[PATCH 5.10.y] cpufreq: scmi: Fix null-ptr-deref in scmi_cpufreq_get_rate()

Sergey Shtylyov posted 1 patch 2 weeks, 5 days ago
[PATCH 5.10.y] cpufreq: scmi: Fix null-ptr-deref in scmi_cpufreq_get_rate()
Posted by Sergey Shtylyov 2 weeks, 5 days ago
From: Henry Martin <bsdhenrymartin@gmail.com>

[ Upstream commit 484d3f15cc6cbaa52541d6259778e715b2c83c54 ]

cpufreq_cpu_get_raw() can return NULL when the target CPU is not present
in the policy->cpus mask. scmi_cpufreq_get_rate() does not check for
this case, which results in a NULL pointer dereference.

Add NULL check after cpufreq_cpu_get_raw() to prevent this issue.

[Sergey: resolved reject (reordering the local variables).]

Fixes: 99d6bdf33877 ("cpufreq: add support for CPU DVFS based on SCMI message protocol")
Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
Acked-by: Sudeep Holla <sudeep.holla@arm.com>
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>

---
 drivers/cpufreq/scmi-cpufreq.c |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

Index: linux-stable/drivers/cpufreq/scmi-cpufreq.c
===================================================================
--- linux-stable.orig/drivers/cpufreq/scmi-cpufreq.c
+++ linux-stable/drivers/cpufreq/scmi-cpufreq.c
@@ -29,12 +29,18 @@ static const struct scmi_handle *handle;
 
 static unsigned int scmi_cpufreq_get_rate(unsigned int cpu)
 {
-	struct cpufreq_policy *policy = cpufreq_cpu_get_raw(cpu);
 	const struct scmi_perf_ops *perf_ops = handle->perf_ops;
-	struct scmi_data *priv = policy->driver_data;
+	struct cpufreq_policy *policy;
+	struct scmi_data *priv;
 	unsigned long rate;
 	int ret;
 
+	policy = cpufreq_cpu_get_raw(cpu);
+	if (unlikely(!policy))
+		return 0;
+
+	priv = policy->driver_data;
+
 	ret = perf_ops->freq_get(handle, priv->domain_id, &rate, false);
 	if (ret)
 		return 0;
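
Review bot: the new `if (unlikely(!policy)) return 0;` path returns the same value as the existing `if (ret) return 0;` failure path, so a caller cannot tell "no policy for this CPU" from "freq_get failed"; if 0 is meant to stand for "rate unknown" in both cases, a one-line comment above the check would make that explicit. Separately, `priv = policy->driver_data` is still dereferenced as `priv->domain_id` with no check, so it is worth confirming that driver_data is always set for any policy this function can see, or guarding it the same way. The changelog would also benefit from naming the CVE this backport addresses.
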
Re: [PATCH 5.10.y] cpufreq: scmi: Fix null-ptr-deref in scmi_cpufreq_get_rate()
Posted by Sergey Shtylyov 2 weeks, 1 day ago
On 9/12/25 11:35 PM, Sergey Shtylyov wrote:

> From: Henry Martin <bsdhenrymartin@gmail.com>
> 
> [ Upstream commit 484d3f15cc6cbaa52541d6259778e715b2c83c54 ]
> 
> cpufreq_cpu_get_raw() can return NULL when the target CPU is not present
> in the policy->cpus mask. scmi_cpufreq_get_rate() does not check for
> this case, which results in a NULL pointer dereference.
> 
> Add NULL check after cpufreq_cpu_get_raw() to prevent this issue.
> 
> [Sergey: resolved reject (reordering the local variables).]
> 
> Fixes: 99d6bdf33877 ("cpufreq: add support for CPU DVFS based on SCMI message protocol")
> Signed-off-by: Henry Martin <bsdhenrymartin@gmail.com>
> Acked-by: Sudeep Holla <sudeep.holla@arm.com>
> Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
> Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>

   Probably should have noted that this patch fixes CVE-2025-37830:

https://marc.info/?l=linux-cve-announce&m=174668615621702

   (Sorry, lore doesn't work for me anymore...)

MBR, Sergey