Received: by 2002:a05:6a10:5bc5:0:0:0:0 with SMTP id os5csp1252043pxb; Tue, 26 Oct 2021 05:42:36 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzQaI7Tk0RMLppiTFKPQWxD8LkKJ9n+Oj7yyBIksPZLSDfBKXYbtHNKmStahWgdp0utXbIS X-Received: by 2002:aa7:8246:0:b0:44b:4870:1b09 with SMTP id e6-20020aa78246000000b0044b48701b09mr26174769pfn.82.1635252156790; Tue, 26 Oct 2021 05:42:36 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1635252156; cv=none; d=google.com; s=arc-20160816; b=rce14NxLH2z6JmipB932K7uKO27byvJ4DQU5A8kIg6TdbXH4R95bqqeJ53Kr1xkdwI q0v5UliCIRj4axlHO0wtuC9YYd81pginWzmoVnEhVOM7/MAv7b9hOCDPoHYOUUUDaTmM RLh7jGV5QXQwMsterEnxaSAilUnuI0XdojGKndyJDbNXmd6jAcWvjwKbP8Hi+xavAC4F Kw/dFAKhV13DosM6y3AC7slNWTYrUb7s4HHLblQiEdo6dHQnv7D9gOU3sp3sivxEvSQt g5TbgSG2LiloUjdjrZHOzSl7jRqvjnUCzU8/QQoTrCxASAJ3DaQCiimJvSoxCl0hVFEV xq/g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=Rwan3K6++TdHpIx6M/YjWci4Z33VfRdwWzvUn0jaOEU=; b=UsDH+WemwGbPv49BueeCypubPKWETJxJeXaEM+SeH78xjeB0PbxZWmavL2DRJb7Q6u 9MSX8OYoHGwXWwU7pT30OK4u/5tLhHOfRra4uEJ3BDlZLt1Q0p0w/I5u9EaziCkLdSss GFlXQ66C+jXx6LNlUMMSdFfVlaJWt6r3e24cl5R4+2IUq6LrvmaxJzYcGA4zGgRLjdrB bf+CjKGz7fVyPNzy2e+sViBAuAbOSloETbFscrbbtH8pYtuespiVb19/6m/G4ng/W7EJ Bv7TuZIl0kos5/5aI4qsnUNMWk9hp7C57XngTSLR2hO/ec0yD6Klqy1+31gP3ex6qHUZ xpUA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id j9si1674667plh.39.2021.10.26.05.42.23; Tue, 26 Oct 2021 05:42:36 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233439AbhJZJac convert rfc822-to-8bit (ORCPT + 99 others); Tue, 26 Oct 2021 05:30:32 -0400 Received: from gloria.sntech.de ([185.11.138.130]:35628 "EHLO gloria.sntech.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233688AbhJZJab (ORCPT ); Tue, 26 Oct 2021 05:30:31 -0400 Received: from ip5f5a6e92.dynamic.kabel-deutschland.de ([95.90.110.146] helo=diego.localnet) by gloria.sntech.de with esmtpsa (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1mfIkT-0004nO-E1; Tue, 26 Oct 2021 11:28:01 +0200 From: Heiko =?ISO-8859-1?Q?St=FCbner?= To: Geert Uytterhoeven Cc: re@w6rz.net, linux-riscv , Paul Walmsley , Palmer Dabbelt , Albert Ou , Linux Kernel Mailing List Subject: Re: Out-of-bounds access when hartid >= NR_CPUS Date: Tue, 26 Oct 2021 11:28:00 +0200 Message-ID: <1714720.9tEa3Li8Nu@diego> In-Reply-To: References: <2328512.Zi2KH1A685@diego> MIME-Version: 1.0 Content-Transfer-Encoding: 8BIT Content-Type: text/plain; charset="iso-8859-1" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Am Dienstag, 26. Oktober 2021, 10:57:26 CEST schrieb Geert Uytterhoeven: > Hi Heiko, > > On Tue, Oct 26, 2021 at 10:53 AM Heiko St?bner wrote: > > Am Dienstag, 26. Oktober 2021, 08:44:31 CEST schrieb Geert Uytterhoeven: > > > On Tue, Oct 26, 2021 at 2:37 AM Ron Economos wrote: > > > > On 10/25/21 8:54 AM, Geert Uytterhoeven wrote: > > > > > When booting a kernel with CONFIG_NR_CPUS=4 on Microchip PolarFire, > > > > > the 4th CPU either fails to come online, or the system crashes. > > > > > > > > > > This happens because PolarFire has 5 CPU cores: hart 0 is an e51, > > > > > and harts 1-4 are u54s, with the latter becoming CPUs 0-3 in Linux: > > > > > - unused core has hartid 0 (sifive,e51), > > > > > - processor 0 has hartid 1 (sifive,u74-mc), > > > > > - processor 1 has hartid 2 (sifive,u74-mc), > > > > > - processor 2 has hartid 3 (sifive,u74-mc), > > > > > - processor 3 has hartid 4 (sifive,u74-mc). > > > > > > > > > > I assume the same issue is present on the SiFive fu540 and fu740 > > > > > SoCs, but I don't have access to these. The issue is not present > > > > > on StarFive JH7100, as processor 0 has hartid 1, and processor 1 has > > > > > hartid 0. > > > > > > > > > > arch/riscv/kernel/cpu_ops.c has: > > > > > > > > > > void *__cpu_up_stack_pointer[NR_CPUS] __section(".data"); > > > > > void *__cpu_up_task_pointer[NR_CPUS] __section(".data"); > > > > > > > > > > void cpu_update_secondary_bootdata(unsigned int cpuid, > > > > > struct task_struct *tidle) > > > > > { > > > > > int hartid = cpuid_to_hartid_map(cpuid); > > > > > > > > > > /* Make sure tidle is updated */ > > > > > smp_mb(); > > > > > WRITE_ONCE(__cpu_up_stack_pointer[hartid], > > > > > task_stack_page(tidle) + THREAD_SIZE); > > > > > WRITE_ONCE(__cpu_up_task_pointer[hartid], tidle); > > > > > > > > > > The above two writes cause out-of-bound accesses beyond > > > > > __cpu_up_{stack,pointer}_pointer[] if hartid >= CONFIG_NR_CPUS. > > > > > > > > > > } > > > > https://riscv.org/wp-content/uploads/2017/05/riscv-privileged-v1.10.pdf > > > says: > > > > > > Hart IDs might not necessarily be numbered contiguously in a > > > multiprocessor system, but at least one hart must have a hart > > > ID of zero. > > > > > > Which means indexing arrays by hart ID is a no-go? > > > > Isn't that also similar on aarch64? > > > > On a rk3399 you get 0-3 and 100-101 and with the paragraph above > > something like this could very well exist on some riscv cpu too I guess. > > Yes, it looks like hart IDs are similar to MPIDRs on ARM. and they have the set_cpu_logical_map construct to map hwids to a continuous list of cpu-ids. So with hartids not being necessarily continuous this looks like riscv would need a similar mechanism.