From: Luo Haiyang <luo.haiyang@zte.com.cn>
Commit c475c0b71314 ("irqchip/riscv-imsic: Remove redundant irq_data
lookups") leads to a NULL pointer dereference in imsic_msi_update_msg().
When QEMU is launched with the following additional boot parameters:
"-device virtio-blk-pci,drive=disk1 \
-drive file=disk.qcow2,if=none,id=disk1,format=qcow2 \"
The kernel panics with a NULL pointer dereference; the log is:
[ 1.589509] virtio_blk virtio1: 8/0/0 default/read/poll queues
[ 1.594943] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[ 1.595547] Current kworker/u32:2 pgtable: 4K pagesize, 48-bit VAs, pgdp=0x0000000081c33000
[ 1.595922] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000
[ 1.597399] Oops [#1]
[ 1.597560] Modules linked in:
[ 1.598071] CPU: 5 UID: 0 PID: 75 Comm: kworker/u32:2 Not tainted 6.19.0-rc4-next-20260109 #1 NONE
[ 1.598607] Hardware name: riscv-virtio,qemu (DT)
[ 1.599193] Workqueue: events_unbound deferred_probe_work_func
[ 1.600184] epc : 0x0
[ 1.600529] ra : imsic_irq_set_affinity+0x110/0x130
......
The irq_data pointer parameter of imsic_irq_set_affinity() is associated
with the imsic domain and differs from what irq_get_irq_data(d->irq) returns.
Signed-off-by: Luo Haiyang <luo.haiyang@zte.com.cn>
---
drivers/irqchip/irq-riscv-imsic-platform.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/irqchip/irq-riscv-imsic-platform.c b/drivers/irqchip/irq-riscv-imsic-platform.c
index 7228a33f6c37..643c8e459611 100644
--- a/drivers/irqchip/irq-riscv-imsic-platform.c
+++ b/drivers/irqchip/irq-riscv-imsic-platform.c
@@ -158,11 +158,11 @@ static int imsic_irq_set_affinity(struct irq_data *d, const struct cpumask *mask
tmp_vec.local_id = new_vec->local_id;
/* Point device to the temporary vector */
- imsic_msi_update_msg(d, &tmp_vec);
+ imsic_msi_update_msg(irq_get_irq_data(d->irq), &tmp_vec);
}
/* Point device to the new vector */
- imsic_msi_update_msg(d, new_vec);
+ imsic_msi_update_msg(irq_get_irq_data(d->irq), new_vec);
/* Update irq descriptors with the new vector */
d->chip_data = new_vec;
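Review bot: both call sites in this hunk repeat the same irq_get_irq_data(d->irq) lookup, and nothing at either site records why `d` itself must not be passed; hoist the lookup once above the `if` block, e.g. `struct irq_data *msi_d = irq_get_irq_data(d->irq);`, and add a comment stating that `d` belongs to the IMSIC domain, whose chip has no irq_write_msi_msg() callback, so the top-level MSI domain's irq_data is required. Without such a comment the exact "redundant lookup" cleanup this patch undoes is likely to be reapplied.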
--
2.25.1
The following commit has been merged into the irq/urgent branch of tip:
Commit-ID: f2edf797dab185cce439e5bc5185fe20dd536300
Gitweb: https://git.kernel.org/tip/f2edf797dab185cce439e5bc5185fe20dd536300
Author: Luo Haiyang <luo.haiyang@zte.com.cn>
AuthorDate: Tue, 13 Jan 2026 11:19:30 +08:00
Committer: Thomas Gleixner <tglx@kernel.org>
CommitterDate: Tue, 13 Jan 2026 09:51:46 +01:00
irqchip/riscv-imsic: Revert "Remove redundant irq_data lookups"
Commit c475c0b71314 ("irqchip/riscv-imsic: Remove redundant irq_data
lookups") leads to a NULL pointer dereference in imsic_msi_update_msg():
virtio_blk virtio1: 8/0/0 default/read/poll queues
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
Current kworker/u32:2 pgtable: 4K pagesize, 48-bit VAs, pgdp=0x0000000081c33000
[0000000000000000] pgd=0000000000000000, p4d=0000000000000000
CPU: 5 UID: 0 PID: 75 Comm: kworker/u32:2 Not tainted 6.19.0-rc4-next-20260109 #1 NONE
epc : 0x0
ra : imsic_irq_set_affinity+0x110/0x130
The irq_data argument of imsic_irq_set_affinity() is associated with the
imsic domain and not with the top-level MSI domain. As a consequence the
code dereferences the wrong interrupt chip, which has the
irq_write_msi_msg() callback not populated.
Signed-off-by: Luo Haiyang <luo.haiyang@zte.com.cn>
Signed-off-by: Thomas Gleixner <tglx@kernel.org>
Link: https://patch.msgid.link/20260113111930821RrC26avITHWSFCN0bYbgI@zte.com.cn
---
drivers/irqchip/irq-riscv-imsic-platform.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/irqchip/irq-riscv-imsic-platform.c b/drivers/irqchip/irq-riscv-imsic-platform.c
index 7228a33..643c8e4 100644
--- a/drivers/irqchip/irq-riscv-imsic-platform.c
+++ b/drivers/irqchip/irq-riscv-imsic-platform.c
@@ -158,11 +158,11 @@ static int imsic_irq_set_affinity(struct irq_data *d, const struct cpumask *mask
tmp_vec.local_id = new_vec->local_id;
/* Point device to the temporary vector */
- imsic_msi_update_msg(d, &tmp_vec);
+ imsic_msi_update_msg(irq_get_irq_data(d->irq), &tmp_vec);
}
/* Point device to the new vector */
- imsic_msi_update_msg(d, new_vec);
+ imsic_msi_update_msg(irq_get_irq_data(d->irq), new_vec);
/* Update irq descriptors with the new vector */
d->chip_data = new_vec;
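Review bot: the commit message above this hunk is titled as a revert but carries neither a `This reverts commit c475c0b71314.` line nor a `Fixes: c475c0b71314 ("irqchip/riscv-imsic: Remove redundant irq_data lookups")` tag; since the restored lookups fix a jump to a NULL callback (epc : 0x0) triggered by an ordinary affinity change, the Fixes: tag is what lets stable trees that picked up c475c0b71314 also receive this correction.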