Re: [BUG] sched_mm_cid_exit+0xe2: page fault on CID bitmap write with nopti on 6.19.0
From: Greg Kroah-Hartman
Date: Fri Feb 13 2026 - 06:16:41 EST
On Fri, Feb 13, 2026 at 12:21:52AM +0100, Thomas Gleixner wrote:
> On Thu, Feb 12 2026 at 16:19, Mathieu Desnoyers wrote:
> > On 2026-02-12 16:12, root wrote:
> >> I'm hitting a repeatable page fault in sched_mm_cid_exit() on 6.19.0
> >> when booting with nopti. The crash occurs during process exit
> >> (do_exit -> sched_mm_cid_exit) on an atomic bit-clear (lock btr) of
> >> the CID bitmap. The faulting address is within a 2MB huge page that
> >> returns a permissions violation on supervisor write access.
> >>
> >> The bug triggered 8 times over ~20 hours on a single boot, hitting
> >> multiple unrelated processes (git, gce_workload_ce). Eventually D-Bus
> >> died and systemd became non-functional, requiring a hard power-off.
> >
> > Can you confirm whether the following fix in Linus' tree fixes your issue?
>
> It's exactly that problem:
>
> 2a:* f0 48 0f b3 10 lock btr %rdx,(%rax) <-- trapping instruction
>
> RDX: 0000000020000006
>
> which has the TRANSIT bit set and that's what below fixes:
>
> > commit 1e83ccd5921a ("sched/mmcid: Don't assume CID is CPU owned on mode switch")
>
Great, I'll go grab it now.
thanks,
greg k-h
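
Why that RDX value turns a bitmap clear into a page fault, as an added worked example (not code from this thread or from the kernel): with a register bit offset and a memory operand, a 64-bit `lock btr` addresses the quadword at base + 8 * (offset / 64), so a flag bit left in the index moves the write far outside the bitmap. It assumes TRANSIT is bit 29, the only high bit set in the quoted RDX; `cid_index` and `checked_clear_bit` are hypothetical helpers and the 64-bit bitmap is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: TRANSIT is bit 29, the only high bit set in RDX 0x20000006. */
#define CID_TRANSIT (UINT32_C(1) << 29)

/* Byte displacement from the bitmap base that a 64-bit `btr %reg,(mem)`
 * touches for a non-negative register bit offset: 8 * (offset / 64). */
static uint64_t btr_byte_offset(uint64_t bitoff) { return 8 * (bitoff / 64); }

/* Bit cleared inside that quadword. */
static unsigned btr_bit_in_word(uint64_t bitoff) { return (unsigned)(bitoff % 64); }

/* Hypothetical helper: the plain CID index with the flag bit stripped. */
static uint32_t cid_index(uint32_t cid) { return cid & ~CID_TRANSIT; }

/* Hypothetical bounds-checked clear (non-atomic userland model): refuses any
 * index outside the bitmap instead of letting it become a wild write. */
static bool checked_clear_bit(uint64_t *map, unsigned nbits, uint32_t idx)
{
    if (idx >= nbits)
        return false;
    map[idx / 64] &= ~(UINT64_C(1) << (idx % 64));
    return true;
}

int main(void)
{
    const uint32_t rdx = 0x20000006u;       /* value from the oops above */
    uint64_t map[1] = { UINT64_C(1) << 6 }; /* constructed 64-bit CID bitmap */

    printf("raw:      base+0x%llx, bit %u\n",
           (unsigned long long)btr_byte_offset(rdx), btr_bit_in_word(rdx));
    printf("stripped: base+0x%llx, bit %u\n",
           (unsigned long long)btr_byte_offset(cid_index(rdx)),
           btr_bit_in_word(cid_index(rdx)));
    printf("checked clear, raw:      %d\n", checked_clear_bit(map, 64, rdx));
    printf("checked clear, stripped: %d\n",
           checked_clear_bit(map, 64, cid_index(rdx)));
    return 0;
}
```

With the flag bit left in, the target quadword sits 0x4000000 bytes (64 MiB) past the bitmap base; with it stripped, the same instruction clears bit 6 of the first quadword.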