arch/x86/mm/numa.c | 7 +++++++ 1 file changed, 7 insertions(+)
When NUMA is disabled (numa=off) or the BIOS does not provide an SRAT
table, the kernel falls back to dummy_numa_init(). This function fakes
a single node (Node 0) and maps all memory to it, but it leaves the
__apicid_to_node[] mapping table uninitialized (filled with NUMA_NO_NODE).
This leads to a potential out-of-bounds access in srat_detect_node()
and other topology-related code. Specifically, when numa_cpu_node()
returns NUMA_NO_NODE, some code paths attempt to use cpu_llc_id as a
fallback for the node ID. On modern systems with large APIC IDs, the
cpu_llc_id (derived from APIC ID) can exceed MAX_NUMNODES. Using this
invalid ID in functions like node_online(node) causes memory corruption
or kernel panic.
Fix this by explicitly mapping all unassigned APIC IDs to Node 0 in
dummy_numa_init(). This ensures that numa_cpu_node() consistently
returns Node 0 in non-NUMA environments, avoiding dangerous fallbacks
and keeping the mapping consistent with the fake Node 0.
Signed-off-by: Mouse Zhang <mousezhang7@gmail.com>
---
arch/x86/mm/numa.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/arch/x86/mm/numa.c b/arch/x86/mm/numa.c
index 7a97327140df..673815d95974 100644
--- a/arch/x86/mm/numa.c
+++ b/arch/x86/mm/numa.c
@@ -212,6 +212,13 @@ static int __init dummy_numa_init(void)
node_set(0, numa_nodes_parsed);
numa_add_memblk(0, 0, PFN_PHYS(max_pfn));
+ /* Map all unassociated APIC IDs to the fake node 0 */
+ unsigned int apicid;
+ for (apicid = 0; apicid < MAX_LOCAL_APIC; apicid++) {
+ if (__apicid_to_node[apicid] == NUMA_NO_NODE)
+ __apicid_to_node[apicid] = 0;
+ }
+
return 0;
}
--
2.51.0When NUMA is disabled (numa=off) or the BIOS does not provide an SRAT
table, the kernel falls back to dummy_numa_init(). This function fakes
a single node (Node 0) and maps all memory to it, but it leaves the
__apicid_to_node[] mapping table uninitialized (filled with NUMA_NO_NODE).
This leads to a potential out-of-bounds access in srat_detect_node()
and other topology-related code. Specifically, when numa_cpu_node()
returns NUMA_NO_NODE, some code paths attempt to use cpu_llc_id as a
fallback for the node ID. On modern systems with large APIC IDs, the
cpu_llc_id (derived from APIC ID) can exceed MAX_NUMNODES. Using this
invalid ID in functions like node_online(node) causes memory corruption
or kernel panic.
Fix this by explicitly mapping all unassigned APIC IDs to Node 0 in
dummy_numa_init(). This ensures that numa_cpu_node() consistently
returns Node 0 in non-NUMA environments, avoiding dangerous fallbacks
and keeping the mapping consistent with the fake Node 0.
Signed-off-by: Mouse Zhang <mousezhang7@gmail.com>
---
Fix bad format.
arch/x86/mm/numa.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/arch/x86/mm/numa.c b/arch/x86/mm/numa.c
index 7a97327140df..f78b3ff7a67e 100644
--- a/arch/x86/mm/numa.c
+++ b/arch/x86/mm/numa.c
@@ -212,6 +212,14 @@ static int __init dummy_numa_init(void)
node_set(0, numa_nodes_parsed);
numa_add_memblk(0, 0, PFN_PHYS(max_pfn));
+ /* Map all unassociated APIC IDs to the fake node 0 */
+ unsigned int apicid;
+
+ for (apicid = 0; apicid < MAX_LOCAL_APIC; apicid++) {
+ if (__apicid_to_node[apicid] == NUMA_NO_NODE)
+ __apicid_to_node[apicid] = 0;
+ }
+
return 0;
}
--
2.51.0© 2016 - 2026 Red Hat, Inc.