h
> because machine_check_early() and machine_check_exception()
> have been refactored. ]
> Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
> ---
> v2:
> - Also fix for CONFIG_PPC_BOOK3S_64 not enabled.
> - Add Upstream.
> - Cc stable@vger.kernel.org.
> ---
Both now queued up, thanks.
greg k-h