Re: [PATCH] cpufreq: intel_pstate: Fix NULL pointer dereference in update_cpu_qos_request()
From: Rafael J. Wysocki
Date: Tue Feb 24 2026 - 09:42:10 EST
On Tue, Feb 24, 2026 at 1:21 PM David Arcari <darcari@xxxxxxxxxx> wrote:
>
> The update_cpu_qos_request() function attempts to initialize the 'freq'
> variable by dereferencing 'cpudata' before verifying if the 'policy'
> is valid.
>
> This issue occurs on systems booted with the "nosmt" parameter, where
> all_cpu_data[cpu] is NULL for the SMT sibling threads. As a result,
> any call to update_qos_requests() will result in a NULL pointer
> dereference as the code will attempt to access pstate.turbo_freq using
> the NULL cpudata pointer.
>
> Fix this by deferring the 'freq' assignment until after the policy and
> driver_data have been validated.
>
> Fixes: ae1bdd23b99f ("cpufreq: intel_pstate: Adjust frequency percentage computations")
> Reported-by: Jirka Hladky <jhladky@xxxxxxxxxx>
> Closes: https://lore.kernel.org/all/CAE4VaGDfiPvz3AzrwrwM4kWB3SCkMci25nPO8W1JmTBd=xHzZg@xxxxxxxxxxxxxx/
> Signed-off-by: David Arcari <darcari@xxxxxxxxxx>
Applied as 7.0-rc material, thanks!
> ---
> drivers/cpufreq/intel_pstate.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c
> index a48af3540c74..bdc37080d319 100644
> --- a/drivers/cpufreq/intel_pstate.c
> +++ b/drivers/cpufreq/intel_pstate.c
> @@ -1647,8 +1647,8 @@ static ssize_t store_no_turbo(struct kobject *a, struct kobj_attribute *b,
> static void update_cpu_qos_request(int cpu, enum freq_qos_req_type type)
> {
> struct cpudata *cpudata = all_cpu_data[cpu];
> - unsigned int freq = cpudata->pstate.turbo_freq;
> struct freq_qos_request *req;
> + unsigned int freq;
>
> struct cpufreq_policy *policy __free(put_cpufreq_policy) = cpufreq_cpu_get(cpu);
> if (!policy)
> @@ -1661,6 +1661,8 @@ static void update_cpu_qos_request(int cpu, enum freq_qos_req_type type)
> if (hwp_active)
> intel_pstate_get_hwp_cap(cpudata);
>
> + freq = cpudata->pstate.turbo_freq;
> +
> if (type == FREQ_QOS_MIN) {
> freq = DIV_ROUND_UP(freq * global.min_perf_pct, 100);
> } else {
> --
> 2.52.0
>