Message-ID: <20260113111930821RrC26avITHWSFCN0bYbgI@zte.com.cn>
Date: Tue, 13 Jan 2026 11:19:30 +0800 (CST)
From: <wang.yaxin@....com.cn>
To: <anup@...infault.org>, <tglx@...utronix.de>, <pjw@...nel.org>,
        <palmer@...belt.com>, <aou@...s.berkeley.edu>
Cc: <zhang.run@....com.cn>, <hu.shengming@....com.cn>,
        <zhang.anmeng@....com.cn>, <luo.haiyang@....com.cn>, <alex@...ti.fr>,
        <linux-riscv@...ts.infradead.org>, <linux-kernel@...r.kernel.org>
Subject: [PATCH linux-next] irqchip/riscv-imsic: Revert "Remove redundant irq_data lookups"

From: Luo Haiyang <luo.haiyang@....com.cn>

Commit c475c0b71314 ("irqchip/riscv-imsic: Remove redundant irq_data
lookups") leads to a NULL pointer dereference in imsic_msi_update_msg().

When QEMU is launched with the following additional boot parameters:
"-device virtio-blk-pci,drive=disk1 \
 -drive file=disk.qcow2,if=none,id=disk1,format=qcow2 \"

The kernel panics with a NULL pointer dereference; the log is:
[    1.589509] virtio_blk virtio1: 8/0/0 default/read/poll queues
[    1.594943] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[    1.595547] Current kworker/u32:2 pgtable: 4K pagesize, 48-bit VAs, pgdp=0x0000000081c33000
[    1.595922] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000
[    1.597399] Oops [#1]
[    1.597560] Modules linked in:
[    1.598071] CPU: 5 UID: 0 PID: 75 Comm: kworker/u32:2 Not tainted 6.19.0-rc4-next-20260109 #1 NONE
[    1.598607] Hardware name: riscv-virtio,qemu (DT)
[    1.599193] Workqueue: events_unbound deferred_probe_work_func
[    1.600184] epc : 0x0
[    1.600529]  ra : imsic_irq_set_affinity+0x110/0x130
    ......

The irq_data pointer parameter of imsic_irq_set_affinity() is associated
with the imsic domain and differs from what irq_get_irq_data(d->irq) returns.

Signed-off-by: Luo Haiyang <luo.haiyang@....com.cn>
---
 drivers/irqchip/irq-riscv-imsic-platform.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/irqchip/irq-riscv-imsic-platform.c b/drivers/irqchip/irq-riscv-imsic-platform.c
index 7228a33f6c37..643c8e459611 100644
--- a/drivers/irqchip/irq-riscv-imsic-platform.c
+++ b/drivers/irqchip/irq-riscv-imsic-platform.c
@@ -158,11 +158,11 @@ static int imsic_irq_set_affinity(struct irq_data *d, const struct cpumask *mask
 		tmp_vec.local_id = new_vec->local_id;

 		/* Point device to the temporary vector */
-		imsic_msi_update_msg(d, &tmp_vec);
+		imsic_msi_update_msg(irq_get_irq_data(d->irq), &tmp_vec);
 	}

 	/* Point device to the new vector */
-	imsic_msi_update_msg(d, new_vec);
+	imsic_msi_update_msg(irq_get_irq_data(d->irq), new_vec);

 	/* Update irq descriptors with the new vector */
 	d->chip_data = new_vec;
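
Review bot: Neither imsic_msi_update_msg() call site says why irq_get_irq_data(d->irq) is passed instead of d, so a later cleanup is likely to fold it back into d and reintroduce the crash shown in the log. Look the pointer up once in imsic_irq_set_affinity() into a local, with a one-line comment carrying the commit message's explanation (d belongs to the imsic domain and is not the irq_data that irq_get_irq_data(d->irq) returns), and use that local at both calls. The looked-up pointer is also handed to imsic_msi_update_msg() unchecked at both sites; either test it for NULL or state in the comment why it cannot be NULL on this path.
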
-- 
2.25.1
