Re: [patch V2 3/4] sched/mmcid: Drop per CPU CID immediately when switching to per task mode
From: Peter Zijlstra
Date: Tue Feb 10 2026 - 08:03:54 EST
On Tue, Feb 10, 2026 at 11:51:10AM +0000, Shinichiro Kawasaki wrote:
> On Feb 10, 2026 / 11:44, Thomas Gleixner wrote:
> > On Tue, Feb 10 2026 at 07:33, Shinichiro Kawasaki wrote:
> [...]
> > > [ 65.768341] [ T1296] BUG: KASAN: slab-use-after-free in sched_mm_cid_exit+0x298/0x500
> >
> > Can you please decode these symbols (file/line) so that we actually see
> > which access is flagged by KASAN?
>
> Sure, faddr2line points to the line the patch touched:
>
> $ ./scripts/faddr2line vmlinux sched_mm_cid_exit+0x298/0x500
> sched_mm_cid_exit+0x298/0x500:
> arch_clear_bit at arch/x86/include/asm/bitops.h:79
> (inlined by) clear_bit at include/asm-generic/bitops/instrumented-atomic.h:42
> (inlined by) mm_drop_cid at kernel/sched/sched.h:3746
> (inlined by) mm_drop_cid_on_cpu at kernel/sched/sched.h:3762
> (inlined by) sched_mm_cid_exit at kernel/sched/core.c:10737
Could you please reproduce with the below added?
Just to double check that that cid value isn't out of bounds.
---
diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h
index bd350e40859d..dadfd6abc1fa 100644
--- a/kernel/sched/sched.h
+++ b/kernel/sched/sched.h
@@ -3743,6 +3743,7 @@ static __always_inline bool cid_on_task(unsigned int cid)
static __always_inline void mm_drop_cid(struct mm_struct *mm, unsigned int cid)
{
+ WARN_ONCE(cid >= nr_cpu_ids, "XXX cid(%x) out of range(%x)\n", cid, nr_cpu_ids);
clear_bit(cid, mm_cidmask(mm));
}
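Review bot: The WARN_ONCE added before clear_bit() in mm_drop_cid() reports an out-of-range cid but does not stop the subsequent clear_bit(), so a bad cid would still be written into mm_cidmask(mm) after the warning; for a debug check it is safer to bail out, e.g. `if (WARN_ONCE(cid >= nr_cpu_ids, "..."))` followed by `return;`. Note also that this check only distinguishes the out-of-bounds case: the KASAN report quoted above is a slab-use-after-free at the clear_bit() in mm_drop_cid, which an in-range cid against an already-freed mm_cidmask(mm) would still produce without triggering the warning, so a silent run of this patch does not by itself rule out a lifetime problem with the mm.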