[PATCH v2 0/2] x86: Fix kexec 5-level to 4-level paging transition

Usama Arif posted 2 patches 3 months, 1 week ago
There is a newer version of this series
Posted by Usama Arif 3 months, 1 week ago
This series addresses critical bugs in the kexec path when transitioning
from a kernel using 5-level page tables to one using 4-level page tables.

The root cause is improper handling of the PGD entry value during the page-level
transition. Specifically, the PGD entry value is masked with PAGE_MASK instead of
PTE_PFN_MASK, failing to account for high-order software bits like
_PAGE_BIT_NOPTISHADOW (bit 58).

When bit 58 (_PAGE_BIT_NOPTISHADOW) is set in the source kernel, the target
4-level kernel doesn't recognize it and fails to mask it properly, leading
to kexec failure.

Patch 1: Fixes the x86 boot compressed code path by replacing direct CR3
dereferencing with read_cr3_pa() and using PTE_PFN_MASK instead
of PAGE_MASK.

Patch 2: Applies the same fix to the EFI stub code path. (Done in a
separate patch as Fixes tag is different).


Co-developed-by: Kiryl Shutsemau <kas@kernel.org>
Signed-off-by: Kiryl Shutsemau <kas@kernel.org>
Signed-off-by: Usama Arif <usamaarif642@gmail.com>
Reported-by: Michael van der Westhuizen <rmikey@meta.com>
Reported-by: Tobias Fleig <tfleig@meta.com>

The patches are based on aaa9c3550b60d6259d6ea8b1175ade8d1242444e (next-20251022)

v1 -> v2:
- Remove patch 3 from v1 to fix kexec for source kernel in 5-level to 4-level
  transition where the 4-level kernel doesn't have patch 1 and 2 (Dave Hansen)
- Add include for asm/pgtable.h to fix build for x86_64-allnoconfig (kernel test bot)
- Use native_read_cr3_pa for both paths (Ard Biesheuvel)
 
Usama Arif (2):
  x86/boot: Fix page table access in 5-level to 4-level paging
    transition
  efi/libstub: Fix page table access in 5-level to 4-level paging
    transition

 arch/x86/boot/compressed/pgtable_64.c   | 11 +++++++----
 drivers/firmware/efi/libstub/x86-5lvl.c |  4 ++--
 2 files changed, 9 insertions(+), 6 deletions(-)

-- 
2.47.3
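To make the masking mistake described in the cover letter concrete, here is an added, stand-alone C demonstration that is not part of the patch series or the kernel tree. It models the x86-64 definitions with assumed constant values: PAGE_MASK clears only the low 12 bits, while PTE_PFN_MASK (physical_mask & PAGE_MASK in the kernel, where physical_mask is computed at runtime from CPUID; here a fixed 52-bit width is assumed) also clears the high-order bits where software flags such as bit 58 live. The sample PGD entry and its table address are constructed values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed constants modelled on the x86-64 definitions (demo values, not the kernel's headers). */
#define PAGE_SHIFT 12
#define PAGE_SIZE  (1ULL << PAGE_SHIFT)
#define PAGE_MASK  (~(PAGE_SIZE - 1))           /* clears only bits 0..11 */

/* Assume the architectural maximum of 52 physical address bits. */
#define PHYS_ADDR_BITS 52
#define PHYSICAL_MASK  ((1ULL << PHYS_ADDR_BITS) - 1)
#define PTE_PFN_MASK   (PHYSICAL_MASK & PAGE_MASK)  /* physical-frame bits only */

#define _PAGE_BIT_PRESENT     0
#define _PAGE_BIT_RW          1
#define _PAGE_BIT_NOPTISHADOW 58                    /* high-order software bit from the cover letter */
#define _PAGE_PRESENT     (1ULL << _PAGE_BIT_PRESENT)
#define _PAGE_RW          (1ULL << _PAGE_BIT_RW)
#define _PAGE_NOPTISHADOW (1ULL << _PAGE_BIT_NOPTISHADOW)

/* Constructed sample: a PGD entry whose next-level table lives at physical 0x1234000. */
static const uint64_t SAMPLE_TABLE_PHYS = 0x1234000ULL;

/* Build a PGD entry the way a 5-level source kernel with NOPTISHADOW set would leave it. */
uint64_t make_sample_pgd_entry(void)
{
    return SAMPLE_TABLE_PHYS | _PAGE_PRESENT | _PAGE_RW | _PAGE_NOPTISHADOW;
}

/* The defective extraction: PAGE_MASK strips flags in bits 0..11 but keeps bit 58. */
uint64_t next_table_with_page_mask(uint64_t pgd_entry)
{
    return pgd_entry & PAGE_MASK;
}

/* The corrected extraction: PTE_PFN_MASK keeps only bits that can be a physical address. */
uint64_t next_table_with_pfn_mask(uint64_t pgd_entry)
{
    return pgd_entry & PTE_PFN_MASK;
}

/* True when the value contains no bits above the physical address width. */
bool is_valid_physical_address(uint64_t addr)
{
    return (addr & ~PHYSICAL_MASK) == 0;
}

int main(void)
{
    uint64_t entry = make_sample_pgd_entry();
    uint64_t bad   = next_table_with_page_mask(entry);
    uint64_t good  = next_table_with_pfn_mask(entry);

    printf("PGD entry            : 0x%016llx\n", (unsigned long long)entry);
    printf("& PAGE_MASK          : 0x%016llx (valid phys: %s)\n",
           (unsigned long long)bad, is_valid_physical_address(bad) ? "yes" : "no");
    printf("& PTE_PFN_MASK       : 0x%016llx (valid phys: %s)\n",
           (unsigned long long)good, is_valid_physical_address(good) ? "yes" : "no");
    return 0;
}
```

The PAGE_MASK result still carries bit 58, so treating it as the address of the next page-table level dereferences a non-existent physical address, which is the failure the series fixes; the PTE_PFN_MASK result is the clean table address.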
Re: [PATCH v2 0/2] x86: Fix kexec 5-level to 4-level paging transition
Posted by Borislav Petkov 3 months, 1 week ago
On Tue, Oct 28, 2025 at 10:55:55AM +0000, Usama Arif wrote:
> This series addresses critical bugs in the kexec path when transitioning
> from a kernel using 5-level page tables to one using 4-level page tables.

Out of curiosity: what is the real-life use case for this?

Judging by the Reported-by's I guess Meta is doing some kexec-ing into default
kernels which are 4-level so that they can work on any machine ...

Close?

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette
Re: [PATCH v2 0/2] x86: Fix kexec 5-level to 4-level paging transition
Posted by Kiryl Shutsemau 3 months, 1 week ago
On Wed, Oct 29, 2025 at 09:48:14PM +0100, Borislav Petkov wrote:
> On Tue, Oct 28, 2025 at 10:55:55AM +0000, Usama Arif wrote:
> > This series addresses critical bugs in the kexec path when transitioning
> > from a kernel using 5-level page tables to one using 4-level page tables.
> 
> Out of curiosity: what is the real-life use case for this?
> 
> Judging by the Reported-by's I guess Meta is doing some kexec-ing into default
> kernels which are 4-level so that they can work on any machine ...
> 
> Close?

Older kernels in our fleet run with 5-level paging disabled. The newer
one enables it. Machines need to switch between kernel version from time
to time for different reasons. Switching from the newer kernel to an
older one triggered the issue.

-- 
  Kiryl Shutsemau / Kirill A. Shutemov
Re: [PATCH v2 0/2] x86: Fix kexec 5-level to 4-level paging transition
Posted by Borislav Petkov 3 months, 1 week ago
On Thu, Oct 30, 2025 at 10:23:11AM +0000, Kiryl Shutsemau wrote:
> Older kernels in our fleet run with 5-level paging disabled. The newer
> one enables it. Machines need to switch between kernel version from time
> to time for different reasons. Switching from the newer kernel to an
> older one triggered the issue.

Thx, makes sense.

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette
Re: [PATCH v2 0/2] x86: Fix kexec 5-level to 4-level paging transition
Posted by Ard Biesheuvel 3 months, 1 week ago
On Tue, 28 Oct 2025 at 11:57, Usama Arif <usamaarif642@gmail.com> wrote:
>
> This series addresses critical bugs in the kexec path when transitioning
> from a kernel using 5-level page tables to one using 4-level page tables.
>
> The root cause is improper handling of the PGD entry value during the page-level
> transition. Specifically, the PGD entry value is masked with PAGE_MASK instead of
> PTE_PFN_MASK, failing to account for high-order software bits like
> _PAGE_BIT_NOPTISHADOW (bit 58).
>
> When bit 58 (_PAGE_BIT_NOPTISHADOW) is set in the source kernel, the target
> 4-level kernel doesn't recognize it and fails to mask it properly, leading
> to kexec failure.
>
> Patch 1: Fixes the x86 boot compressed code path by replacing direct CR3
> dereferencing with read_cr3_pa() and using PTE_PFN_MASK instead
> of PAGE_MASK.
>
> Patch 2: Applies the same fix to the EFI stub code path. (Done in a
> separate patch as Fixes tag is different).
>
>
> Co-developed-by: Kiryl Shutsemau <kas@kernel.org>
> Signed-off-by: Kiryl Shutsemau <kas@kernel.org>
> Signed-off-by: Usama Arif <usamaarif642@gmail.com>
> Reported-by: Michael van der Westhuizen <rmikey@meta.com>
> Reported-by: Tobias Fleig <tfleig@meta.com>
>
> The patches are based on aaa9c3550b60d6259d6ea8b1175ade8d1242444e (next-20251022)
>
> v1 -> v2:
> - Remove patch 3 from v1 to fix kexec for source kernel in 5-level to 4-level
>   transition where the 4-level kernel doesn't have patch 1 and 2 (Dave Hansen)
> - Add include for asm/pgtable.h to fix build for x86_64-allnoconfig (kernel test bot)
> - Use native_read_cr3_pa for both paths (Ard Biesheuvel)
>
> Usama Arif (2):
>   x86/boot: Fix page table access in 5-level to 4-level paging
>     transition
>   efi/libstub: Fix page table access in 5-level to 4-level paging
>     transition
>

Reviewed-by: Ard Biesheuvel <ardb@kernel.org>