[PATCH] spl: fix stack placement in spl_relocate_stack_gd()
Ronald Wahl
rwahl at gmx.de
Sat Feb 7 16:33:30 CET 2026
From: Ronald Wahl <ronald.wahl at legrand.com>
Currently when CONFIG_SPL_STACK_R and CONFIG_SPL_SYS_MALLOC_SIMPLE are
enabled then spl_relocate_stack_gd() will set up a layout where the stack
lies inside the heap and grows down to heap start. Also the global data
is part of the heap. This can lead to corruption of stack and global
data. The current layout is:
                    0x0 +-------------+
                        .             .
                        .             .
        gd->malloc_base +- - - - - - -+
                        |             |\
                        |  HEAP/STACK | \
                        |             |  } SPL_STACK_R_MALLOC_SIMPLE_LEN
      gd->start_addr_sp +- - - - - - -+ /  (gd->malloc_limit)
                        | GLOBAL DATA |/
CONFIG_SPL_STACK_R_ADDR +-------------+
The above broken layout was actually introduced with commit adc421e4cee8
("arm: move gd handling outside of C code").
This commit changes the layout so that the stack is below the heap and
the global data. It is now similar to the one before relocation:
                    0x0 +-------------+
                        .             .
                        .             .
                        +- - - - - - -+
                        |             |
                        |    STACK    |
                        |             |
      gd->start_addr_sp +-------------+
                        | GLOBAL DATA |
        gd->malloc_base +-------------+
                        |             |\
                        |    HEAP     | } SPL_STACK_R_MALLOC_SIMPLE_LEN
                        |             |/  (gd->malloc_limit)
CONFIG_SPL_STACK_R_ADDR +-------------+
Fixes: adc421e4cee8 ("arm: move gd handling outside of C code")
Cc: Tom Rini <trini at konsulko.com>
Cc: Anshul Dalal <anshuld at ti.com>
Cc: Leo Yu-Chi Liang <ycliang at andestech.com>
Cc: Dhruva Gole <d-gole at ti.com>
Cc: Simon Glass <sjg at chromium.org>
Cc: Albert ARIBAUD <albert.u.boot at aribaud.net>
Signed-off-by: Ronald Wahl <ronald.wahl at legrand.com>
---
common/spl/spl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/common/spl/spl.c b/common/spl/spl.c
index fd915d9564b..8256fa97862 100644
--- a/common/spl/spl.c
+++ b/common/spl/spl.c
@@ -954,7 +954,7 @@ ulong spl_relocate_stack_gd(void)
}
#endif
/* Get stack position: use 8-byte alignment for ABI compliance */
- ptr = CONFIG_SPL_STACK_R_ADDR - roundup(sizeof(gd_t),16);
+ ptr -= roundup(sizeof(gd_t), 16);
gd->start_addr_sp = ptr;
new_gd = (gd_t *)ptr;
memcpy(new_gd, (void *)gd, sizeof(gd_t));
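Review bot: the new line `ptr -= roundup(sizeof(gd_t), 16);` turns an unconditional assignment into a read-modify-write of `ptr`, so it is only correct if `ptr` already holds the intended base (gd->malloc_base per the commit message) on every path reaching this point, including the one where the `#endif`'d block just above is compiled out or skipped. The visible context does not show that initialisation; please either state in the commit message where `ptr` is set before the `#if`, or initialise it to CONFIG_SPL_STACK_R_ADDR unconditionally before the conditional block so the non-MALLOC_SIMPLE path cannot subtract from an uninitialised value. Minor, while touching this line: the comment still says "use 8-byte alignment" but the code rounds to 16; updating the comment to match would avoid the next reader asking the same question.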
--
2.53.0