Xen project Mailing List

[PATCH 0/3] x86/pvh: fix unbootable VMs again (PVH + KASAN)

To: Thomas Gleixner <tglx@xxxxxxxxxx>, Ingo Molnar <mingo@xxxxxxxxxx>, Borislav Petkov <bp@xxxxxxxxx>, Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx>, x86@xxxxxxxxxx, "H. Peter Anvin" <hpa@xxxxxxxxx>, Juergen Gross <jgross@xxxxxxxx>, Alexey Dobriyan <adobriyan@xxxxxxxxx>, Boris Ostrovsky <boris.ostrovsky@xxxxxxxxxx>

From: Mauricio Faria de Oliveira <mfo@xxxxxxxxxx>

Date: Wed, 22 Apr 2026 17:07:44 -0300

Authentication-results: eu.smtp.expurgate.cloud; dkim=pass header.s=20170329 header.d=igalia.com header.i="@igalia.com" header.h="Cc:To:Content-Transfer-Encoding:Content-Type:MIME-Version:Message-Id:Date:Subject:From"

Cc: kernel-dev@xxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx, xen-devel@xxxxxxxxxxxxxxxxxxxx, Mauricio Faria de Oliveira <mfo@xxxxxxxxxx>

Delivery-date: Thu, 23 Apr 2026 06:21:31 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

The issue of unbootable VMs with CONFIG_PVH due to CONFIG_KASAN is back. Booting directly from vmlinux (instead of bzImage) now fails with gcc-14/15 (but works with gcc-12/13) if CONFIG_KASAN_GENERIC is set, on Ubuntu 25.10. The PVH code is required/supposed not to hit the KASAN memory access check in the kernel entry point as KASAN has not yet been setup, or an exception is hit and the boot fails. This was previously described and addressed with __builtin_mem{cmp,set}(): - commit 661362e3dcab ("xen, pvh: fix unbootable VMs (PVH + KASAN - AMD_MEM_ENCRYPT)") - commit 416a33c9afce ("x86/cpu: fix unbootable VMs by inlining memcmp() in hypervisor_cpuid_base()") - commit fbe5a6dfe492 ("xen, pvh: fix unbootable VMs by inlining memset() in xen_prepare_pvh()") However, even with __builtin the compiler may decide to use the out of line function instead of the inline implementation. So, that does not really fix the issue unconditionally, as it's being seen (details below). In order to address this, it's required to switch to inline implementations that do not depend on the compiler. There's such a memset in <asm/string.h> and memcmp in 'boot/string.c', now exposed in <asm/string.h> too. Use them instead of builtins in PVH entry. Testing: - Booting from vmlinux (fixed) and bzImage (still works) using allnoconfig + CONFIG_PVH + CONFIG_KASAN with gcc-12/13/14/15. - Building allyesconfig (check for issues with <asm/string.h>). Details/Debugging: - Only CONFIG_PVH (works): make allnoconfig ./scripts/config \ -e 64BIT -e HYPERVISOR_GUEST -e PVH \ -e SERIAL_8250 -e SERIAL_8250_CONSOLE make olddefconfig make -j$(nproc) vmlinux qemu-system-x86_64 \ -accel kvm -nodefaults -nographic -serial stdio \ -kernel vmlinux -append 'console=ttyS0' ... SeaBIOS (version ...) Booting from ROM... Linux version ... ... <Ctrl-C> - With CONFIG_KASAN (fails) ./scripts/config -e KASAN make olddefconfig make -j$(nproc) vmlinux qemu-system-x86_64 \ -accel kvm -nodefaults -nographic -serial stdio \ -kernel vmlinux -append 'console=ttyS0' ... SeaBIOS (version ...) Booting from ROM... <QEMU reboot loop, flashing the text above> - Debugging: Enable debug info and rebuild. QEMU: enable and wait for GDB, stop rebooting, remain running. qemu-system-x86_64 \ -s -S -no-reboot -no-shutdown \ <other options> gdb vmlinux (gdb) target remote localhost:1234 ... (gdb) c ... Thread 2 received signal SIGQUIT, Quit. ... (gdb) info threads Id Target Id Frame 1 Thread 1.1 (CPU#0 [running]) bytes_is_nonzero ( start=0xfffffbfff031eebe <error: Cannot access memory at address 0xfffffbfff031eebe>, size=1) at .../linux/mm/kasan/generic.c:98 * 2 Thread 1.2 (CPU#1 [halted ]) 0x00000000000fd0a9 in ?? () ... (gdb) thr 1 ... (gdb) bt #0 bytes_is_nonzero (start=0xfffffbfff031eebe <error: Cannot access memory at address 0xfffffbfff031eebe>, size=1) at .../linux/mm/kasan/generic.c:98 #1 memory_is_nonzero (start=0xfffffbfff031eebe, end=0xfffffbfff031eebf) at .../linux/mm/kasan/generic.c:115 #2 memory_is_poisoned_n (addr=0xffffffff818f75f0, size=8) at .../linux/mm/kasan/generic.c:140 #3 memory_is_poisoned (addr=0xffffffff818f75f0, size=8) at .../linux/mm/kasan/generic.c:172 #4 check_region_inline (addr=0xffffffff818f75f0, size=8, write=false, ret_ip=18446744071585002062) at .../linux/mm/kasan/generic.c:191 #5 kasan_check_range (addr=addr@entry=0xffffffff818f75f0, size=size@entry=8, write=write@entry=false, ret_ip=18446744071585002062) at .../linux/mm/kasan/generic.c:200 #6 0xffffffff813eb283 in __asan_loadN (addr=addr@entry=0xffffffff818f75f0, size=size@entry=8) at .../linux/mm/kasan/generic.c:278 #7 0xffffffff815df24e in memcmp (cs=cs@entry=0xffffffff818f75f0, ct=ct@entry=0x1be2fe4, count=<optimized out>, count@entry=12) at .../linux/lib/string.c:683 #8 0xffffffff81ba2323 in cpuid_base_hypervisor (sig=0xffffffff818f75f0 "XenVMMXenVMM", leaves=2) at .../linux/arch/x86/include/asm/cpuid/api.h:206 #9 xen_cpuid_base () at .../linux/arch/x86/include/asm/xen/hypervisor.h:46 #10 xen_prepare_pvh () at .../linux/arch/x86/platform/pvh/enlighten.c:119 #11 0x0000000001ba2588 in ?? () #12 0x0000000000000000 in ?? () (gdb) Frames #7-#8 show the non-builtin memcmp() (lib/string.c) was called even with __builtin_memcmp() being used in cpuid_base_hypervisor(). Signed-off-by: Mauricio Faria de Oliveira <mfo@xxxxxxxxxx> --- Mauricio Faria de Oliveira (3): x86/asm, x86/boot: Expose inline memcmp x86/cpuid: fix unbootable VMs by really inlining memcmp() in hypervisor_cpuid_base() x86/pvh: fix unbootable VMs by really inlining memset() in xen_prepare_pvh() arch/x86/boot/string.c | 6 ++---- arch/x86/include/asm/cpuid/api.h | 2 +- arch/x86/include/asm/string.h | 11 +++++++++++ arch/x86/platform/pvh/enlighten.c | 3 ++- 4 files changed, 16 insertions(+), 6 deletions(-) --- base-commit: 6596a02b207886e9e00bb0161c7fd59fea53c081 change-id: 20260422-pvh-kasan-inline-6efac77f1b27 Best regards, -- Mauricio Faria de Oliveira <mfo@xxxxxxxxxx>

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.