Re: [BUG] sched_mm_cid_exit+0xe2: page fault on CID bitmap write with nopti on 6.19.0
From: Mike Fara
Date: Thu Feb 12 2026 - 17:29:14 EST
To: mathieu.desnoyers@xxxxxxxxxxxx
Cc: peterz@xxxxxxxxxxxxx, mingo@xxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx, mjfara@xxxxxxxxx
Subject: Re: [BUG] sched_mm_cid_exit+0xe2: page fault on CID bitmap write with nopti on 6.19.0
Hi Mathieu,
Confirmed. Rebuilt 6.19.0 with commit 1e83ccd5921a cherry-picked,
CONFIG_SCHED_MM_CID=y, and nopti still on the cmdline. Clean boot,
no oopses.
Verified the fix is compiled in by disassembling sched_mm_cid_exit
from the running kernel. The inlined mm_drop_cid_on_cpu() now has
the cid_on_cpu() guard before the lock btr:
mm_drop_cid_on_cpu (inlined at sched_mm_cid_exit+0xc4):
    mov    (%rcx),%eax           # Load pcp->cid
    test   $0x40000000,%eax      # Test ONCPU bit (bit 30)
    je     <skip>                # Not CPU-owned? Skip drop entirely
    and    $0xbfffffff,%eax      # Clear ONCPU: cpu_cid_to_cid()
    mov    %eax,(%rcx)           # Store back
    ...
    lock btr %rax,(%rcx)         # mm_drop_cid (bitmap clear)
<skip>:
    ...                          # Continue safely
Without the fix, the code would fall through to lock btr with a
garbage bit number derived from the TRANSIT flag (bit 29), causing
the out-of-bounds write we reported.
System info:
# uname -a
6.19.0-gce #2 SMP PREEMPT_DYNAMIC Thu Feb 12 21:42:52 UTC 2026 x86_64
# grep SCHED_MM_CID /boot/config-$(uname -r)
CONFIG_SCHED_MM_CID=y
# Boot cmdline includes: nopti mitigations=off
# dmesg | grep -i 'BUG\|oops\|sched_mm\|page.fault'
(clean - no errors)
Will continue soak testing and report back if anything surfaces.
Tested-by: Mike Fara <mjfara@xxxxxxxxx>
Thanks,
Mike Fara
mjfara@xxxxxxxxx
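The failure mode the reply describes, as an added stand-alone C model that is not kernel code and not something the reporter posted: a per-CPU CID word with ONCPU at bit 30 and TRANSIT at bit 29 (both positions taken from the mail), a small CID bitmap, and the drop routine in its pre-fix shape (fall straight through to the bitmap clear) beside its guarded shape (skip unless cid_on_cpu()). The struct and function names, the bitmap size and the layout of the low bits are assumptions made for the example; the real kernel helpers are only mirrored, not reproduced.

```c
/*
 * Added example (not kernel code): models the per-CPU CID word the report
 * describes and contrasts the unguarded drop with the guarded one.
 * Bit positions come from the mail (ONCPU = bit 30, TRANSIT = bit 29);
 * every ex_* name, the bitmap size and the cid mask are assumptions.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EX_CID_ONCPU     (1u << 30)  /* the "test $0x40000000" in the disassembly */
#define EX_CID_TRANSIT   (1u << 29)  /* the "TRANSIT flag (bit 29)" in the report */
#define EX_NR_CIDS       64u         /* assumed bitmap size for the example */
#define EX_BITS_PER_LONG (8u * sizeof(unsigned long))
#define EX_BITMAP_LONGS  ((EX_NR_CIDS + EX_BITS_PER_LONG - 1) / EX_BITS_PER_LONG)

struct ex_mm {
    unsigned long cid_bitmap[EX_BITMAP_LONGS];
};

static bool ex_cid_on_cpu(uint32_t cpu_cid)
{
    return (cpu_cid & EX_CID_ONCPU) != 0;
}

/* "and $0xbfffffff,%eax": clear ONCPU, keep everything else (TRANSIT included). */
static uint32_t ex_cpu_cid_to_cid(uint32_t cpu_cid)
{
    return cpu_cid & ~EX_CID_ONCPU;
}

static bool ex_test_bit(const struct ex_mm *mm, uint32_t bit)
{
    return (mm->cid_bitmap[bit / EX_BITS_PER_LONG] >> (bit % EX_BITS_PER_LONG)) & 1u;
}

/*
 * Software stand-in for "lock btr %rax,(%rcx)". On x86 a bit-string
 * instruction with a register bit offset and a memory operand addresses
 * bits anywhere around the base, so a bit number of 0x20000005 would touch
 * memory about 64 MiB past the bitmap. The model refuses out-of-range
 * indices and reports them instead of corrupting memory.
 */
static bool ex_clear_bit_checked(struct ex_mm *mm, uint32_t bit)
{
    if (bit >= EX_NR_CIDS)
        return false; /* this is where the out-of-bounds write would happen */
    mm->cid_bitmap[bit / EX_BITS_PER_LONG] &= ~(1ul << (bit % EX_BITS_PER_LONG));
    return true;
}

/* Pre-fix shape: no ownership check, falls straight through to the clear. */
static uint32_t ex_drop_cid_unguarded(struct ex_mm *mm, uint32_t *pcp_cid, bool *in_range)
{
    uint32_t cid = ex_cpu_cid_to_cid(*pcp_cid);
    *pcp_cid = cid;
    *in_range = ex_clear_bit_checked(mm, cid);
    return cid;
}

/* Fixed shape: the cid_on_cpu() guard skips the drop when the CPU does not own the cid. */
static bool ex_drop_cid_guarded(struct ex_mm *mm, uint32_t *pcp_cid)
{
    if (!ex_cid_on_cpu(*pcp_cid))
        return false; /* the "je <skip>" path */
    uint32_t cid = ex_cpu_cid_to_cid(*pcp_cid);
    *pcp_cid = cid;
    return ex_clear_bit_checked(mm, cid);
}

/* Constructed state: a fresh mm whose bitmap has exactly one cid allocated. */
static void ex_mm_init(struct ex_mm *mm, uint32_t cid)
{
    memset(mm, 0, sizeof(*mm));
    mm->cid_bitmap[cid / EX_BITS_PER_LONG] |= 1ul << (cid % EX_BITS_PER_LONG);
}

int main(void)
{
    struct ex_mm mm;
    uint32_t pcp, bit;
    bool in_range;

    /* Constructed input 1: this CPU owns cid 5; the guarded drop clears bit 5. */
    ex_mm_init(&mm, 5);
    pcp = EX_CID_ONCPU | 5;
    printf("owned:   guarded dropped=%d bit5=%d\n",
           ex_drop_cid_guarded(&mm, &pcp), ex_test_bit(&mm, 5));

    /* Constructed input 2: cid 5 is in TRANSIT, not owned; guarded drop skips. */
    ex_mm_init(&mm, 5);
    pcp = EX_CID_TRANSIT | 5;
    printf("transit: guarded dropped=%d bit5=%d\n",
           ex_drop_cid_guarded(&mm, &pcp), ex_test_bit(&mm, 5));

    /* Same input through the pre-fix path: bit number is TRANSIT|5, far out of range. */
    ex_mm_init(&mm, 5);
    pcp = EX_CID_TRANSIT | 5;
    bit = ex_drop_cid_unguarded(&mm, &pcp, &in_range);
    printf("transit: unguarded bit=%#x in_range=%d\n", bit, in_range);
    return 0;
}
```

The point the model makes concrete is that clearing ONCPU does not clear TRANSIT, so a word that was never CPU-owned becomes a bit index with bit 29 still set, and btr with a register index will happily address that far outside the bitmap; the guard has to test ownership before the bit number is ever formed.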