From: Jeremie Courreges-Anglas <jca@wxcvbn.org>
Subject: Re: amd64: zero direct map page tables in pmap_bootstrap
To: Chris Cunningham <chris@abditory.io>
Cc: "tech@openbsd.org" <tech@openbsd.org>
Date: Sat, 4 Apr 2026 09:01:15 +0200

On Sat, Apr 04, 2026 at 03:14:07AM +0000, Chris Cunningham wrote:
> Hello!
> 
> It took me a while but I think I've tracked down what was causing
> one of my computers to fail to boot on 7.8. I was hitting an early
> amd64 boot failure in pmap_randomize() on a WRX90 / Ryzen
> Threadripper PRO 9995WX system with 512 GB of RAM.
> 
> I was able to reproduce it with both 7.8 and 7.9-beta install
> kernels. The first explicit failure I captured was:
> 
> panic: pmap_randomize_level: invalid L2[1fc.001.1e0] entry
> 0xe38b0beaefcb0bee
> 
> After instrumenting the walk, the failure narrowed to the direct map
> under L4[1fc]. The direct-map lower-level page-table pages allocated
> from first_avail in pmap_bootstrap() were being partially populated
> without first being zeroed. On this machine, unused entries in those
> pages retained stale present/frame bits, and pmap_randomize() later
> walked them as if they were real lower-level page tables.

Nice find!

> The attached patch zeros those bootstrap direct-map page-table pages
> before they are populated:
> 
> - the initial ndmpdp * PAGE_SIZE block
> - each extra-slot L3 page
> - each extra-slot L2 page

Looks safe and makes sense to me, ok jca@, let's see what others say.

-- 
jca