[PATCH] cpufreq: intel_pstate: Fix NULL pointer dereference in update_cpu_qos_request()

David Arcari posted 1 patch 1 month, 3 weeks ago
drivers/cpufreq/intel_pstate.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
[PATCH] cpufreq: intel_pstate: Fix NULL pointer dereference in update_cpu_qos_request()
Posted by David Arcari 1 month, 3 weeks ago
The update_cpu_qos_request() function attempts to initialize the 'freq'
variable by dereferencing 'cpudata' before verifying if the 'policy'
is valid.

This issue occurs on systems booted with the "nosmt" parameter, where
all_cpu_data[cpu] is NULL for the SMT sibling threads. As a result,
any call to update_qos_requests() will result in a NULL pointer
dereference as the code will attempt to access pstate.turbo_freq using
the NULL cpudata pointer.

Fix this by deferring the 'freq' assignment until after the policy and
driver_data have been validated.

Fixes: ae1bdd23b99f ("cpufreq: intel_pstate: Adjust frequency percentage computations")
Reported-by: Jirka Hladky <jhladky@redhat.com>
Closes: https://lore.kernel.org/all/CAE4VaGDfiPvz3AzrwrwM4kWB3SCkMci25nPO8W1JmTBd=xHzZg@mail.gmail.com/
Signed-off-by: David Arcari <darcari@redhat.com>
---
 drivers/cpufreq/intel_pstate.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c
index a48af3540c74..bdc37080d319 100644
--- a/drivers/cpufreq/intel_pstate.c
+++ b/drivers/cpufreq/intel_pstate.c
@@ -1647,8 +1647,8 @@ static ssize_t store_no_turbo(struct kobject *a, struct kobj_attribute *b,
 static void update_cpu_qos_request(int cpu, enum freq_qos_req_type type)
 {
 	struct cpudata *cpudata = all_cpu_data[cpu];
-	unsigned int freq = cpudata->pstate.turbo_freq;
 	struct freq_qos_request *req;
+	unsigned int freq;
 
 	struct cpufreq_policy *policy __free(put_cpufreq_policy) = cpufreq_cpu_get(cpu);
 	if (!policy)
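Review bot: `cpudata` is still loaded from all_cpu_data[cpu] in the declarations and is never tested against NULL in the lines shown here; the only guard visible is `if (!policy)`. The fix therefore relies on cpufreq_cpu_get() returning NULL, or on the later driver_data check named in the commit message, for every CPU whose all_cpu_data[] slot is NULL. Consider an explicit `if (!cpudata) return;` right after the declarations, or at least a comment there noting that the slot can be NULL for SMT siblings under "nosmt", so that a later cleanup does not move a dereference back into the initializers.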
@@ -1661,6 +1661,8 @@ static void update_cpu_qos_request(int cpu, enum freq_qos_req_type type)
 	if (hwp_active)
 		intel_pstate_get_hwp_cap(cpudata);
 
+	freq = cpudata->pstate.turbo_freq;
+
 	if (type == FREQ_QOS_MIN) {
 		freq = DIV_ROUND_UP(freq * global.min_perf_pct, 100);
 	} else {
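Review bot: the new `freq = cpudata->pstate.turbo_freq;` sits after the `intel_pstate_get_hwp_cap(cpudata)` call, whereas the removed initializer read the field before it. If that call refreshes pstate.turbo_freq, the value fed into the DIV_ROUND_UP() computations changes whenever hwp_active is set, which goes beyond the NULL dereference fix. The commit message should say whether reading the field after the HWP capabilities update is intended; if it is not, place the assignment immediately above `if (hwp_active)` instead.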
-- 
2.52.0
Re: [PATCH] cpufreq: intel_pstate: Fix NULL pointer dereference in update_cpu_qos_request()
Posted by Rafael J. Wysocki 1 month, 3 weeks ago
On Tue, Feb 24, 2026 at 1:21 PM David Arcari <darcari@redhat.com> wrote:
>
> The update_cpu_qos_request() function attempts to initialize the 'freq'
> variable by dereferencing 'cpudata' before verifying if the 'policy'
> is valid.
>
> This issue occurs on systems booted with the "nosmt" parameter, where
> all_cpu_data[cpu] is NULL for the SMT sibling threads. As a result,
> any call to update_qos_requests() will result in a NULL pointer
> dereference as the code will attempt to access pstate.turbo_freq using
> the NULL cpudata pointer.
>
> Fix this by deferring the 'freq' assignment until after the policy and
> driver_data have been validated.
>
> Fixes: ae1bdd23b99f ("cpufreq: intel_pstate: Adjust frequency percentage computations")
> Reported-by: Jirka Hladky <jhladky@redhat.com>
> Closes: https://lore.kernel.org/all/CAE4VaGDfiPvz3AzrwrwM4kWB3SCkMci25nPO8W1JmTBd=xHzZg@mail.gmail.com/
> Signed-off-by: David Arcari <darcari@redhat.com>

Applied as 7.0-rc material, thanks!

> ---
>  drivers/cpufreq/intel_pstate.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c
> index a48af3540c74..bdc37080d319 100644
> --- a/drivers/cpufreq/intel_pstate.c
> +++ b/drivers/cpufreq/intel_pstate.c
> @@ -1647,8 +1647,8 @@ static ssize_t store_no_turbo(struct kobject *a, struct kobj_attribute *b,
>  static void update_cpu_qos_request(int cpu, enum freq_qos_req_type type)
>  {
>         struct cpudata *cpudata = all_cpu_data[cpu];
> -       unsigned int freq = cpudata->pstate.turbo_freq;
>         struct freq_qos_request *req;
> +       unsigned int freq;
>
>         struct cpufreq_policy *policy __free(put_cpufreq_policy) = cpufreq_cpu_get(cpu);
>         if (!policy)
> @@ -1661,6 +1661,8 @@ static void update_cpu_qos_request(int cpu, enum freq_qos_req_type type)
>         if (hwp_active)
>                 intel_pstate_get_hwp_cap(cpudata);
>
> +       freq = cpudata->pstate.turbo_freq;
> +
>         if (type == FREQ_QOS_MIN) {
>                 freq = DIV_ROUND_UP(freq * global.min_perf_pct, 100);
>         } else {
> --
> 2.52.0
>