lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <6adad05f-bd56-4f32-a2d5-611656863acb@citrix.com>
Date: Mon, 26 Jan 2026 20:22:51 +0000
From: Andrew Cooper <andrew.cooper3@...rix.com>
To: Borislav Petkov <bp@...en8.de>,
 Ryusuke Konishi <konishi.ryusuke@...il.com>
Cc: Andrew Cooper <andrew.cooper3@...rix.com>,
 Andrew Morton <akpm@...ux-foundation.org>, Marco Elver <elver@...gle.com>,
 LKML <linux-kernel@...r.kernel.org>, Alexander Potapenko
 <glider@...gle.com>, Dmitry Vyukov <dvyukov@...gle.com>,
 Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>,
 Dave Hansen <dave.hansen@...ux.intel.com>, X86 ML <x86@...nel.org>,
 "H. Peter Anvin" <hpa@...or.com>, Jann Horn <jannh@...gle.com>,
 kasan-dev@...glegroups.com
Subject: Re: [REGRESSION] x86_32 boot hang in 6.19-rc7 caused by b505f1944535
 ("x86/kfence: avoid writing L1TF-vulnerable PTEs")

On 26/01/2026 7:54 pm, Borislav Petkov wrote:
> On Tue, Jan 27, 2026 at 04:07:04AM +0900, Ryusuke Konishi wrote:
>> Hi All,
>>
>> I am reporting a boot regression in v6.19-rc7 on an x86_32
>> environment. The kernel hangs immediately after "Booting the kernel"
>> and does not produce any early console output.
>>
>> A git bisect identified the following commit as the first bad commit:
>> b505f1944535 ("x86/kfence: avoid writing L1TF-vulnerable PTEs")
> I can confirm the same - my 32-bit laptop experiences the same. The guest
> splat looks like this:
>
> [    0.173437] rcu: srcu_init: Setting srcu_struct sizes based on contention.
> [    0.175172] ------------[ cut here ]------------
> [    0.176066] kernel BUG at arch/x86/mm/physaddr.c:70!
> [    0.177037] Oops: invalid opcode: 0000 [#1] SMP
> [    0.177914] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.19.0-rc7+ #1 PREEMPT(full) 
> [    0.179509] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
> [    0.181363] EIP: __phys_addr+0x78/0x90
> [    0.182089] Code: 89 c8 5b 5d c3 2e 8d 74 26 00 0f 0b 8d b6 00 00 00 00 89 45 f8 e8 08 a4 1d 00 84 c0 8b 55 f8 74 b0 0f 0b 8d b4 26 00 00 00 00 <0f> 0b 8d b6 00 00 00 00 0f 0b 66 90 8d 74 26 00 2e 8d b4 26 00 00
> [    0.185723] EAX: ce383000 EBX: 00031c7c ECX: 31c7c000 EDX: 034ec000
> [    0.186972] ESI: c1ed3eec EDI: f21fd101 EBP: c2055f78 ESP: c2055f70
> [    0.188182] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 EFLAGS: 00210086
> [    0.189503] CR0: 80050033 CR2: ffd98000 CR3: 029cf000 CR4: 00000090
> [    0.191045] Call Trace:
> [    0.191518]  kfence_init+0x3a/0x94
> [    0.192177]  start_kernel+0x4ea/0x62c
> [    0.192894]  i386_start_kernel+0x65/0x68
> [    0.193653]  startup_32_smp+0x151/0x154
> [    0.194397] Modules linked in:
> [    0.194987] ---[ end trace 0000000000000000 ]---
> [    0.195879] EIP: __phys_addr+0x78/0x90
> [    0.196610] Code: 89 c8 5b 5d c3 2e 8d 74 26 00 0f 0b 8d b6 00 00 00 00 89 45 f8 e8 08 a4 1d 00 84 c0 8b 55 f8 74 b0 0f 0b 8d b4 26 00 00 00 00 <0f> 0b 8d b6 00 00 00 00 0f 0b 66 90 8d 74 26 00 2e 8d b4 26 00 00
> [    0.200231] EAX: ce383000 EBX: 00031c7c ECX: 31c7c000 EDX: 034ec000
> [    0.201452] ESI: c1ed3eec EDI: f21fd101 EBP: c2055f78 ESP: c2055f70
> [    0.202693] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 EFLAGS: 00210086
> [    0.204011] CR0: 80050033 CR2: ffd98000 CR3: 029cf000 CR4: 00000090
> [    0.205235] Kernel panic - not syncing: Attempted to kill the idle task!
> [    0.206897] ---[ end Kernel panic - not syncing: Attempted to: kill the idle task! ]---

Ok, we're hitting a BUG, not a TLB flushing problem.  That's:

BUG_ON(slow_virt_to_phys((void *)x) != phys_addr);

so it's obviously to do with the inverted pte.  pgtable-2level.h has

/* No inverted PFNs on 2 level page tables */

and that was definitely an oversight on my behalf.  Sorry.

Does this help?

diff --git a/arch/x86/include/asm/kfence.h b/arch/x86/include/asm/kfence.h
index acf9ffa1a171..310e0193d731 100644
--- a/arch/x86/include/asm/kfence.h
+++ b/arch/x86/include/asm/kfence.h
@@ -42,7 +42,7 @@ static inline bool kfence_protect_page(unsigned long addr, bool protect)
 {
        unsigned int level;
        pte_t *pte = lookup_address(addr, &level);
-       pteval_t val;
+       pteval_t val, new;
 
        if (WARN_ON(!pte || level != PG_LEVEL_4K))
                return false;
@@ -61,7 +61,8 @@ static inline bool kfence_protect_page(unsigned long addr, bool protect)
         * L1TF-vulnerable PTE (not present, without the high address bits
         * set).
         */
-       set_pte(pte, __pte(~val));
+       new = val ^ _PAGE_PRESENT;
+       set_pte(pte, __pte(flip_protnone_guard(val, new, PTE_PFN_MASK)));
 
        /*
         * If the page was protected (non-present) and we're making it



Only compile tested.  flip_protnone_guard() seems the helper which is a
nop on 2-level paging.

~Andrew

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ