CVE-2025-38407
Publication date:
25/07/2025
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
riscv: cpu_ops_sbi: Use static array for boot_data<br />
<br />
Since commit 6b9f29b81b15 ("riscv: Enable pcpu page first chunk<br />
allocator"), if NUMA is enabled, the page percpu allocator may be used<br />
on very sparse configurations, or when requested on boot with<br />
percpu_alloc=page.<br />
<br />
In that case, percpu data gets put in the vmalloc area. However,<br />
sbi_hsm_hart_start() needs the physical address of a sbi_hart_boot_data,<br />
and simply assumes that __pa() would work. This causes the just started<br />
hart to immediately access an invalid address and hang.<br />
<br />
Fortunately, struct sbi_hart_boot_data is not too large, so we can<br />
simply allocate an array for boot_data statically, putting it in the<br />
kernel image.<br />
<br />
This fixes NUMA=y SMP boot on Sophgo SG2042.<br />
<br />
To reproduce on QEMU: Set CONFIG_NUMA=y and CONFIG_DEBUG_VIRTUAL=y, then<br />
run with:<br />
<br />
qemu-system-riscv64 -M virt -smp 2 -nographic \<br />
-kernel arch/riscv/boot/Image \<br />
-append "percpu_alloc=page"<br />
<br />
Kernel output:<br />
<br />
[ 0.000000] Booting Linux on hartid 0<br />
[ 0.000000] Linux version 6.16.0-rc1 (dram@sakuya) (riscv64-unknown-linux-gnu-gcc (GCC) 14.2.1 20250322, GNU ld (GNU Binutils) 2.44) #11 SMP Tue Jun 24 14:56:22 CST 2025<br />
...<br />
[ 0.000000] percpu: 28 4K pages/cpu s85784 r8192 d20712<br />
...<br />
[ 0.083192] smp: Bringing up secondary CPUs ...<br />
[ 0.086722] ------------[ cut here ]------------<br />
[ 0.086849] virt_to_phys used for non-linear address: (____ptrval____) (0xff2000000001d080)<br />
[ 0.088001] WARNING: CPU: 0 PID: 1 at arch/riscv/mm/physaddr.c:14 __virt_to_phys+0xae/0xe8<br />
[ 0.088376] Modules linked in:<br />
[ 0.088656] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.16.0-rc1 #11 NONE<br />
[ 0.088833] Hardware name: riscv-virtio,qemu (DT)<br />
[ 0.088948] epc : __virt_to_phys+0xae/0xe8<br />
[ 0.089001] ra : __virt_to_phys+0xae/0xe8<br />
[ 0.089037] epc : ffffffff80021eaa ra : ffffffff80021eaa sp : ff2000000004bbc0<br />
[ 0.089057] gp : ffffffff817f49c0 tp : ff60000001d60000 t0 : 5f6f745f74726976<br />
[ 0.089076] t1 : 0000000000000076 t2 : 705f6f745f747269 s0 : ff2000000004bbe0<br />
[ 0.089095] s1 : ff2000000001d080 a0 : 0000000000000000 a1 : 0000000000000000<br />
[ 0.089113] a2 : 0000000000000000 a3 : 0000000000000000 a4 : 0000000000000000<br />
[ 0.089131] a5 : 0000000000000000 a6 : 0000000000000000 a7 : 0000000000000000<br />
[ 0.089155] s2 : ffffffff8130dc00 s3 : 0000000000000001 s4 : 0000000000000001<br />
[ 0.089174] s5 : ffffffff8185eff8 s6 : ff2000007f1eb000 s7 : ffffffff8002a2ec<br />
[ 0.089193] s8 : 0000000000000001 s9 : 0000000000000001 s10: 0000000000000000<br />
[ 0.089211] s11: 0000000000000000 t3 : ffffffff8180a9f7 t4 : ffffffff8180a9f7<br />
[ 0.089960] t5 : ffffffff8180a9f8 t6 : ff2000000004b9d8<br />
[ 0.089984] status: 0000000200000120 badaddr: ffffffff80021eaa cause: 0000000000000003<br />
[ 0.090101] [] __virt_to_phys+0xae/0xe8<br />
[ 0.090228] [] sbi_cpu_start+0x6e/0xe8<br />
[ 0.090247] [] __cpu_up+0x1e/0x8c<br />
[ 0.090260] [] bringup_cpu+0x42/0x258<br />
[ 0.090277] [] cpuhp_invoke_callback+0xe0/0x40c<br />
[ 0.090292] [] __cpuhp_invoke_callback_range+0x68/0xfc<br />
[ 0.090320] [] _cpu_up+0x11a/0x244<br />
[ 0.090334] [] cpu_up+0x52/0x90<br />
[ 0.090384] [] bringup_nonboot_cpus+0x78/0x118<br />
[ 0.090411] [] smp_init+0x34/0xb8<br />
[ 0.090425] [] kernel_init_freeable+0x148/0x2e4<br />
[ 0.090442] [] kernel_init+0x1e/0x14c<br />
[ 0.090455] [] ret_from_fork_kernel+0xe/0xf0<br />
[ 0.090471] [] ret_from_fork_kernel_asm+0x16/0x18<br />
[ 0.090560] ---[ end trace 0000000000000000 ]---<br />
[ 1.179875] CPU1: failed to come online<br />
[ 1.190324] smp: Brought up 1 node, 1 CPU
Severity CVSS v4.0: Pending analysis
Last modification:
25/07/2025