Re: [BUG] sched_mm_cid_exit+0xe2: page fault on CID bitmap write with nopti on 6.19.0
From: Thomas Gleixner
Date: Thu Feb 12 2026 - 18:22:09 EST
On Thu, Feb 12 2026 at 16:19, Mathieu Desnoyers wrote:
> On 2026-02-12 16:12, root wrote:
>> I'm hitting a repeatable page fault in sched_mm_cid_exit() on 6.19.0
>> when booting with nopti. The crash occurs during process exit
>> (do_exit -> sched_mm_cid_exit) on an atomic bit-clear (lock btr) of
>> the CID bitmap. The faulting address is within a 2MB huge page that
>> returns a permissions violation on supervisor write access.
>>
>> The bug triggered 8 times over ~20 hours on a single boot, hitting
>> multiple unrelated processes (git, gce_workload_ce). Eventually D-Bus
>> died and systemd became non-functional, requiring a hard power-off.
>
> Can you confirm whether the following fix in Linus' tree fixes your issue?
It's exactly that problem:

    2a:* f0 48 0f b3 10    lock btr %rdx,(%rax)    <-- trapping instruction

    RDX: 0000000020000006

which has the TRANSIT bit set and that's what the commit below fixes:
> commit 1e83ccd5921a ("sched/mmcid: Don't assume CID is CPU owned on mode switch")