sched_ext: Fix out-of-bounds access in scx_idle_init_masks()

scx_idle_node_masks is allocated with num_possible_nodes() elements but
indexed by NUMA node IDs via for_each_node(). On systems with
non-contiguous NUMA node numbering (e.g. nodes 0 and 4), node IDs can
exceed the array size, causing out-of-bounds memory corruption.

Use nr_node_ids instead, which represents the maximum node ID range and
is the correct size for arrays indexed by node ID.

Fixes: 7c60329e3521 ("sched_ext: Add NUMA-awareness to the default idle selection policy")
Signed-off-by: David Carlier <devnexen@gmail.com>
Signed-off-by: Tejun Heo <tj@kernel.org>

diff --git a/kernel/sched/ext_idle.c b/kernel/sched/ext_idle.c
index 3d9d404d5cd206c196fc51eadd06b74d7334be6c..e2da6c3968a667ec170def37d3bb6557b7f16862 100644 (file)
--- a/kernel/sched/ext_idle.c
+++ b/kernel/sched/ext_idle.c
@@ -663,8 +663,8 @@ void scx_idle_init_masks(void)
        BUG_ON(!alloc_cpumask_var(&scx_idle_global_masks.cpu, GFP_KERNEL));
        BUG_ON(!alloc_cpumask_var(&scx_idle_global_masks.smt, GFP_KERNEL));
 
-       /* Allocate per-node idle cpumasks */
-       scx_idle_node_masks = kcalloc(num_possible_nodes(),
+       /* Allocate per-node idle cpumasks (use nr_node_ids for non-contiguous NUMA nodes) */
+       scx_idle_node_masks = kcalloc(nr_node_ids,
                                      sizeof(*scx_idle_node_masks), GFP_KERNEL);
        BUG_ON(!scx_idle_node_masks);