Bug#1140542: grub-efi-riscv64: relocation overflow crash on systems with multi-range memory layout (>4GB RAM)
Lufei Zheng
lufei.zheng at spacemit.com
Mon Jun 22 12:46:48 BST 2026
Package: grub-efi-riscv64
Version: 2.12-9+deb13u2
Severity: grave
Tags: upstream
grub-efi-riscv64: relocation overflow crash on systems with multi-range memory layout (>4GB physical RAM)
-- System Information:
Hardware: SpacemiT V100-C2201 (RISC-V, SpacemiT V100 SoC)
Debian Release: 13 (trixie)
APT: APT version 3.x
Kernel: 6.12.86+deb13-riscv64 (riscv64)
Locale: (not relevant)
-- Description:
When booting the Debian riscv64 DVD installer (from
https://cdimage.debian.org/debian-cd/current/riscv64/iso-dvd/) on a
SpacemiT V100 RISC-V server (128 GB RAM), GRUB crashes immediately
with "relocation overflow" before loading any menu or kernel.
Running grubriscv64.efi from the UEFI shell produces:
    InstallProtocolInterface: 752F3136-4E16-4FDC-A22A-E5F46812F4CA 83FFF720
    CpuSetMemoryAttributes: Set memory attributes not supported yet
    relocation overflow
    Aborted. Press any key to exit
This is a known upstream bug in grub-core/kern/riscv/dl.c,
grub_arch_dl_relocate_symbols(), where R_RISCV_CALL / R_RISCV_CALL_PLT
relocation handling checks:
    if (off != (grub_int32_t) off)
      return grub_error (GRUB_ERR_BAD_MODULE, "relocation overflow");
The offset `off = sym_addr - (grub_addr_t) place` overflows int32 because
UEFI allocates GRUB's EFI image in high memory (above 4 GB) when the
physical address space contains a multi-range layout.
-- Memory layout on this machine:
The SpacemiT V100 has 128 GB RAM exposed via ACPI SRAT as two NUMA nodes
with non-contiguous ranges:
    Node 0: [mem 0x00000000-0xffffffff]       (first 4 GB, with holes)
            [mem 0xc0100000000-0xc0fffffffff] (range above 768 GB)
    Node 1: [mem 0xe0000000000-0xe0fffffffff]
Because the low 4 GB region is heavily fragmented by firmware/MMIO
reservations, UEFI places the GRUB EFI image at an address such as
0xBDCCB000 (per the log above — still within 32-bit range on this
machine, but the loaded modules end up relocated far above), causing
the R_RISCV_CALL relocation offset to exceed ±2 GB.
This is documented in the upstream RISC-V initiative tracker:
https://lf-rise.atlassian.net/wiki/spaces/HOME/pages/8586141/DI_01_01+GRUB+-+Relocation+overflow+on+RISC-V+with+multi-range+memory+layout
And the related LKML thread:
https://lore.kernel.org/all/CAKmqyKMtAzt5saCUMd4vXYfgAQibpzQJAhtTSuSb+yeKhcYpfw@mail.gmail.com/T/
-- Impact:
The Debian riscv64 installer is completely unbootable on RISC-V
systems with large RAM (e.g., SpacemiT V100, or any system where UEFI
may allocate GRUB's image or its modules outside the ±2 GB window of
each other).
-- Steps to reproduce:
1. Download https://cdimage.debian.org/debian-cd/current/riscv64/iso-dvd/
2. Write to USB or mount the ISO
3. Boot on a SpacemiT V100 (or similar RISC-V system with >4 GB RAM
and fragmented low memory)
4. GRUB immediately crashes with "relocation overflow"
-- Fix:
The fix requires GRUB to emit a PLT/trampoline for R_RISCV_CALL
relocations that cannot be satisfied within ±2 GB, similar to how
other architectures handle out-of-range relocations. The upstream RISC-V
RISE initiative (project DI_01_01) is tracking this fix.
A workaround may be to link GRUB as a position-independent image or
to ensure the EFI memory allocator keeps all GRUB code and modules
within a contiguous ±2 GB region, but a proper fix in dl.c is needed.
-- Additional info:
grub-efi-riscv64: 2.12-9+deb13u2
grub-efi-riscv64-bin: 2.12-9+deb13u2
grub-common: 2.12-9+deb13u2
grub2-common: 2.12-9+deb13u2
CPU ISA: rv64imafdcvh + (extensive extensions including V, Zb*, Zk*)
MMU: sv48
EFI: v2.7 by SpacemiT
BIOS: SpacemiT v1.0.0
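
The range check quoted in the report, worked through on the addresses it gives. This is an added example, not part of the original report and not GRUB's code: resolve_call and decode_call are hypothetical names, and pairing the image address 0xBDCCB000 with a symbol at 0xc0100000000 is a constructed case. It also shows the AUIPC+JALR immediate split that the int32 test guards.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names for illustration; not from grub-core/kern/riscv/dl.c. */
struct call_reloc {
    int fits;       /* 1 if sym_addr - place fits in a signed 32-bit value */
    int64_t off;    /* PC-relative distance from the call site to the symbol */
    uint32_t hi20;  /* AUIPC immediate, already in bits 31:12 */
    uint32_t lo12;  /* JALR immediate, 12 bits */
};

/* Range test equivalent to `off != (grub_int32_t) off`, followed by the
   hi20/lo12 split used for an AUIPC+JALR pair. */
static struct call_reloc resolve_call(uint64_t sym_addr, uint64_t place)
{
    struct call_reloc r = {0, 0, 0, 0};
    r.off = (int64_t)(sym_addr - place);
    if (r.off < INT32_MIN || r.off > INT32_MAX)
        return r;                       /* the "relocation overflow" case */
    r.fits = 1;
    /* +0x800 rounds up because JALR sign-extends its 12-bit immediate. */
    r.hi20 = ((uint32_t)r.off + 0x800u) & 0xfffff000u;
    r.lo12 = ((uint32_t)r.off - r.hi20) & 0xfffu;
    return r;
}

/* Recompute the distance the encoded pair reaches, to verify the split. */
static int64_t decode_call(struct call_reloc r)
{
    int64_t hi = (int64_t)(r.hi20 ^ 0x80000000u) - 0x80000000LL; /* signed 32 */
    int64_t lo = (int64_t)(r.lo12 ^ 0x800u) - 0x800;             /* signed 12 */
    return hi + lo;
}

int main(void)
{
    uint64_t place = 0xBDCCB000ULL;     /* image address from the report */
    uint64_t syms[] = { 0xBDCCC804ULL,  /* constructed: 0x1804 ahead */
                        0xBDCCAFF0ULL,  /* constructed: 16 bytes back */
                        0xc0100000000ULL }; /* start of the high range */
    for (int i = 0; i < 3; i++) {
        struct call_reloc r = resolve_call(syms[i], place);
        if (r.fits)
            printf("off=%lld hi20=0x%x lo12=0x%x reach=%lld\n", (long long)r.off, r.hi20, r.lo12, (long long)decode_call(r));
        else
            printf("off=%lld: relocation overflow\n", (long long)r.off);
    }
    return 0;
}
```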