ghsa-qq4v-pr8w-v8hg
Vulnerability from github
Published
2025-07-25 15:30
Modified
2025-07-25 15:30
Details

In the Linux kernel, the following vulnerability has been resolved:

riscv: cpu_ops_sbi: Use static array for boot_data

Since commit 6b9f29b81b15 ("riscv: Enable pcpu page first chunk allocator"), if NUMA is enabled, the page percpu allocator may be used on very sparse configurations, or when requested on boot with percpu_alloc=page.

In that case, percpu data gets put in the vmalloc area. However, sbi_hsm_hart_start() needs the physical address of a sbi_hart_boot_data, and simply assumes that __pa() would work. This causes the just started hart to immediately access an invalid address and hang.

Fortunately, struct sbi_hart_boot_data is not too large, so we can simply allocate an array for boot_data statically, putting it in the kernel image.

This fixes NUMA=y SMP boot on Sophgo SG2042.

To reproduce on QEMU: Set CONFIG_NUMA=y and CONFIG_DEBUG_VIRTUAL=y, then run with:

qemu-system-riscv64 -M virt -smp 2 -nographic \ -kernel arch/riscv/boot/Image \ -append "percpu_alloc=page"

Kernel output:

[ 0.000000] Booting Linux on hartid 0 [ 0.000000] Linux version 6.16.0-rc1 (dram@sakuya) (riscv64-unknown-linux-gnu-gcc (GCC) 14.2.1 20250322, GNU ld (GNU Binutils) 2.44) #11 SMP Tue Jun 24 14:56:22 CST 2025 ... [ 0.000000] percpu: 28 4K pages/cpu s85784 r8192 d20712 ... [ 0.083192] smp: Bringing up secondary CPUs ... [ 0.086722] ------------[ cut here ]------------ [ 0.086849] virt_to_phys used for non-linear address: (_ptrval_) (0xff2000000001d080) [ 0.088001] WARNING: CPU: 0 PID: 1 at arch/riscv/mm/physaddr.c:14 __virt_to_phys+0xae/0xe8 [ 0.088376] Modules linked in: [ 0.088656] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.16.0-rc1 #11 NONE [ 0.088833] Hardware name: riscv-virtio,qemu (DT) [ 0.088948] epc : __virt_to_phys+0xae/0xe8 [ 0.089001] ra : __virt_to_phys+0xae/0xe8 [ 0.089037] epc : ffffffff80021eaa ra : ffffffff80021eaa sp : ff2000000004bbc0 [ 0.089057] gp : ffffffff817f49c0 tp : ff60000001d60000 t0 : 5f6f745f74726976 [ 0.089076] t1 : 0000000000000076 t2 : 705f6f745f747269 s0 : ff2000000004bbe0 [ 0.089095] s1 : ff2000000001d080 a0 : 0000000000000000 a1 : 0000000000000000 [ 0.089113] a2 : 0000000000000000 a3 : 0000000000000000 a4 : 0000000000000000 [ 0.089131] a5 : 0000000000000000 a6 : 0000000000000000 a7 : 0000000000000000 [ 0.089155] s2 : ffffffff8130dc00 s3 : 0000000000000001 s4 : 0000000000000001 [ 0.089174] s5 : ffffffff8185eff8 s6 : ff2000007f1eb000 s7 : ffffffff8002a2ec [ 0.089193] s8 : 0000000000000001 s9 : 0000000000000001 s10: 0000000000000000 [ 0.089211] s11: 0000000000000000 t3 : ffffffff8180a9f7 t4 : ffffffff8180a9f7 [ 0.089960] t5 : ffffffff8180a9f8 t6 : ff2000000004b9d8 [ 0.089984] status: 0000000200000120 badaddr: ffffffff80021eaa cause: 0000000000000003 [ 0.090101] [] __virt_to_phys+0xae/0xe8 [ 0.090228] [] sbi_cpu_start+0x6e/0xe8 [ 0.090247] [] __cpu_up+0x1e/0x8c [ 0.090260] [] bringup_cpu+0x42/0x258 [ 0.090277] [] cpuhp_invoke_callback+0xe0/0x40c [ 0.090292] [] __cpuhp_invoke_callback_range+0x68/0xfc [ 0.090320] [] _cpu_up+0x11a/0x244 [ 0.090334] [] cpu_up+0x52/0x90 [ 0.090384] [] bringup_nonboot_cpus+0x78/0x118 [ 0.090411] [] smp_init+0x34/0xb8 [ 0.090425] [] kernel_init_freeable+0x148/0x2e4 [ 0.090442] [] kernel_init+0x1e/0x14c [ 0.090455] [] ret_from_fork_kernel+0xe/0xf0 [ 0.090471] [] ret_from_fork_kernel_asm+0x16/0x18 [ 0.090560] ---[ end trace 0000000000000000 ]--- [ 1.179875] CPU1: failed to come online [ 1.190324] smp: Brought up 1 node, 1 CPU

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-38407"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-25T14:15:32Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: cpu_ops_sbi: Use static array for boot_data\n\nSince commit 6b9f29b81b15 (\"riscv: Enable pcpu page first chunk\nallocator\"), if NUMA is enabled, the page percpu allocator may be used\non very sparse configurations, or when requested on boot with\npercpu_alloc=page.\n\nIn that case, percpu data gets put in the vmalloc area. However,\nsbi_hsm_hart_start() needs the physical address of a sbi_hart_boot_data,\nand simply assumes that __pa() would work. This causes the just started\nhart to immediately access an invalid address and hang.\n\nFortunately, struct sbi_hart_boot_data is not too large, so we can\nsimply allocate an array for boot_data statically, putting it in the\nkernel image.\n\nThis fixes NUMA=y SMP boot on Sophgo SG2042.\n\nTo reproduce on QEMU: Set CONFIG_NUMA=y and CONFIG_DEBUG_VIRTUAL=y, then\nrun with:\n\n  qemu-system-riscv64 -M virt -smp 2 -nographic \\\n    -kernel arch/riscv/boot/Image \\\n    -append \"percpu_alloc=page\"\n\nKernel output:\n\n[    0.000000] Booting Linux on hartid 0\n[    0.000000] Linux version 6.16.0-rc1 (dram@sakuya) (riscv64-unknown-linux-gnu-gcc (GCC) 14.2.1 20250322, GNU ld (GNU Binutils) 2.44) #11 SMP Tue Jun 24 14:56:22 CST 2025\n...\n[    0.000000] percpu: 28 4K pages/cpu s85784 r8192 d20712\n...\n[    0.083192] smp: Bringing up secondary CPUs ...\n[    0.086722] ------------[ cut here ]------------\n[    0.086849] virt_to_phys used for non-linear address: (____ptrval____) (0xff2000000001d080)\n[    0.088001] WARNING: CPU: 0 PID: 1 at arch/riscv/mm/physaddr.c:14 __virt_to_phys+0xae/0xe8\n[    0.088376] Modules linked in:\n[    0.088656] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.16.0-rc1 #11 NONE\n[    0.088833] Hardware name: riscv-virtio,qemu (DT)\n[    0.088948] epc : __virt_to_phys+0xae/0xe8\n[    0.089001]  ra : __virt_to_phys+0xae/0xe8\n[    0.089037] epc : ffffffff80021eaa ra : ffffffff80021eaa sp : ff2000000004bbc0\n[    0.089057]  gp : ffffffff817f49c0 tp : ff60000001d60000 t0 : 5f6f745f74726976\n[    0.089076]  t1 : 0000000000000076 t2 : 705f6f745f747269 s0 : ff2000000004bbe0\n[    0.089095]  s1 : ff2000000001d080 a0 : 0000000000000000 a1 : 0000000000000000\n[    0.089113]  a2 : 0000000000000000 a3 : 0000000000000000 a4 : 0000000000000000\n[    0.089131]  a5 : 0000000000000000 a6 : 0000000000000000 a7 : 0000000000000000\n[    0.089155]  s2 : ffffffff8130dc00 s3 : 0000000000000001 s4 : 0000000000000001\n[    0.089174]  s5 : ffffffff8185eff8 s6 : ff2000007f1eb000 s7 : ffffffff8002a2ec\n[    0.089193]  s8 : 0000000000000001 s9 : 0000000000000001 s10: 0000000000000000\n[    0.089211]  s11: 0000000000000000 t3 : ffffffff8180a9f7 t4 : ffffffff8180a9f7\n[    0.089960]  t5 : ffffffff8180a9f8 t6 : ff2000000004b9d8\n[    0.089984] status: 0000000200000120 badaddr: ffffffff80021eaa cause: 0000000000000003\n[    0.090101] [\u003cffffffff80021eaa\u003e] __virt_to_phys+0xae/0xe8\n[    0.090228] [\u003cffffffff8001d796\u003e] sbi_cpu_start+0x6e/0xe8\n[    0.090247] [\u003cffffffff8001a5da\u003e] __cpu_up+0x1e/0x8c\n[    0.090260] [\u003cffffffff8002a32e\u003e] bringup_cpu+0x42/0x258\n[    0.090277] [\u003cffffffff8002914c\u003e] cpuhp_invoke_callback+0xe0/0x40c\n[    0.090292] [\u003cffffffff800294e0\u003e] __cpuhp_invoke_callback_range+0x68/0xfc\n[    0.090320] [\u003cffffffff8002a96a\u003e] _cpu_up+0x11a/0x244\n[    0.090334] [\u003cffffffff8002aae6\u003e] cpu_up+0x52/0x90\n[    0.090384] [\u003cffffffff80c09350\u003e] bringup_nonboot_cpus+0x78/0x118\n[    0.090411] [\u003cffffffff80c11060\u003e] smp_init+0x34/0xb8\n[    0.090425] [\u003cffffffff80c01220\u003e] kernel_init_freeable+0x148/0x2e4\n[    0.090442] [\u003cffffffff80b83802\u003e] kernel_init+0x1e/0x14c\n[    0.090455] [\u003cffffffff800124ca\u003e] ret_from_fork_kernel+0xe/0xf0\n[    0.090471] [\u003cffffffff80b8d9c2\u003e] ret_from_fork_kernel_asm+0x16/0x18\n[    0.090560] ---[ end trace 0000000000000000 ]---\n[    1.179875] CPU1: failed to come online\n[    1.190324] smp: Brought up 1 node, 1 CPU",
  "id": "GHSA-qq4v-pr8w-v8hg",
  "modified": "2025-07-25T15:30:53Z",
  "published": "2025-07-25T15:30:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-38407"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/02c725cd55eb5052b88eeaa3f60a391ef4dcaec5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2b29be967ae456fc09c320d91d52278cf721be1e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f5fe094f35a37adea40b2fd52c99bb1333be9b07"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.