From: Heiko Stübner
To: atishp@atishpatra.org, Palmer Dabbelt
Cc: geert@linux-m68k.org, re@w6rz.net, linux-riscv@lists.infradead.org, Paul Walmsley, aou@eecs.berkeley.edu, linux-kernel@vger.kernel.org
Subject: Re: Out-of-bounds access when hartid >= NR_CPUS
Date: Thu, 28 Oct 2021 18:12:14 +0200
Message-ID: <1733048.UrJg72UHvK@diego>
List-ID: X-Mailing-List: linux-kernel@vger.kernel.org

On Thursday, 28 October 2021 17:09:44 CEST Palmer Dabbelt wrote:
> On Wed, 27 Oct 2021 16:34:15 PDT (-0700), atishp@atishpatra.org wrote:
> > On Tue, Oct 26, 2021 at 2:34 AM Heiko Stübner wrote:
> >>
> >> On Tuesday, 26 October 2021 10:57:26 CEST Geert Uytterhoeven wrote:
> >> > Hi Heiko,
> >> >
> >> > On Tue, Oct 26, 2021 at 10:53 AM Heiko Stübner wrote:
> >> > > On Tuesday, 26 October 2021 08:44:31 CEST Geert Uytterhoeven wrote:
> >> > > > On Tue, Oct 26, 2021 at 2:37 AM Ron Economos wrote:
> >> > > > > On 10/25/21 8:54 AM, Geert Uytterhoeven wrote:
> >> > > > > > When booting a kernel with CONFIG_NR_CPUS=4 on Microchip PolarFire,
> >> > > > > > the 4th CPU either fails to come online, or the system crashes.
> >> > > > > >
> >> > > > > > This happens because PolarFire has 5 CPU cores: hart 0 is an e51,
> >> > > > > > and harts 1-4 are u54s, with the latter becoming CPUs 0-3 in Linux:
> >> > > > > >   - unused core has hartid 0 (sifive,e51),
> >> > > > > >   - processor 0 has hartid 1 (sifive,u74-mc),
> >> > > > > >   - processor 1 has hartid 2 (sifive,u74-mc),
> >> > > > > >   - processor 2 has hartid 3 (sifive,u74-mc),
> >> > > > > >   - processor 3 has hartid 4 (sifive,u74-mc).
> >> > > > > >
> >> > > > > > I assume the same issue is present on the SiFive fu540 and fu740
> >> > > > > > SoCs, but I don't have access to these. The issue is not present
> >> > > > > > on StarFive JH7100, as processor 0 has hartid 1, and processor 1
> >> > > > > > has hartid 0.
> >> > > > > >
> >> > > > > > arch/riscv/kernel/cpu_ops.c has:
> >> > > > > >
> >> > > > > > void *__cpu_up_stack_pointer[NR_CPUS] __section(".data");
> >> > > > > > void *__cpu_up_task_pointer[NR_CPUS] __section(".data");
> >> > > > > >
> >> > > > > > void cpu_update_secondary_bootdata(unsigned int cpuid,
> >> > > > > >                                    struct task_struct *tidle)
> >> > > > > > {
> >> > > > > >     int hartid = cpuid_to_hartid_map(cpuid);
> >> > > > > >
> >> > > > > >     /* Make sure tidle is updated */
> >> > > > > >     smp_mb();
> >> > > > > >     WRITE_ONCE(__cpu_up_stack_pointer[hartid],
> >> > > > > >                task_stack_page(tidle) + THREAD_SIZE);
> >> > > > > >     WRITE_ONCE(__cpu_up_task_pointer[hartid], tidle);
> >> > > > > > }
> >> > > > > >
> >> > > > > > The above two writes cause out-of-bounds accesses beyond
> >> > > > > > __cpu_up_{stack,task}_pointer[] if hartid >= CONFIG_NR_CPUS.
> >> > > >
> >> > > > https://riscv.org/wp-content/uploads/2017/05/riscv-privileged-v1.10.pdf
> >> > > > says:
> >> > > >
> >> > > >     Hart IDs might not necessarily be numbered contiguously in a
> >> > > >     multiprocessor system, but at least one hart must have a hart
> >> > > >     ID of zero.
> >> > > >
> >> > > > Which means indexing arrays by hart ID is a no-go?
> >> > >
> >> > > Isn't that also similar on aarch64?
> >> > >
> >> > > On a rk3399 you get 0-3 and 100-101, and with the paragraph above
> >> > > something like this could very well exist on some riscv cpu too, I guess.
> >> >
> >> > Yes, it looks like hart IDs are similar to MPIDRs on ARM.
> >>
> >> And they have the set_cpu_logical_map construct to map hwids
> >> to a continuous list of cpu-ids.
> >>
> >> So with hartids not being necessarily continuous, this looks like
> >> riscv would need a similar mechanism.
> >
> > RISC-V already has a similar mechanism, cpuid_to_hartid_map. Logical
> > cpu ids are continuous, while hartids can be sparse.
> >
> > The issue here is that __cpu_up_stack/task_pointer are per hart, but
> > the array size depends on NR_CPUS, which represents the logical CPU.
> >
> > That's why having a maximum number of hartids defined in the config
> > would be helpful.
>
> I don't understand why we'd have both: if we can't find a CPU number for
> a hart, then all we can do is just leave it offline. Wouldn't it be
> simpler to just rely on NR_CPUS? We'll need to fix the crashes on
> overflows either way.

I'd think so. The mhartid register is XLEN bits wide and, as the spec says,
hart IDs don't have to be contiguous, so hardware designers could adopt
really "creative" numberings. So having a NR_HARTS won't really help,
because there could be huge gaps in the numbering at some point.