From: Mouse Zhang
To: mousezhang7@gmail.com
Cc: bp@alien8.de, dave.hansen@linux.intel.com, hpa@zytor.com, linux-kernel@vger.kernel.org, luto@kernel.org, mingo@redhat.com, peterz@infradead.org, tglx@kernel.org, x86@kernel.org
Subject: [v2] x86/numa: Initialize __apicid_to_node in dummy_numa_init() to prevent OOB
Date: Fri, 16 Jan 2026 16:56:13 +0800
Message-ID: <20260116085613.6347-1-mousezhang7@gmail.com>
In-Reply-To: <20260116032321.9841-1-mousezhang7@gmail.com>
References: <20260116032321.9841-1-mousezhang7@gmail.com>
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

When NUMA is disabled (numa=off) or the BIOS does not provide an SRAT table, the kernel falls back to dummy_numa_init(). This function fakes a single node (Node 0) and maps all memory to it, but it leaves the __apicid_to_node[] mapping table uninitialized (filled with NUMA_NO_NODE).

This leads to a potential out-of-bounds access in srat_detect_node() and other topology-related code. Specifically, when numa_cpu_node() returns NUMA_NO_NODE, some code paths attempt to use cpu_llc_id as a fallback for the node ID. On modern systems with large APIC IDs, the cpu_llc_id (derived from APIC ID) can exceed MAX_NUMNODES. Using this invalid ID in functions like node_online(node) causes memory corruption or kernel panic.

Fix this by explicitly mapping all unassigned APIC IDs to Node 0 in dummy_numa_init(). This ensures that numa_cpu_node() consistently returns Node 0 in non-NUMA environments, avoiding dangerous fallbacks and keeping the mapping consistent with the fake Node 0.

Signed-off-by: Mouse Zhang
---
Fix bad format.

 arch/x86/mm/numa.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/arch/x86/mm/numa.c b/arch/x86/mm/numa.c index 7a97327140df..f78b3ff7a67e 100644 --- a/arch/x86/mm/numa.c 
+++ b/arch/x86/mm/numa.c @@ -212,6 +212,14 @@ static int __init dummy_numa_init(void) node_set(0, numa_nodes_parsed); numa_add_memblk(0, 0, PFN_PHYS(max_pfn)); =20 + /* Map all unassociated APIC IDs to the fake node 0 */ + unsigned int apicid; + + for (apicid =3D 0; apicid < MAX_LOCAL_APIC; apicid++) { + if (__apicid_to_node[apicid] =3D=3D NUMA_NO_NODE) + __apicid_to_node[apicid] =3D 0; + } + return 0; } =20 --=20 2.51.0
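
Review bot: The loop added to dummy_numa_init() closes only the dummy path, while the unchecked use the commit message describes (cpu_llc_id taken as a node ID when numa_cpu_node() returns NUMA_NO_NODE, then passed to node_online()) is left as it is, so any other route that leaves an __apicid_to_node[] entry at NUMA_NO_NODE would still reach it. Consider also validating the fallback value against MAX_NUMNODES at the consumer in srat_detect_node(), or state in the changelog why no other init path can leave entries unset. Separately, `unsigned int apicid;` is declared after the node_set() and numa_add_memblk() statements; kernel style puts local declarations at the top of the function, so it should move up beside the other locals.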