From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>

The cpufreq_cpu_put() call in update_qos_request() takes place too early
because the latter subsequently calls freq_qos_update_request() that
indirectly accesses the policy object in question through the QoS request
object passed to it.

Fortunately, update_qos_request() is called under intel_pstate_driver_lock,
so this issue does not matter for changing the intel_pstate operation
mode, but it theoretically can cause a crash to occur on CPU device hot
removal (which currently can only happen in virt, but it is formally
supported nevertheless).

Address this issue by modifying update_qos_request() to drop the
reference to the policy later.

Fixes: da5c504c7aae ("cpufreq: intel_pstate: Implement QoS supported freq constraints")
Cc: 5.4+ <stable@vger.kernel.org> # 5.4+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
---
 drivers/cpufreq/intel_pstate.c |    8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

--- a/drivers/cpufreq/intel_pstate.c
+++ b/drivers/cpufreq/intel_pstate.c
@@ -1708,10 +1708,10 @@ static void update_qos_request(enum freq
 			continue;
 
 		req = policy->driver_data;
-		cpufreq_cpu_put(policy);
-
-		if (!req)
+		if (!req) {
+			cpufreq_cpu_put(policy);
 			continue;
+		}
 
 		if (hwp_active)
 			intel_pstate_get_hwp_cap(cpu);
@@ -1727,6 +1727,8 @@ static void update_qos_request(enum freq
 
 		if (freq_qos_update_request(req, freq) < 0)
 			pr_warn("Failed to update freq constraint: CPU%d\n", i);
+
+		cpufreq_cpu_put(policy);
 	}
 }

在 2025/9/5 21:52, Rafael J. Wysocki 写道:
> From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
>
> The cpufreq_cpu_put() call in update_qos_request() takes place too early
> because the latter subsequently calls freq_qos_update_request() that
> indirectly accesses the policy object in question through the QoS request
> object passed to it.
>
> Fortunately, update_qos_request() is called under intel_pstate_driver_lock,
> so this issue does not matter for changing the intel_pstate operation
> mode, but it theoretically can cause a crash to occur on CPU device hot
> removal (which currently can only happen in virt, but it is formally
> supported nevertheless).
>
> Address this issue by modifying update_qos_request() to drop the
> reference to the policy later.
>
> Fixes: da5c504c7aae ("cpufreq: intel_pstate: Implement QoS supported freq constraints")
> Cc: 5.4+ <stable@vger.kernel.org> # 5.4+
> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
> ---
>   drivers/cpufreq/intel_pstate.c |    8 +++++---
>   1 file changed, 5 insertions(+), 3 deletions(-)
>
> --- a/drivers/cpufreq/intel_pstate.c
> +++ b/drivers/cpufreq/intel_pstate.c
> @@ -1708,10 +1708,10 @@ static void update_qos_request(enum freq
>   			continue;
>   
>   		req = policy->driver_data;
> -		cpufreq_cpu_put(policy);
> -
> -		if (!req)
> +		if (!req) {
> +			cpufreq_cpu_put(policy);
>   			continue;
> +		}
>   
>   		if (hwp_active)
>   			intel_pstate_get_hwp_cap(cpu);
> @@ -1727,6 +1727,8 @@ static void update_qos_request(enum freq
>   
>   		if (freq_qos_update_request(req, freq) < 0)
>   			pr_warn("Failed to update freq constraint: CPU%d\n", i);
> +
> +		cpufreq_cpu_put(policy);
>   	}
>   }
>   
Reviewed-by: Zihuan Zhang <zhangzihuan@kylinos.cn>