A kernel crash can be triggered from unprivileged userspace during core dump on a POWER system with a certain configuration due to a missing processor feature check and an erroneous use of transactional memory (TM) instructions in the core dump path leading to a denial of service.
An upstream fix:
*** Bug 1558150 has been marked as a duplicate of this bug. ***
*** Bug 1558152 has been marked as a duplicate of this bug. ***
A certain configuration of POWER system needed to hit the flaw can be:
- The case that kernel was compiled with CONFIG_PPC_TRANSACTIONAL_MEM enabled and ran on a CPU without transactional memory (TM) feature available, thus rendering the execution of TM instructions that are treated by the CPU as illegal instructions. (see this quote in the upstream commit)
- In case of POWER host and KVM guest the core dump code unconditionally tries to use transactional memory (TM) instructions to flush TM state back to the thread structure. As qemu currently disables TM by default in guests, this causes an illegal instruction in the guest kernel and hence the crash.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2018:1318 https://access.redhat.com/errata/RHSA-2018:1318