From: sashiko-bot@kernel.org
To: fangyu.yu@linux.alibaba.com
Cc: kvm@vger.kernel.org
Subject: Re: [PATCH v3 8/9] riscv: kexec: Add the relocate-trampoline wrapper
Date: Thu, 04 Jun 2026 13:46:03 +0000 [thread overview]
Message-ID: <20260604134604.183221F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260604132418.15725-9-fangyu.yu@linux.alibaba.com>
Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] Missing `sfence.vma` after `csrw CSR_SATP, zero` allows unsynchronized execution to use the old trampoline page table, causing page faults during kexec.
- [High] Incorrect physical address calculation for `riscv_kexec_cc_buffer_pa` using PC-relative `la` under `CONFIG_XIP_KERNEL`.
--
commit 6b76f586f13ebcc7aa4fa66a977acaa2bac3a894
Author: Fangyu Yu <fangyu.yu@linux.alibaba.com>
riscv: kexec: Add the relocate-trampoline wrapper
This patch adds the riscv_kexec_relocate_entry wrapper to the kexec
trampoline text section. It performs the transition to the trampoline PGD,
drops the MMU, and jumps to the physical address of the control code buffer.
> diff --git a/arch/riscv/kernel/kexec_relocate.S b/arch/riscv/kernel/kexec_relocate.S
> index 8cfdf6f4032a8..6c624560c9ac0 100644
> --- a/arch/riscv/kernel/kexec_relocate.S
> +++ b/arch/riscv/kernel/kexec_relocate.S
[ ... ]
> @@ -225,6 +225,42 @@ SYM_CODE_START(riscv_kexec_norelocate)
>
> SYM_CODE_END(riscv_kexec_norelocate)
>
> +.extern riscv_kexec_relocate_entry_pa
> +.extern riscv_kexec_cc_buffer_pa
> +.section ".kexec.tramp.text", "ax"
> +SYM_CODE_START(riscv_kexec_relocate_entry)
[ ... ]
> +1:
> + /*
> + * Now executing at the PA of this wrapper with the trampoline pgd
> + * installed (identity-mapped). Drop the MMU; PC stays valid because
> + * it is already a PA.
> + */
> + csrw CSR_SATP, zero
[Severity: High]
Does dropping the MMU here require an sfence.vma instruction to synchronize
the pipeline?
Without it, the hardware might defer the translation mode switch and use the
old trampoline page table for subsequent instructions.
Since the trampoline page table only identity-maps the single trampoline
.text page, the immediate memory read from the unmapped .bss region could
trigger a Load Page Fault.
It looks like riscv_kexec_norelocate might have a similar issue where it
executes a jump to the crash kernel without an sfence.vma, which could cause
a nested Instruction Page Fault.
> +
> + /* Jump to the PA of control_code_buffer to run the relocate body. */
> + la t0, riscv_kexec_cc_buffer_pa
> + REG_L t0, 0(t0)
[Severity: High]
Will this PC-relative physical address calculation work correctly under
CONFIG_XIP_KERNEL?
The la instruction expands to a PC-relative offset based strictly on virtual
addresses.
Under CONFIG_XIP_KERNEL, .text executes from ROM and .bss resides in RAM,
so their virtual offset does not match their physical distance.
When executed with the MMU off, adding this virtual offset to the physical
ROM PC might yield an invalid physical address, causing the REG_L
instruction to crash the kexec transition.
> + jr t0
> +SYM_CODE_END(riscv_kexec_relocate_entry)
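Review bot: the `.section ".kexec.tramp.text", "ax"` directive ahead of `SYM_CODE_START(riscv_kexec_relocate_entry)` changes the assembler's current section and nothing after `SYM_CODE_END(riscv_kexec_relocate_entry)` restores it, so any code appended to kexec_relocate.S below this wrapper would silently end up in the trampoline section; wrapping the function in `.pushsection ".kexec.tramp.text", "ax"` / `.popsection` avoids that, and since patch 4/9 in this series already places riscv_kexec_norelocate into that section, please check whether the bare `.section` here is even needed. On the `csrw CSR_SATP, zero` ... `jr t0` sequence itself, the comment explains why the PC remains valid but not whether a trap can be taken between the satp write and the jump; if interrupts are masked in the elided part of this function, a one-line note at the `csrw` would make that easier to audit, and if not, it belongs there.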
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260604132418.15725-1-fangyu.yu@linux.alibaba.com?part=8
2026-06-04 13:24 [PATCH v3 0/9] riscv: kexec: Make kexec/kdump robust under VS-mode fangyu.yu
2026-06-04 13:24 ` [PATCH v3 1/9] riscv: kexec: Reset executable bit on the control code page in cleanup fangyu.yu
2026-06-04 13:24 ` [PATCH v3 2/9] riscv: kexec: Bound FDT search by source buffer size, not destination fangyu.yu
2026-06-04 13:37 ` sashiko-bot
2026-06-04 13:24 ` [PATCH v3 3/9] riscv: Add kexec trampoline text section to vmlinux.lds.S fangyu.yu
2026-06-04 13:24 ` [PATCH v3 4/9] riscv: kexec: Place norelocate trampoline into .kexec.tramp.text fangyu.yu
2026-06-04 13:24 ` [PATCH v3 5/9] riscv: kexec: Build trampoline page tables for crash kernel entry fangyu.yu
2026-06-04 13:24 ` [PATCH v3 6/9] riscv: kexec: Switch to trampoline page table before norelocate fangyu.yu
2026-06-04 13:40 ` sashiko-bot
2026-06-04 13:24 ` [PATCH v3 7/9] riscv: kexec: Always build the trampoline page table fangyu.yu
2026-06-04 13:24 ` [PATCH v3 8/9] riscv: kexec: Add the relocate-trampoline wrapper fangyu.yu
2026-06-04 13:46 ` sashiko-bot [this message]
2026-06-04 13:24 ` [PATCH v3 9/9] riscv: kexec: Route normal kexec through the trampoline page table fangyu.yu
2026-06-04 13:36 ` sashiko-bot