git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Evan Li <evan.li@linux.alibaba.com>
	Fri, 12 Dec 2025 08:49:43 +0000 (16:49 +0800)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 18 Dec 2025 13:00:15 +0000 (14:00 +0100)
commit	740b4330b5452c7474e14ca4e3e6bee91df1ba98
tree	34149e25e3d2e9674a3b24f016f4a58668a363b2	tree \| snapshot
parent	115e0387d42f44b5f0b96e4f2ac2a214643eb98e	commit \| diff

perf/x86/intel: Fix NULL event dereference crash in handle_pmi_common()

[ Upstream commit 9415f749d34b926b9e4853da1462f4d941f89a0d ]

handle_pmi_common() may observe an active bit set in cpuc->active_mask
while the corresponding cpuc->events[] entry has already been cleared,
which leads to a NULL pointer dereference.

This can happen when interrupt throttling stops all events in a group
while PEBS processing is still in progress. perf_event_overflow() can
trigger perf_event_throttle_group(), which stops the group and clears
the cpuc->events[] entry, but the active bit may still be set when
handle_pmi_common() iterates over the events.

The following recent fix:

7e772a93eb61 ("perf/x86: Fix NULL event access and potential PEBS record loss")

moved the cpuc->events[] clearing from x86_pmu_stop() to x86_pmu_del() and
relied on cpuc->active_mask/pebs_enabled checks. However,
handle_pmi_common() can still encounter a NULL cpuc->events[] entry
despite the active bit being set.

Add an explicit NULL check on the event pointer before using it,
to cover this legitimate scenario and avoid the NULL dereference crash.

Fixes: 7e772a93eb61 ("perf/x86: Fix NULL event access and potential PEBS record loss")
Reported-by: kitta <kitta@linux.alibaba.com>
Co-developed-by: kitta <kitta@linux.alibaba.com>
Signed-off-by: Evan Li <evan.li@linux.alibaba.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Link: https://patch.msgid.link/20251212084943.2124787-1-evan.li@linux.alibaba.com
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220855
Signed-off-by: Sasha Levin <sashal@kernel.org>