[PATCH v5] MIPS: mm: kmalloc tlb_vpn array to avoid stack overflow

Maciej W. Rozycki posted 1 patch 3 days, 4 hours ago
arch/mips/mm/tlb-r4k.c |   18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
Posted by Maciej W. Rozycki 3 days, 4 hours ago
From: Thomas Bogendoerfer <tsbogend@alpha.franken.de>

Owing to Config4.MMUSizeExt and VTLB/FTLB MMU features, later MIPSr2+
cores can have more than 64 TLB entries.  Therefore allocate an array
for uniquification instead of placing too small an array on the stack.

Fixes: 35ad7e181541 ("MIPS: mm: tlb-r4k: Uniquify TLB entries on init")
Co-developed-by: Maciej W. Rozycki <macro@orcam.me.uk>
Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Cc: stable@vger.kernel.org # v6.17+: 9f048fa48740: MIPS: mm: Prevent a TLB shutdown on initial uniquification
Cc: stable@vger.kernel.org # v6.17+
---
 Verified with Malta/74Kf and Malta/interAptiv for initial and secondary 
CPU bootstrap.  The PM path hasn't been covered, but is expected to be 
the same as secondary CPU bootstrap.

 NB Malta/interAptiv has issues later on in SMP boot (boots fine UP) and 
hangs with repeated:

irq 23: nobody cared (try booting with the "irqpoll" option)
CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted 6.18.0-rc1-dirty #2 NONE

messages (for the CP0 timer interrupt AFAICT; GIC timer is supposed to 
be used instead).  This will have to be bisected.

Changes from v4:

- Mark `r4k_tlb_uniquify' `__ref' so as to silence `modpost'.

Changes from v3:

- Rearrange tags including stable backport ones so as to pick the original 
  change together with this fix only.

Changes from v2:

- Use the bootmem allocator for early calls (CPU #0 bootstrap).

- Update the change description; mark for stable backporting.
---
 arch/mips/mm/tlb-r4k.c |   18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

linux-mips-tlb-r4k-uniquify-tlbsize.diff
Index: linux-macro/arch/mips/mm/tlb-r4k.c
===================================================================
--- linux-macro.orig/arch/mips/mm/tlb-r4k.c
+++ linux-macro/arch/mips/mm/tlb-r4k.c
@@ -12,6 +12,7 @@
 #include <linux/init.h>
 #include <linux/sched.h>
 #include <linux/smp.h>
+#include <linux/memblock.h>
 #include <linux/mm.h>
 #include <linux/hugetlb.h>
 #include <linux/export.h>
@@ -522,17 +523,26 @@ static int r4k_vpn_cmp(const void *a, co
  * Initialise all TLB entries with unique values that do not clash with
  * what we have been handed over and what we'll be using ourselves.
  */
-static void r4k_tlb_uniquify(void)
+static void __ref r4k_tlb_uniquify(void)
 {
-	unsigned long tlb_vpns[1 << MIPS_CONF1_TLBS_SIZE];
 	int tlbsize = current_cpu_data.tlbsize;
+	bool use_slab = slab_is_available();
 	int start = num_wired_entries();
+	phys_addr_t tlb_vpn_size;
+	unsigned long *tlb_vpns;
 	unsigned long vpn_mask;
 	int cnt, ent, idx, i;
 
 	vpn_mask = GENMASK(cpu_vmbits - 1, 13);
 	vpn_mask |= IS_ENABLED(CONFIG_64BIT) ? 3ULL << 62 : 1 << 31;
 
+	tlb_vpn_size = tlbsize * sizeof(*tlb_vpns);
+	tlb_vpns = (use_slab ?
+		    kmalloc(tlb_vpn_size, GFP_KERNEL) :
+		    memblock_alloc_raw(tlb_vpn_size, sizeof(*tlb_vpns)));
+	if (WARN_ON(!tlb_vpns))
+		return; /* Pray local_flush_tlb_all() is good enough. */
+
 	htw_stop();
 
 	for (i = start, cnt = 0; i < tlbsize; i++, cnt++) {
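Review bot: the kmalloc() in the slab branch uses GFP_KERNEL, which may sleep, while the cover note says this function also runs during secondary CPU bootstrap and (untested) PM resume, paths on which the CPU being brought up has interrupts disabled; GFP_ATOMIC would be the safe choice there, or a comment should say why sleeping is acceptable at that point. Two smaller points in the same hunk: `tlb_vpn_size' is declared `phys_addr_t' to suit memblock_alloc_raw() but is then also passed to kmalloc(), whose size parameter is size_t, so declaring it size_t (it widens implicitly for memblock) avoids a silent narrowing on configurations where phys_addr_t is 64-bit; and the new `__ref' deserves a one-line comment stating that it exists because memblock_alloc_raw() is `__init' and is only reached while slab_is_available() is false.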
@@ -585,6 +595,10 @@ static void r4k_tlb_uniquify(void)
 	tlbw_use_hazard();
 	htw_start();
 	flush_micro_tlb();
+	if (use_slab)
+		kfree(tlb_vpns);
+	else
+		memblock_free(tlb_vpns, tlb_vpn_size);
 }
 
 /*
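Review bot: the kfree()/memblock_free() choice here has to mirror the allocation branch, and it does so only because `use_slab' is sampled once at the top of the function rather than re-read from slab_is_available() at each site; that coupling is easy to lose in a later cleanup, so either add a short comment at the free (e.g. `/* use_slab was decided at allocation time; keep the pairing. */') or move both sites into a tiny alloc/free helper pair so the allocator decision lives in one place. Freeing only after htw_start() and flush_micro_tlb() is fine, as nothing in the function retains a pointer into tlb_vpns.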
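The sizing bug the patch fixes, as an added example that is not part of the patch or of the kernel's code: a user-space C model of the r4k_tlb_uniquify() scratch array, sized from the runtime tlbsize the way the patch does with kmalloc()/memblock_alloc_raw() rather than from the compile-time width of Config1.MMUSize. The Config1/Config4 decode covers only the MMUSizeExt mode and is simplified; VPN_BASE, the wired-entry layout and the 576-entry TLB (63 + 1 plus eight 64-entry extension blocks) are constructed values, and the function names are the example's own, not the kernel's.

```c
/*
 * Added example, not kernel code: a user-space model of the TLB uniquification
 * scratch array whose sizing the patch above fixes.  Register decoding is
 * simplified and the TLB contents are constructed.
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MIPS_CONF1_TLBS_SIZE 6                      /* Config1.MMUSize is 6 bits wide */
#define LEGACY_TLB_MAX (1 << MIPS_CONF1_TLBS_SIZE)  /* 64: the old on-stack array size */
#define VPN_STEP (1UL << 13)     /* bit 13 is the lowest VPN2 bit, cf. GENMASK(.., 13) */
#define VPN_BASE 0x80000000UL    /* constructed base for generated unique VPNs */

/* Simplified decode of the Config4 MMUSizeExt mode only: Config1.MMUSize holds
 * (entries - 1) and each unit of MMUSizeExt adds 64 entries.  The FTLB set/way
 * modes that also raise tlbsize are not modelled. */
static int tlb_size_from_config(unsigned int mmusize, unsigned int mmusize_ext)
{
	return (int)((mmusize & (LEGACY_TLB_MAX - 1)) + 1 + mmusize_ext * LEGACY_TLB_MAX);
}

/* The invariant the removed `tlb_vpns[1 << MIPS_CONF1_TLBS_SIZE]' relied on. */
static bool fits_legacy_stack_array(int tlbsize)
{
	return tlbsize > 0 && tlbsize <= LEGACY_TLB_MAX;
}

static int vpn_cmp(const void *a, const void *b)
{
	unsigned long x = *(const unsigned long *)a, y = *(const unsigned long *)b;
	return (x > y) - (x < y);
}

/* Rewrite entries [start, tlbsize) of tlb_vpn[] with VPNs that clash neither
 * with each other nor with anything already in the TLB (wired entries included).
 * The scratch copy is sized from the runtime tlbsize, which is the patch's
 * point.  Returns the number of entries rewritten, or -1 if the scratch
 * allocation fails (the caller then has to fall back to a plain flush). */
static int uniquify(unsigned long *tlb_vpn, int tlbsize, int start)
{
	size_t n = (size_t)tlbsize;
	unsigned long *vpns = malloc(n * sizeof(*vpns));
	unsigned long cand = VPN_BASE;
	int idx, cnt = 0;

	if (!vpns)
		return -1;
	memcpy(vpns, tlb_vpn, n * sizeof(*vpns));
	qsort(vpns, n, sizeof(*vpns), vpn_cmp);
	for (idx = start; idx < tlbsize; idx++, cnt++) {
		/* skip candidates already present anywhere in the snapshot */
		while (bsearch(&cand, vpns, n, sizeof(*vpns), vpn_cmp))
			cand += VPN_STEP;
		tlb_vpn[idx] = cand;
		cand += VPN_STEP;	/* strictly increasing: new entries never collide */
	}
	free(vpns);
	return cnt;
}

/* True if no two of the n entries share a VPN; O(n^2) is fine for a model. */
static bool all_unique(const unsigned long *vpn, int n)
{
	for (int i = 0; i < n; i++)
		for (int j = i + 1; j < n; j++)
			if (vpn[i] == vpn[j])
				return false;
	return true;
}

/* Constructed scenario: `wired' entries sit exactly where the generator starts
 * handing out VPNs and every other entry carries the same stale VPN.  Returns
 * the rewrite count if the result is unique, -1 on failure, -2 if clashes remain. */
static int run_model(int tlbsize, int wired)
{
	unsigned long *vpn = calloc((size_t)tlbsize, sizeof(unsigned long));
	int cnt, i;

	if (!vpn)
		return -1;
	for (i = 0; i < wired; i++)
		vpn[i] = VPN_BASE + (unsigned long)i * VPN_STEP;
	cnt = uniquify(vpn, tlbsize, wired);
	if (cnt >= 0 && !all_unique(vpn, tlbsize))
		cnt = -2;
	free(vpn);
	return cnt;
}

int main(void)
{
	int tlbsize = tlb_size_from_config(63, 8);	/* 64 + 8 * 64 = 576 entries */

	printf("tlbsize=%d, fits the 64-entry stack array: %s\n", tlbsize,
	       fits_legacy_stack_array(tlbsize) ? "yes" : "no");
	printf("entries rewritten: %d\n", run_model(tlbsize, 2));
	return 0;
}
```

Compiled as is, main() reports that 576 entries do not fit the old 64-entry array and that 574 entries were rewritten with no clashes. The lesson is the one the patch encodes: size the scratch buffer from the count the hardware actually reports, never from the width of the register field that reports only part of it.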
Re: [PATCH v5] MIPS: mm: kmalloc tlb_vpn array to avoid stack overflow
Posted by Thomas Bogendoerfer 2 days, 8 hours ago
On Fri, Nov 28, 2025 at 04:53:46PM +0000, Maciej W. Rozycki wrote:
> From: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
> 
> Owing to Config4.MMUSizeExt and VTLB/FTLB MMU features, later MIPSr2+
> cores can have more than 64 TLB entries.  Therefore allocate an array
> for uniquification instead of placing too small an array on the stack.
> 
> Fixes: 35ad7e181541 ("MIPS: mm: tlb-r4k: Uniquify TLB entries on init")
> Co-developed-by: Maciej W. Rozycki <macro@orcam.me.uk>
> Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
> Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
> Cc: stable@vger.kernel.org # v6.17+: 9f048fa48740: MIPS: mm: Prevent a TLB shutdown on initial uniquification
> Cc: stable@vger.kernel.org # v6.17+
> ---
>  Verified with Malta/74Kf and Malta/interAptiv for initial and secondary 
> CPU bootstrap.  The PM path hasn't been covered, but is expected to be 
> the same as secondary CPU bootstrap.
> 
>  NB Malta/interAptiv has issues later on in SMP boot (boots fine UP) and 
> hangs with repeated:
> 
> irq 23: nobody cared (try booting with the "irqpoll" option)
> CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted 6.18.0-rc1-dirty #2 NONE
> 
> messages (for the CP0 timer interrupt AFAICT; GIC timer is supposed to 
> be used instead).  This will have to be bisected.
> 
> Changes from v4:
> 
> - Mark `r4k_tlb_uniquify' `__ref' so as to silence `modpost'.
> 
> Changes from v3:
> 
> - Rearrange tags including stable backport ones so as to pick the original 
>   change together with this fix only.
> 
> Changes from v2:
> 
> - Use the bootmem allocator for early calls (CPU #0 bootstrap).
> 
> - Update the change description; mark for stable backporting.
> ---
>  arch/mips/mm/tlb-r4k.c |   18 ++++++++++++++++--
>  1 file changed, 16 insertions(+), 2 deletions(-)

applied to mips-fixes.

Thomas.

-- 
Crap can work. Given enough thrust pigs will fly, but it's not necessarily a
good idea.                                                [ RFC1925, 2.3 ]