Linux-ARM-Kernel Archive on lore.kernel.org
* [PATCH v5.10] cpufreq: scmi: Fix null-ptr-deref in scmi_cpufreq_get_rate()
@ 2026-01-05  9:57 Shivani Agarwal
  2026-01-08 16:27 ` Patch "cpufreq: scmi: Fix null-ptr-deref in scmi_cpufreq_get_rate()" has been added to the 5.10-stable tree gregkh
  0 siblings, 1 reply; 2+ messages in thread
From: Shivani Agarwal @ 2026-01-05  9:57 UTC
  To: stable, gregkh
  Cc: sudeep.holla, cristian.marussi, rafael, viresh.kumar, arm-scmi,
	linux-arm-kernel, linux-pm, linux-kernel, ajay.kaher,
	alexey.makhalov, vamsi-krishna.brahmajosyula, yin.ding,
	tapas.kundu, Henry Martin, Sasha Levin, Shivani Agarwal

From: Henry Martin <bsdhenrymartin@gmail.com>

[ Upstream commit 484d3f15cc6cbaa52541d6259778e715b2c83c54 ]

cpufreq_cpu_get_raw() can return NULL when the target CPU is not present
in the policy->cpus mask. scmi_cpufreq_get_rate() does not check for
this case, which results in a NULL pointer dereference.

Add NULL check after cpufreq_cpu_get_raw() to prevent this issue.

Fixes: 99d6bdf33877 ("cpufreq: add support for CPU DVFS based on SCMI message protocol")
Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
Acked-by: Sudeep Holla <sudeep.holla@arm.com>
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[Shivani: Modified to apply on 5.10.y]
Signed-off-by: Shivani Agarwal <shivani.agarwal@broadcom.com>
---
 drivers/cpufreq/scmi-cpufreq.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/drivers/cpufreq/scmi-cpufreq.c b/drivers/cpufreq/scmi-cpufreq.c
index bb1389f27..6b65d537c 100644
--- a/drivers/cpufreq/scmi-cpufreq.c
+++ b/drivers/cpufreq/scmi-cpufreq.c
@@ -29,12 +29,18 @@ static const struct scmi_handle *handle;
 
 static unsigned int scmi_cpufreq_get_rate(unsigned int cpu)
 {
-	struct cpufreq_policy *policy = cpufreq_cpu_get_raw(cpu);
+	struct cpufreq_policy *policy;
+	struct scmi_data *priv;
 	const struct scmi_perf_ops *perf_ops = handle->perf_ops;
-	struct scmi_data *priv = policy->driver_data;
 	unsigned long rate;
 	int ret;
 
+	policy = cpufreq_cpu_get_raw(cpu);
+	if (unlikely(!policy))
+		return 0;
+
+	priv = policy->driver_data;
+
 	ret = perf_ops->freq_get(handle, priv->domain_id, &rate, false);
 	if (ret)
 		return 0;
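
Review bot: The new guard in scmi_cpufreq_get_rate() covers only `policy`; `priv = policy->driver_data` is still dereferenced unchecked at `priv->domain_id` in the freq_get() call. If cpufreq_cpu_get_raw() can return a policy whose driver_data is not set, the same class of fault remains. Either extend the check to `if (unlikely(!policy || !policy->driver_data))` or say in the changelog why driver_data is always valid once a policy is returned.
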
-- 
2.40.4




* Patch "cpufreq: scmi: Fix null-ptr-deref in scmi_cpufreq_get_rate()" has been added to the 5.10-stable tree
  2026-01-05  9:57 [PATCH v5.10] cpufreq: scmi: Fix null-ptr-deref in scmi_cpufreq_get_rate() Shivani Agarwal
@ 2026-01-08 16:27 ` gregkh
  0 siblings, 0 replies; 2+ messages in thread
From: gregkh @ 2026-01-08 16:27 UTC
  To: ajay.kaher, alexey.makhalov, bsdhenrymartin, cristian.marussi,
	gregkh, linux-arm-kernel, rafael, sashal, shivani.agarwal,
	sudeep.holla, tapas.kundu, vamsi-krishna.brahmajosyula,
	viresh.kumar, yin.ding
  Cc: stable-commits


This is a note to let you know that I've just added the patch titled

    cpufreq: scmi: Fix null-ptr-deref in scmi_cpufreq_get_rate()

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     cpufreq-scmi-fix-null-ptr-deref-in-scmi_cpufreq_get_rate.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


From stable+bounces-204627-greg=kroah.com@vger.kernel.org Mon Jan  5 11:19:06 2026
From: Shivani Agarwal <shivani.agarwal@broadcom.com>
Date: Mon,  5 Jan 2026 01:57:01 -0800
Subject: cpufreq: scmi: Fix null-ptr-deref in scmi_cpufreq_get_rate()
To: stable@vger.kernel.org, gregkh@linuxfoundation.org
Cc: sudeep.holla@arm.com, cristian.marussi@arm.com, rafael@kernel.org, viresh.kumar@linaro.org, arm-scmi@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-pm@vger.kernel.org, linux-kernel@vger.kernel.org, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, vamsi-krishna.brahmajosyula@broadcom.com, yin.ding@broadcom.com, tapas.kundu@broadcom.com, Henry Martin <bsdhenrymartin@gmail.com>, Sasha Levin <sashal@kernel.org>, Shivani Agarwal <shivani.agarwal@broadcom.com>
Message-ID: <20260105095701.659420-1-shivani.agarwal@broadcom.com>

From: Henry Martin <bsdhenrymartin@gmail.com>

[ Upstream commit 484d3f15cc6cbaa52541d6259778e715b2c83c54 ]

cpufreq_cpu_get_raw() can return NULL when the target CPU is not present
in the policy->cpus mask. scmi_cpufreq_get_rate() does not check for
this case, which results in a NULL pointer dereference.

Add NULL check after cpufreq_cpu_get_raw() to prevent this issue.

Fixes: 99d6bdf33877 ("cpufreq: add support for CPU DVFS based on SCMI message protocol")
Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
Acked-by: Sudeep Holla <sudeep.holla@arm.com>
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[Shivani: Modified to apply on 5.10.y]
Signed-off-by: Shivani Agarwal <shivani.agarwal@broadcom.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/cpufreq/scmi-cpufreq.c |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/drivers/cpufreq/scmi-cpufreq.c
+++ b/drivers/cpufreq/scmi-cpufreq.c
@@ -29,12 +29,18 @@ static const struct scmi_handle *handle;
 
 static unsigned int scmi_cpufreq_get_rate(unsigned int cpu)
 {
-	struct cpufreq_policy *policy = cpufreq_cpu_get_raw(cpu);
+	struct cpufreq_policy *policy;
+	struct scmi_data *priv;
 	const struct scmi_perf_ops *perf_ops = handle->perf_ops;
-	struct scmi_data *priv = policy->driver_data;
 	unsigned long rate;
 	int ret;
 
+	policy = cpufreq_cpu_get_raw(cpu);
+	if (unlikely(!policy))
+		return 0;
+
+	priv = policy->driver_data;
+
 	ret = perf_ops->freq_get(handle, priv->domain_id, &rate, false);
 	if (ret)
 		return 0;
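
Review bot: The early `return 0;` under `if (unlikely(!policy))` is indistinguishable to the caller from the existing `return 0;` on freq_get() failure, and nothing in the code says why a NULL policy is expected here. A one-line comment above the check, noting that cpufreq_cpu_get_raw() returns NULL when the CPU is not in policy->cpus (as the changelog states), would keep that reasoning with the code. The "[Shivani: Modified to apply on 5.10.y]" tag also does not say what was changed relative to the upstream commit; a short description would help stable reviewers compare the two.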


Patches currently in stable-queue which might be from shivani.agarwal@broadcom.com are

queue-5.10/usb-xhci-move-link-chain-bit-quirk-checks-into-one-helper-function.patch
queue-5.10/crypto-af_alg-zero-initialize-memory-allocated-via-sock_kmalloc.patch
queue-5.10/rdma-core-fix-kasan-slab-use-after-free-read-in-ib_register_device-problem.patch
queue-5.10/ovl-use-buf-flexible-array-for-memcpy-destination.patch
queue-5.10/cpufreq-scmi-fix-null-ptr-deref-in-scmi_cpufreq_get_rate.patch
queue-5.10/drm-vmwgfx-fix-a-null-ptr-access-in-the-cursor-snooper.patch
queue-5.10/scsi-iscsi_tcp-fix-uaf-during-logout-when-accessing-the-shost-ipaddress.patch
queue-5.10/usb-xhci-apply-the-link-chain-quirk-on-nec-isoc-endpoints.patch
queue-5.10/scsi-iscsi-move-pool-freeing.patch

