Message-ID: <20260113111930821RrC26avITHWSFCN0bYbgI@zte.com.cn>
Date: Tue, 13 Jan 2026 11:19:30 +0800 (CST)
X-Mailing-List: linux-kernel@vger.kernel.org
Subject: [PATCH linux-next] irqchip/riscv-imsic: Revert "Remove redundant irq_data lookups"
X-ENVELOPE-SENDER: wang.yaxin@zte.com.cn
From: Luo Haiyang

Commit c475c0b71314 ("irqchip/riscv-imsic: Remove redundant irq_data lookups")
leads to a NULL pointer dereference in imsic_msi_update_msg().

When QEMU is launched with the following additional boot parameters:

"-device virtio-blk-pci,drive=disk1 \
-drive file=disk.qcow2,if=none,id=disk1,format=qcow2 \"

Kernel panic with NULL pointer dereference, the log is:

[ 1.589509] virtio_blk virtio1: 8/0/0 default/read/poll queues
[ 1.594943] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
[ 1.595547] Current kworker/u32:2 pgtable: 4K pagesize, 48-bit VAs, pgdp=0x0000000081c33000
[ 1.595922] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000
[ 1.597399] Oops [#1]
[ 1.597560] Modules linked in:
[ 1.598071] CPU: 5 UID: 0 PID: 75 Comm: kworker/u32:2 Not tainted 6.19.0-rc4-next-20260109 #1 NONE
[ 1.598607] Hardware name: riscv-virtio,qemu (DT)
[ 1.599193] Workqueue: events_unbound deferred_probe_work_func
[ 1.600184] epc : 0x0
[ 1.600529] ra : imsic_irq_set_affinity+0x110/0x130
......

The irq_data pointer parameter of imsic_irq_set_affinity() is associated
with the imsic domain and differs from what irq_get_irq_data(d->irq) returns.

Signed-off-by: Luo Haiyang
---
 drivers/irqchip/irq-riscv-imsic-platform.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/irqchip/irq-riscv-imsic-platform.c b/drivers/irqchip/i= rq-riscv-imsic-platform.c index 7228a33f6c37..643c8e459611 100644 --- a/drivers/irqchip/irq-riscv-imsic-platform.c +++ b/drivers/irqchip/irq-riscv-imsic-platform.c 
@@ -158,11 +158,11 @@ static int imsic_irq_set_affinity(struct irq_data *d,= const struct cpumask *mask tmp_vec.local_id =3D new_vec->local_id; /* Point device to the temporary vector */ - imsic_msi_update_msg(d, &tmp_vec); + imsic_msi_update_msg(irq_get_irq_data(d->irq), &tmp_vec); } /* Point device to the new vector */ - imsic_msi_update_msg(d, new_vec); + imsic_msi_update_msg(irq_get_irq_data(d->irq), new_vec); /* Update irq descriptors with the new vector */ d->chip_data =3D new_vec; --=20 2.25.1
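Review bot: both restored imsic_msi_update_msg() calls in imsic_irq_set_affinity() pass irq_get_irq_data(d->irq) with no comment explaining why d itself must not be used, which is how the lookup came to be removed as "redundant" in c475c0b71314. Consider doing the lookup once into a local at the top of this block, with a short comment stating what the commit message already says: d belongs to the imsic domain and is not the irq_data that irq_get_irq_data(d->irq) returns. Both call sites then take that local, and the later d->chip_data = new_vec assignment stays visibly tied to the imsic-domain d. The changelog names the offending commit but carries no Fixes: tag for it; adding one would make the dependency trackable.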