[PATCH RFC] PM: EM: Add to em_pd_list only when no failure

Posted by Peng Fan 3 months, 1 week ago
When em_create_perf_table() returns failure, pd is freed, there dev->em_pd
is not valid. Then accessing dev->em_pd->node will trigger kernel panic
in em_dev_register_pd_no_update(). So return early if 'ret' is non-zero.

Kernel dump:
cpu cpu0: EM: invalid power: 0
Unable to handle kernel NULL pointer dereference at virtual address
0000000000000008
Mem abort info:
pc : em_dev_register_pd_no_update+0xb4/0x79c
lr : em_dev_register_pd_no_update+0x9c/0x79c
Call trace:
 em_dev_register_pd_no_update+0xb4/0x79c (P)
 em_dev_register_perf_domain+0x18/0x58
 scmi_cpufreq_register_em+0x84/0xb8
 cpufreq_online+0x48c/0xb74
 cpufreq_add_dev+0x80/0x98
 subsys_interface_register+0x100/0x11c
 cpufreq_register_driver+0x158/0x278
 scmi_cpufreq_probe+0x1f8/0x2e0
 scmi_dev_probe+0x28/0x3c
 really_probe+0xbc/0x29c
 __driver_probe_device+0x78/0x12c
 driver_probe_device+0x3c/0x15c
 __device_attach_driver+0xb8/0x134
 bus_for_each_drv+0x84/0xe4

Fixes: cbe5aeedecc7 ("PM: EM: Assign a unique ID when creating a performance domain")
Signed-off-by: Peng Fan <peng.fan@nxp.com>
---
 kernel/power/energy_model.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/kernel/power/energy_model.c b/kernel/power/energy_model.c
index e669d5057fca6da9612575a1c626474e60e7f7c4..11af9f64aa8276e47e0a5b2d615b227368af5480 100644
--- a/kernel/power/energy_model.c
+++ b/kernel/power/energy_model.c
@@ -693,13 +693,16 @@ int em_dev_register_pd_no_update(struct device *dev, unsigned int nr_states,
 
 unlock:
 	mutex_unlock(&em_pd_mutex);
+	if (ret)
+		return ret;
 
 	mutex_lock(&em_pd_list_mutex);
 	list_add_tail(&dev->em_pd->node, &em_pd_list);
 	mutex_unlock(&em_pd_list_mutex);
 
 	em_notify_pd_created(dev->em_pd);
-	return ret;
+
+	return 0;
 }
 EXPORT_SYMBOL_GPL(em_dev_register_pd_no_update);
 

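Review bot: the new `if (ret)` check sits directly under the shared `unlock:` label, so it only protects `list_add_tail(&dev->em_pd->node, &em_pd_list)` as long as every failing jump to `unlock:` leaves `ret` non-zero, and nothing in the visible lines states that invariant. A one-line comment above the check, saying that `dev->em_pd` is not valid when `ret` is set, would keep a later error path from reintroducing the dereference.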
---
base-commit: f7d2388eeec24966fc4d5cf32d706f0514f29ac5
change-id: 20251028-fix-energy-6b63b72ae9c6

Best regards,
-- 
Peng Fan <peng.fan@nxp.com>
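The failure path described in the commit message above, as an added example that is not part of the original thread or of the kernel source: a userspace C model in which creation fails for power 0, `dev->em_pd` stays NULL, and the early return keeps the list untouched. `create_pd`, `register_pd`, `pd_list` and `pd_list_len` are hypothetical names, and the simplified `list_head` helper is constructed for this model.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
/* Constructed userspace model of the error path; hypothetical names, not kernel code. */
struct list_head { struct list_head *next, *prev; };
struct perf_domain { int id; struct list_head node; };
struct device { struct perf_domain *em_pd; };
static struct list_head pd_list = { &pd_list, &pd_list };

static void list_add_tail(struct list_head *n, struct list_head *head)
{
	n->prev = head->prev; n->next = head;
	head->prev->next = n; head->prev = n;
}
size_t pd_list_len(void)
{
	size_t len = 0;
	for (struct list_head *p = pd_list.next; p != &pd_list; p = p->next)
		len++;
	return len;
}
/* Stand-in for table creation (assumption): power == 0 is rejected and pd is freed. */
static int create_pd(struct device *dev, unsigned int power)
{
	struct perf_domain *pd = calloc(1, sizeof(*pd));
	if (!pd)
		return -ENOMEM;
	if (power == 0) {
		free(pd);	/* dev->em_pd was never set, so it stays NULL */
		return -EINVAL;
	}
	dev->em_pd = pd;
	return 0;
}

int register_pd(struct device *dev, unsigned int power)
{
	int ret = create_pd(dev, power);
	if (ret)	/* early return, as in the patch: skip the list on failure */
		return ret;
	list_add_tail(&dev->em_pd->node, &pd_list);	/* requires a valid em_pd */
	return 0;
}

int main(void)
{
	struct device bad = { NULL }, good = { NULL };
	int r1 = register_pd(&bad, 0), r2 = register_pd(&good, 1000);
	printf("bad=%d good=%d listed=%zu\n", r1, r2, pd_list_len());
	return 0;
}
```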
Re: [PATCH RFC] PM: EM: Add to em_pd_list only when no failure
Posted by Lukasz Luba 3 months, 1 week ago

On 10/28/25 14:23, Peng Fan wrote:
> When em_create_perf_table() returns failure, pd is freed, there dev->em_pd
> is not valid. Then accessing dev->em_pd->node will trigger kernel panic
> in em_dev_register_pd_no_update(). So return early if 'ret' is non-zero.
> 
> Kernel dump:
> cpu cpu0: EM: invalid power: 0
> Unable to handle kernel NULL pointer dereference at virtual address
> 0000000000000008
> Mem abort info:
> pc : em_dev_register_pd_no_update+0xb4/0x79c
> lr : em_dev_register_pd_no_update+0x9c/0x79c
> Call trace:
>   em_dev_register_pd_no_update+0xb4/0x79c (P)
>   em_dev_register_perf_domain+0x18/0x58
>   scmi_cpufreq_register_em+0x84/0xb8
>   cpufreq_online+0x48c/0xb74
>   cpufreq_add_dev+0x80/0x98
>   subsys_interface_register+0x100/0x11c
>   cpufreq_register_driver+0x158/0x278
>   scmi_cpufreq_probe+0x1f8/0x2e0
>   scmi_dev_probe+0x28/0x3c
>   really_probe+0xbc/0x29c
>   __driver_probe_device+0x78/0x12c
>   driver_probe_device+0x3c/0x15c
>   __device_attach_driver+0xb8/0x134
>   bus_for_each_drv+0x84/0xe4
> 
> Fixes: cbe5aeedecc7 ("PM: EM: Assign a unique ID when creating a performance domain")
> Signed-off-by: Peng Fan <peng.fan@nxp.com>
> ---
>   kernel/power/energy_model.c | 5 ++++-
>   1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/kernel/power/energy_model.c b/kernel/power/energy_model.c
> index e669d5057fca6da9612575a1c626474e60e7f7c4..11af9f64aa8276e47e0a5b2d615b227368af5480 100644
> --- a/kernel/power/energy_model.c
> +++ b/kernel/power/energy_model.c
> @@ -693,13 +693,16 @@ int em_dev_register_pd_no_update(struct device *dev, unsigned int nr_states,
>   
>   unlock:
>   	mutex_unlock(&em_pd_mutex);
> +	if (ret)
> +		return ret;
>   
>   	mutex_lock(&em_pd_list_mutex);
>   	list_add_tail(&dev->em_pd->node, &em_pd_list);
>   	mutex_unlock(&em_pd_list_mutex);
>   
>   	em_notify_pd_created(dev->em_pd);
> -	return ret;
> +
> +	return 0;
>   }
>   EXPORT_SYMBOL_GPL(em_dev_register_pd_no_update);
>   
> 
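Review bot: `dev->em_pd` is still read at `list_add_tail(&dev->em_pd->node, &em_pd_list)` after `mutex_unlock(&em_pd_mutex)` and under a different lock, `em_pd_list_mutex`. The hunk does not show what keeps `dev->em_pd` stable between the two critical sections, so either document why it cannot change in that window or consider whether the insertion can happen before `em_pd_mutex` is dropped.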
> ---
> base-commit: f7d2388eeec24966fc4d5cf32d706f0514f29ac5
> change-id: 20251028-fix-energy-6b63b72ae9c6
> 
> Best regards,


Thank you for the patch!

Reviewed-by: Lukasz Luba <lukasz.luba@arm.com>
Re: [PATCH RFC] PM: EM: Add to em_pd_list only when no failure
Posted by Rafael J. Wysocki 3 months, 1 week ago
On Wed, Oct 29, 2025 at 10:00 AM Lukasz Luba <lukasz.luba@arm.com> wrote:
>
>
>
> On 10/28/25 14:23, Peng Fan wrote:
> > When em_create_perf_table() returns failure, pd is freed, there dev->em_pd
> > is not valid. Then accessing dev->em_pd->node will trigger kernel panic
> > in em_dev_register_pd_no_update(). So return early if 'ret' is non-zero.
> >
> > Kernel dump:
> > cpu cpu0: EM: invalid power: 0
> > Unable to handle kernel NULL pointer dereference at virtual address
> > 0000000000000008
> > Mem abort info:
> > pc : em_dev_register_pd_no_update+0xb4/0x79c
> > lr : em_dev_register_pd_no_update+0x9c/0x79c
> > Call trace:
> >   em_dev_register_pd_no_update+0xb4/0x79c (P)
> >   em_dev_register_perf_domain+0x18/0x58
> >   scmi_cpufreq_register_em+0x84/0xb8
> >   cpufreq_online+0x48c/0xb74
> >   cpufreq_add_dev+0x80/0x98
> >   subsys_interface_register+0x100/0x11c
> >   cpufreq_register_driver+0x158/0x278
> >   scmi_cpufreq_probe+0x1f8/0x2e0
> >   scmi_dev_probe+0x28/0x3c
> >   really_probe+0xbc/0x29c
> >   __driver_probe_device+0x78/0x12c
> >   driver_probe_device+0x3c/0x15c
> >   __device_attach_driver+0xb8/0x134
> >   bus_for_each_drv+0x84/0xe4
> >
> > Fixes: cbe5aeedecc7 ("PM: EM: Assign a unique ID when creating a performance domain")
> > Signed-off-by: Peng Fan <peng.fan@nxp.com>
> > ---
> >   kernel/power/energy_model.c | 5 ++++-
> >   1 file changed, 4 insertions(+), 1 deletion(-)
> >
> > diff --git a/kernel/power/energy_model.c b/kernel/power/energy_model.c
> > index e669d5057fca6da9612575a1c626474e60e7f7c4..11af9f64aa8276e47e0a5b2d615b227368af5480 100644
> > --- a/kernel/power/energy_model.c
> > +++ b/kernel/power/energy_model.c
> > @@ -693,13 +693,16 @@ int em_dev_register_pd_no_update(struct device *dev, unsigned int nr_states,
> >
> >   unlock:
> >       mutex_unlock(&em_pd_mutex);
> > +     if (ret)
> > +             return ret;
> >
> >       mutex_lock(&em_pd_list_mutex);
> >       list_add_tail(&dev->em_pd->node, &em_pd_list);
> >       mutex_unlock(&em_pd_list_mutex);
> >
> >       em_notify_pd_created(dev->em_pd);
> > -     return ret;
> > +
> > +     return 0;
> >   }
> >   EXPORT_SYMBOL_GPL(em_dev_register_pd_no_update);
> >
> >
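Review bot: the subject and changelog mention only the `em_pd_list` insertion, but with the early return placed before `mutex_lock(&em_pd_list_mutex)` the call `em_notify_pd_created(dev->em_pd)` is skipped on failure as well. One sentence in the changelog would record that no creation notification is sent for a failed registration.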
> > ---
> > base-commit: f7d2388eeec24966fc4d5cf32d706f0514f29ac5
> > change-id: 20251028-fix-energy-6b63b72ae9c6
> >
> > Best regards,
>
>
> Thank you for the patch!
>
> Reviewed-by: Lukasz Luba <lukasz.luba@arm.com>

Applied, thanks!
Re: [PATCH RFC] PM: EM: Add to em_pd_list only when no failure
Posted by Changwoo Min 3 months, 1 week ago
Thanks, Peng, for catching this. This makes sense.
So, feel free to add:

Reviewed-by: Changwoo Min <changwoo@igalia.com>

On 10/28/25 23:23, Peng Fan wrote:
> When em_create_perf_table() returns failure, pd is freed, there dev->em_pd
> is not valid. Then accessing dev->em_pd->node will trigger kernel panic
> in em_dev_register_pd_no_update(). So return early if 'ret' is non-zero.
> 
> Kernel dump:
> cpu cpu0: EM: invalid power: 0
> Unable to handle kernel NULL pointer dereference at virtual address
> 0000000000000008
> Mem abort info:
> pc : em_dev_register_pd_no_update+0xb4/0x79c
> lr : em_dev_register_pd_no_update+0x9c/0x79c
> Call trace:
>   em_dev_register_pd_no_update+0xb4/0x79c (P)
>   em_dev_register_perf_domain+0x18/0x58
>   scmi_cpufreq_register_em+0x84/0xb8
>   cpufreq_online+0x48c/0xb74
>   cpufreq_add_dev+0x80/0x98
>   subsys_interface_register+0x100/0x11c
>   cpufreq_register_driver+0x158/0x278
>   scmi_cpufreq_probe+0x1f8/0x2e0
>   scmi_dev_probe+0x28/0x3c
>   really_probe+0xbc/0x29c
>   __driver_probe_device+0x78/0x12c
>   driver_probe_device+0x3c/0x15c
>   __device_attach_driver+0xb8/0x134
>   bus_for_each_drv+0x84/0xe4
> 
> Fixes: cbe5aeedecc7 ("PM: EM: Assign a unique ID when creating a performance domain")
> Signed-off-by: Peng Fan <peng.fan@nxp.com>
> ---
>   kernel/power/energy_model.c | 5 ++++-
>   1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/kernel/power/energy_model.c b/kernel/power/energy_model.c
> index e669d5057fca6da9612575a1c626474e60e7f7c4..11af9f64aa8276e47e0a5b2d615b227368af5480 100644
> --- a/kernel/power/energy_model.c
> +++ b/kernel/power/energy_model.c
> @@ -693,13 +693,16 @@ int em_dev_register_pd_no_update(struct device *dev, unsigned int nr_states,
>   
>   unlock:
>   	mutex_unlock(&em_pd_mutex);
> +	if (ret)
> +		return ret;
>   
>   	mutex_lock(&em_pd_list_mutex);
>   	list_add_tail(&dev->em_pd->node, &em_pd_list);
>   	mutex_unlock(&em_pd_list_mutex);
>   
>   	em_notify_pd_created(dev->em_pd);
> -	return ret;
> +
> +	return 0;
>   }
>   EXPORT_SYMBOL_GPL(em_dev_register_pd_no_update);
>   
> 
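Review bot: style point on the last changed lines: once `if (ret)` returns early, `ret` is known to be zero at the end of the function, so replacing `return ret;` with a blank line and `return 0;` is cosmetic. Since the patch carries a `Fixes:` tag, consider dropping that part so the fix stays at the two added lines, or keep `return 0;` and say in the changelog that it is intentional.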
> ---
> base-commit: f7d2388eeec24966fc4d5cf32d706f0514f29ac5
> change-id: 20251028-fix-energy-6b63b72ae9c6
> 
> Best regards,