Linux Kernel RTAS MSR Handling Vulnerability Leading to Watchdog-Induced Panic

Vulnerability

A vulnerability has been identified in the Linux kernel's powerpc code that manages the Machine State Register (MSR) around Run-Time Abstraction Services (RTAS) calls. RTAS must be entered in real mode (MSR[IR] and MSR[DR] clear) and in 32-bit big-endian mode (MSR[SF] and MSR[LE] clear); while deriving this entry MSR, the kernel also cleared MSR[RI], the Recoverable Interrupt bit, although the Power Architecture Platform Requirements (PAPR) specification calls for RTAS to be entered with MSR[RI] set. With MSR[RI] clear, an interrupt that arrives while RTAS is executing (a watchdog interrupt in the reported case) finds the CPU in a state the kernel's interrupt handlers treat as unrecoverable, so instead of resuming the RTAS call the kernel reports a CPU hard lockup and panics. The issue was observed on SUSE Linux Enterprise 15 SP4 with an unreleased kernel build, 5.14.21-150400.71.1.bz196362_2-default.

Impact

Entering RTAS without MSR[RI] set turns any interrupt taken during the RTAS call into an unrecoverable exception: the affected CPU hard locks and the kernel panics rather than returning to the interrupted code. The consequence is a denial of service of the whole system (an unplanned reboot and the downtime that follows), not a privilege escalation or information disclosure. No crafted input is needed; the condition arises in normal operation whenever an interrupt source such as the watchdog fires while a CPU is inside RTAS.

Reproduction

Two things must coincide to trigger the failure: a CPU executing inside an RTAS call, which the affected kernel always enters with MSR[RI] clear, and an interrupt delivered to that CPU while it is there. In the reported case the interrupt came from the watchdog firing during an RTAS call; the handler found MSR[RI] clear in the interrupted state and the kernel panicked with a CPU hard lockup. Because it depends on an interrupt landing inside the RTAS window, reproduction is timing dependent: workloads that make frequent or long-running RTAS calls widen the window, while a single call rarely hits it. A fixed kernel enters RTAS with MSR[RI] set, so the same interrupt is taken and returned from normally. To check a given kernel build, inspect how the powerpc RTAS entry path computes the MSR it hands to RTAS: if MSR[RI] is masked out of that value, the build is affected.
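To make the failure mode concrete, here is an added C model of the two pieces involved; it is illustration written for this page, not kernel code and not code from the original entry. It models the MSR value the kernel places in SRR1 before transferring into RTAS and the check an interrupt handler performs on the interrupted MSR. Bit positions follow the kernel's reg.h numbering. The pre-fix computation is an assumption modelled on the old entry path, which masked MSR[RI] out together with the mode bits; the fixed value assumes the constant MSR[ME] | MSR[RI]. All function names are hypothetical.

```c
/* Model of the MSR the powerpc kernel hands to RTAS, before and after the
 * fix that keeps MSR[RI] set, plus the recoverability check an interrupt
 * handler applies. Added illustration, not kernel code. Bit numbers follow
 * the kernel's reg.h (MSR_*_LG); the "vulnerable" path is an assumption
 * modelled on the pre-fix entry code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MSR_BIT(n) (1ULL << (n))
#define MSR_SF   MSR_BIT(63)  /* 64-bit mode */
#define MSR_EE   MSR_BIT(15)  /* external interrupts enabled */
#define MSR_FP   MSR_BIT(13)  /* floating point available */
#define MSR_ME   MSR_BIT(12)  /* machine check enable */
#define MSR_FE0  MSR_BIT(11)  /* FP exception mode 0 */
#define MSR_SE   MSR_BIT(10)  /* single step */
#define MSR_BE   MSR_BIT(9)   /* branch trace */
#define MSR_FE1  MSR_BIT(8)   /* FP exception mode 1 */
#define MSR_IR   MSR_BIT(5)   /* instruction relocate */
#define MSR_DR   MSR_BIT(4)   /* data relocate */
#define MSR_RI   MSR_BIT(1)   /* recoverable interrupt */
#define MSR_LE   MSR_BIT(0)   /* little endian */

/* Pre-fix style (assumption): start from the running kernel MSR and strip
 * what RTAS must not run with. RI is in the mask, which is the defect. */
uint64_t rtas_entry_msr_vulnerable(uint64_t cur_msr)
{
    uint64_t m = cur_msr & ~(MSR_EE | MSR_SE | MSR_BE | MSR_RI);
    m &= ~(MSR_SF | MSR_IR | MSR_DR | MSR_FE0 | MSR_FE1 | MSR_FP | MSR_RI | MSR_LE);
    return m;
}

/* Fixed style (assumption): a constant. Real mode, 32-bit and big endian
 * follow from the bits that are absent; ME keeps machine checks enabled;
 * RI marks the interrupted state as recoverable. */
uint64_t rtas_entry_msr_fixed(void)
{
    return MSR_ME | MSR_RI;
}

/* RTAS's own entry requirements: relocation off, 32-bit, big endian. */
bool msr_is_valid_rtas_mode(uint64_t msr)
{
    return !(msr & (MSR_IR | MSR_DR | MSR_SF | MSR_LE));
}

/* What an interrupt handler does on entry: if the interrupted context had
 * RI clear, SRR0/SRR1 cannot be trusted, so the kernel panics instead of
 * returning. Returns 0 if the interrupt can be handled and resumed, -1 if
 * it is an unrecoverable exception. */
int interrupt_taken_in_rtas(uint64_t interrupted_msr)
{
    if (!(interrupted_msr & MSR_RI))
        return -1;   /* unrecoverable: panic */
    return 0;        /* handle it, then return into RTAS */
}

/* Whole scenario: a watchdog interrupt lands while the CPU is in RTAS.
 * Returns true if the system panics, false if it survives. */
bool watchdog_hits_rtas(uint64_t cur_msr, bool fixed_kernel)
{
    uint64_t rtas_msr = fixed_kernel ? rtas_entry_msr_fixed()
                                     : rtas_entry_msr_vulnerable(cur_msr);
    if (!msr_is_valid_rtas_mode(rtas_msr))
        return true; /* RTAS would misbehave; treat as fatal */
    return interrupt_taken_in_rtas(rtas_msr) != 0;
}

int main(void)
{
    /* Constructed kernel-mode MSR: 64-bit, relocation on, EE/ME/RI set. */
    uint64_t kernel_msr = MSR_SF | MSR_EE | MSR_ME | MSR_IR | MSR_DR | MSR_RI;

    printf("vulnerable entry MSR 0x%016llx -> %s\n",
           (unsigned long long)rtas_entry_msr_vulnerable(kernel_msr),
           watchdog_hits_rtas(kernel_msr, false) ? "panic" : "survives");
    printf("fixed entry MSR      0x%016llx -> %s\n",
           (unsigned long long)rtas_entry_msr_fixed(),
           watchdog_hits_rtas(kernel_msr, true) ? "panic" : "survives");
    return 0;
}
```

Both entry values satisfy RTAS's mode requirements, so RTAS itself runs fine either way; the only difference is whether an interrupt arriving in that window can be returned from. That is why the bug stays invisible until something like the watchdog fires inside a call.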

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.