[PATCH v2 1/4] perf/arm_pmuv3: Fix NULL pointer dereference in armv8pmu_sched_task()
Usama Arif
usama.arif at linux.dev
Wed Apr 8 05:23:05 PDT 2026
On Wed, 18 Mar 2026 10:16:55 -0700 Puranjay Mohan <puranjay at kernel.org> wrote:
> This is easily triggered with:
>
> perf record -b -e cycles -a -- ls
>
> which crashes on the first context switch with:
>
> Unable to handle kernel NULL pointer dereference at virtual address 00[.]
> PC is at armv8pmu_sched_task+0x14/0x50
> LR is at perf_pmu_sched_task+0xac/0x108
> Call trace:
> armv8pmu_sched_task+0x14/0x50 (P)
> perf_pmu_sched_task+0xac/0x108
> __perf_event_task_sched_out+0x6c/0xe0
> prepare_task_switch+0x120/0x268
> __schedule+0x1e8/0x828
> ...
>
> perf_pmu_sched_task() invokes the PMU sched callback with cpc->task_epc,
> which is NULL when no per-task events exist for this PMU. With CPU-wide
> branch-stack events, armv8pmu_sched_task() is still registered and
> dereferences pmu_ctx->pmu unconditionally, causing the crash.
>
> The bug was introduced by commit fa9d27773873 ("perf: arm_pmu: Kill last
> use of per-CPU cpu_armpmu pointer") which changed the function from
> using the per-CPU cpu_armpmu pointer (always valid) to dereferencing
> pmu_ctx->pmu without adding a NULL check.
>
> Add a NULL check for pmu_ctx to avoid the crash.
>
> Fixes: fa9d27773873 ("perf: arm_pmu: Kill last use of per-CPU cpu_armpmu pointer")
> Signed-off-by: Puranjay Mohan <puranjay at kernel.org>
> ---
> drivers/perf/arm_pmuv3.c | 11 +++++++++--
> 1 file changed, 9 insertions(+), 2 deletions(-)
>
Acked-by: Usama Arif <usama.arif at linux.dev>
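As an added illustration of the control flow the commit message describes, and not code from the patch or from the kernel: a constructed C model in which the caller hands the callback `cpc->task_epc` unconditionally, next to an unguarded callback (the shape that faults) and a guarded one (the shape of the fix). The struct and function names are simplified stand-ins for the kernel's `struct pmu`, `perf_event_pmu_context` and `perf_cpu_pmu_context`, not their real definitions.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed, simplified stand-ins for the kernel structures named in the
 * commit message. They are not the kernel definitions. */
struct pmu {
	int sched_task_calls;		/* times the sched_task callback ran */
};

struct perf_event_pmu_context {
	struct pmu *pmu;
};

struct perf_cpu_pmu_context {
	/* NULL when the PMU has no per-task events on this CPU, which is the
	 * situation in a CPU-wide "perf record -a" session. */
	struct perf_event_pmu_context *task_epc;
};

typedef void (*sched_task_fn)(struct perf_event_pmu_context *pmu_ctx, bool sched_in);

/* Shape of the callback as described above: it reaches through
 * pmu_ctx->pmu with no check, so a NULL pmu_ctx faults. */
static void sched_task_unguarded(struct perf_event_pmu_context *pmu_ctx, bool sched_in)
{
	struct pmu *pmu = pmu_ctx->pmu;	/* NULL dereference when pmu_ctx == NULL */

	(void)sched_in;
	pmu->sched_task_calls++;
}

/* Shape of the fix: return early when there is no task context for this PMU. */
static void sched_task_guarded(struct perf_event_pmu_context *pmu_ctx, bool sched_in)
{
	struct pmu *pmu;

	if (!pmu_ctx)
		return;
	pmu = pmu_ctx->pmu;
	(void)sched_in;
	pmu->sched_task_calls++;
}

/* Model of the caller: perf_pmu_sched_task() passes cpc->task_epc to the
 * callback whether or not it is NULL. Returns true when the callback was
 * invoked with a NULL context, i.e. the case the guard has to handle. */
static bool perf_pmu_sched_task_model(struct perf_cpu_pmu_context *cpc, bool sched_in,
				      sched_task_fn cb)
{
	bool null_ctx = (cpc->task_epc == NULL);

	cb(cpc->task_epc, sched_in);
	return null_ctx;
}

/* Scenario: CPU-wide session, no per-task events, so task_epc is NULL.
 * Returns 1 when the callback was handed a NULL context. Only safe to run
 * with the guarded callback. */
static int run_cpu_wide_switch(sched_task_fn cb)
{
	struct perf_cpu_pmu_context cpc = { .task_epc = NULL };

	return perf_pmu_sched_task_model(&cpc, false, cb) ? 1 : 0;
}

/* Scenario: per-task session, task_epc present. Returns how many times the
 * callback ran across one sched-out plus one sched-in. */
static int run_per_task_switch(sched_task_fn cb)
{
	struct pmu pmu = { .sched_task_calls = 0 };
	struct perf_event_pmu_context epc = { .pmu = &pmu };
	struct perf_cpu_pmu_context cpc = { .task_epc = &epc };

	perf_pmu_sched_task_model(&cpc, false, cb);	/* sched out */
	perf_pmu_sched_task_model(&cpc, true, cb);	/* sched in */
	return pmu.sched_task_calls;
}
```

The model keeps the caller's behaviour fixed and changes only the callback, which mirrors the fix: the guard belongs in the driver callback because the core will keep passing a NULL `task_epc` whenever the PMU has CPU-wide but no per-task events.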