From: sashiko-bot@kernel.org
To: fangyu.yu@linux.alibaba.com
Cc: kvm@vger.kernel.org
Subject: Re: [PATCH v3 6/9] riscv: kexec: Switch to trampoline page table before norelocate
Date: Thu, 04 Jun 2026 13:40:03 +0000
Message-ID: <20260604134003.984AC1F00893@smtp.kernel.org>
In-Reply-To: <20260604132418.15725-7-fangyu.yu@linux.alibaba.com>

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Critical] Missing `sfence.vma` after clearing `CSR_SATP` causes a fatal Instruction Page Fault on kexec.
--

commit 4cdd8f4ea42becec74890b3443cd153befa568f3
Author: Fangyu Yu <fangyu.yu@linux.alibaba.com>

riscv: kexec: Switch to trampoline page table before norelocate

This commit updates riscv_kexec_norelocate to act as a two-pass trampoline,
allowing it to drop kernel page tables while still executing from a mapped
address. It also replaces the previous stvec-based exception handoff with a
direct jump to the target entry.

> diff --git a/arch/riscv/kernel/kexec_relocate.S b/arch/riscv/kernel/kexec_relocate.S
> index af6b99f5b0fd9..8cfdf6f4032a8 100644
> --- a/arch/riscv/kernel/kexec_relocate.S
> +++ b/arch/riscv/kernel/kexec_relocate.S
[ ... ]
> @@ -198,14 +220,8 @@ SYM_CODE_START(riscv_kexec_norelocate)
> csrw CSR_SCAUSE, zero
> csrw CSR_SSCRATCH, zero
>
> - /*
> - * Switch to physical addressing
> - * This will also trigger a jump to CSR_STVEC
> - * which in this case is the address of the new
> - * kernel.
> - */
> - csrw CSR_STVEC, a2
> csrw CSR_SATP, zero
> + jr a2
>
> SYM_CODE_END(riscv_kexec_norelocate)
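
Review bot: with `csrw CSR_STVEC, a2` removed, nothing in the visible lines leaves CSR_STVEC pointing at an address that stays reachable across `csrw CSR_SATP, zero` and `jr a2`, so a trap taken between those two instructions has no defined landing point. Either keep a valid stvec across the switch or say in a comment why no trap can occur there. The deleted block comment was also the only explanation of the switch to physical addressing at this point; a short replacement stating that a2 holds the address of the new kernel and that the jump is now explicit rather than trap-driven would help the next reader.
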
[Severity: Critical]
Does this sequence require an sfence.vma instruction after clearing
CSR_SATP?

According to the RISC-V Privileged Architecture specification, writes to the
satp register do not imply any synchronization. A subsequent instruction fetch
may still use the old satp value unless explicitly synchronized with an
sfence.vma instruction.

Without sfence.vma, the CPU pipeline is allowed to fetch the instruction at
a2 (the start of the new kernel) using the old satp value. Because a2 is a
physical address and is not identity-mapped in the trampoline page table,
this fetch could trigger an instruction page fault.

Since the stvec override was removed by this patch, the trap would attempt
to vector to the old kernel's default trap handler. As that handler is also
unmapped in the trampoline, this sequence appears to result in a double fault
and a system hang during kexec.

If a similar pattern is introduced for riscv_kexec_relocate_entry later in
this series, it might also need an sfence.vma to avoid a page fault when
fetching the relocation code.

--
Sashiko AI review · https://sashiko.dev/#/patchset/20260604132418.15725-1-fangyu.yu@linux.alibaba.com?part=6