[PATCH] sched_ext: Fix out-of-bounds access in scx_idle_init_masks()

[PATCH] sched_ext: Fix out-of-bounds access in scx_idle_init_masks()

[David Carlier]

scx_idle_node_masks is allocated with num_possible_nodes() elements but
indexed by NUMA node IDs via for_each_node(). On systems with
non-contiguous NUMA node numbering (e.g. nodes 0 and 4), node IDs can
exceed the array size, causing out-of-bounds memory corruption.

Use nr_node_ids instead, which represents the maximum node ID range and
is the correct size for arrays indexed by node ID.

Fixes: 7c60329e3521 ("sched_ext: Add NUMA-awareness to the default idle selection policy")
Signed-off-by: David Carlier <devnexen@gmail.com>
---
 kernel/sched/ext_idle.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/kernel/sched/ext_idle.c b/kernel/sched/ext_idle.c
index 3d9d404d5cd2..2cca09097d82 100644
--- a/kernel/sched/ext_idle.c
+++ b/kernel/sched/ext_idle.c
@@ -663,8 +663,8 @@ void scx_idle_init_masks(void)
 	BUG_ON(!alloc_cpumask_var(&scx_idle_global_masks.cpu, GFP_KERNEL));
 	BUG_ON(!alloc_cpumask_var(&scx_idle_global_masks.smt, GFP_KERNEL));
 
-	/* Allocate per-node idle cpumasks */
-	scx_idle_node_masks = kcalloc(num_possible_nodes(),
+	/* Allocate per-node idle cpumasks, we need to take in account non-contiguous NUMA nodes */
+	scx_idle_node_masks = kcalloc(nr_node_ids,
 				      sizeof(*scx_idle_node_masks), GFP_KERNEL);
 	BUG_ON(!scx_idle_node_masks);
 
-- 
2.51.0

Re: [PATCH] sched_ext: Fix out-of-bounds access in scx_idle_init_masks()

[Tejun Heo]

Hello,

Applied to sched_ext/for-7.0-fixes with a minor comment cleanup.

Also merged into for-7.1 with a conflict resolution against the kcalloc to
kzalloc_objs conversion.

Thanks.
-- 
tejun