Re: [REGRESSION] x86_32 boot hang in 6.19-rc7 caused by b505f1944535 ("x86/kfence: avoid writing L1TF-vulnerable PTEs")

From: Dave Hansen

Date: Mon Jan 26 2026 - 15:25:47 EST


On 1/26/26 11:54, Borislav Petkov wrote:
> [ 0.173437] rcu: srcu_init: Setting srcu_struct sizes based on contention.
> [ 0.175172] ------------[ cut here ]------------
> [ 0.176066] kernel BUG at arch/x86/mm/physaddr.c:70!

Take a look at kfence_init_pool_early(). It's riddled with __pa() which
calls down to __phys_addr() => slow_virt_to_phys().

The plain !present PTE is fine, but the inverted one trips up
slow_virt_to_phys(), I bet. The slow_virt_to_phys() only gets called
when highmem is enabled (not when the memory is highmem), which is why
this is blowing up on 32-bit only.

The easiest hack/fix would be to just turn off kfence on 32-bit. I guess
the better fix would be to make kfence do its __pa() before it mucks
with the PTEs. The other option would be to either comprehend or ignore
those inverted PTEs.

Ugh.