[PATCH v2] RISC-V: KVM: Fix NULL pointer dereference in SBI v0.1 SEND_IPI handler

Jiakai Xu posted 1 patch 1 week ago
arch/riscv/kvm/vcpu_sbi_v01.c | 2 ++
1 file changed, 2 insertions(+)
Posted by Jiakai Xu 1 week ago
The SBI v0.1 SEND_IPI handler iterates over the hart mask and calls
kvm_get_vcpu_by_id() to find the target vcpu for each set bit. When a
guest provides a hart mask containing bits for non-existent vcpu_ids,
kvm_get_vcpu_by_id() returns NULL, which is then unconditionally
dereferenced by kvm_riscv_vcpu_set_interrupt(), causing a kernel crash.

Fix this by adding a NULL check before dereferencing the return value.
If the target vcpu is not found, skip it and continue processing the
remaining valid harts.

Fixes: a046c2d8578c ("RISC-V: KVM: Reorganize SBI code by moving SBI v0.1 to its own file")
Signed-off-by: Jiakai Xu <jiakaiPeanut@gmail.com>
Signed-off-by: Jiakai Xu <xujiakai2025@iscas.ac.cn>
Assisted-by: OpenClaw:DeepSeek-V3.2
---
V1 -> V2:
- Changed break to continue when vcpu is not found, as suggested by
  Anup Patel. Non-existent VCPUs in the hart mask should be ignored
  rather than aborting the entire SEND_IPI operation.
---
 arch/riscv/kvm/vcpu_sbi_v01.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/arch/riscv/kvm/vcpu_sbi_v01.c b/arch/riscv/kvm/vcpu_sbi_v01.c
index 188d5ea5b3b85..c9c323d4577a9 100644
--- a/arch/riscv/kvm/vcpu_sbi_v01.c
+++ b/arch/riscv/kvm/vcpu_sbi_v01.c
@@ -55,6 +55,8 @@ static int kvm_sbi_ext_v01_handler(struct kvm_vcpu *vcpu, struct kvm_run *run,
 
 		for_each_set_bit(i, &hmask, BITS_PER_LONG) {
 			rvcpu = kvm_get_vcpu_by_id(vcpu->kvm, i);
+			if (!rvcpu)
+				continue;
 			ret = kvm_riscv_vcpu_set_interrupt(rvcpu, IRQ_VS_SOFT);
 			if (ret < 0)
 				break;
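Review bot: the new `if (!rvcpu) continue;` silently skips every hart-mask bit that maps to no vcpu, and nothing in the visible loop records that a bit was dropped, so the guest takes the same success path whether or not every target hart existed. Since the changelog states this is intentional (Anup Patel asked for `continue` instead of `break`), a one-line comment above the check saying that hart IDs without a vcpu are deliberately ignored would keep a later reader from reading it as a lost error. The comment should also say why a missing vcpu is not an error while the `if (ret < 0) break;` two lines below still aborts the loop when kvm_riscv_vcpu_set_interrupt() fails, since the two cases are handled differently and the reason is not visible in the code.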
-- 
2.34.1
Re: [PATCH v2] RISC-V: KVM: Fix NULL pointer dereference in SBI v0.1 SEND_IPI handler
Posted by Anup Patel 1 week ago
On Sun, May 17, 2026 at 6:14 PM Jiakai Xu <xujiakai2025@iscas.ac.cn> wrote:
>
> The SBI v0.1 SEND_IPI handler iterates over the hart mask and calls
> kvm_get_vcpu_by_id() to find the target vcpu for each set bit. When a
> guest provides a hart mask containing bits for non-existent vcpu_ids,
> kvm_get_vcpu_by_id() returns NULL, which is then unconditionally
> dereferenced by kvm_riscv_vcpu_set_interrupt(), causing a kernel crash.
>
> Fix this by adding a NULL check before dereferencing the return value.
> If the target vcpu is not found, skip it and continue processing the
> remaining valid harts.
>
> Fixes: a046c2d8578c ("RISC-V: KVM: Reorganize SBI code by moving SBI v0.1 to its own file")
> Signed-off-by: Jiakai Xu <jiakaiPeanut@gmail.com>
> Signed-off-by: Jiakai Xu <xujiakai2025@iscas.ac.cn>
> Assisted-by: OpenClaw:DeepSeek-V3.2

LGTM.

Reviewed-by: Anup Patel <anup@brainfault.org>

Queued this as fix for Linux-7.1-rcX

Thanks,
Anup

> ---
> V1 -> V2:
> - Changed break to continue when vcpu is not found, as suggested by
>   Anup Patel. Non-existent VCPUs in the hart mask should be ignored
>   rather than aborting the entire SEND_IPI operation.
> ---
>  arch/riscv/kvm/vcpu_sbi_v01.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/arch/riscv/kvm/vcpu_sbi_v01.c b/arch/riscv/kvm/vcpu_sbi_v01.c
> index 188d5ea5b3b85..c9c323d4577a9 100644
> --- a/arch/riscv/kvm/vcpu_sbi_v01.c
> +++ b/arch/riscv/kvm/vcpu_sbi_v01.c
> @@ -55,6 +55,8 @@ static int kvm_sbi_ext_v01_handler(struct kvm_vcpu *vcpu, struct kvm_run *run,
>
>                 for_each_set_bit(i, &hmask, BITS_PER_LONG) {
>                         rvcpu = kvm_get_vcpu_by_id(vcpu->kvm, i);
> +                       if (!rvcpu)
> +                               continue;
>                         ret = kvm_riscv_vcpu_set_interrupt(rvcpu, IRQ_VS_SOFT);
>                         if (ret < 0)
>                                 break;
> --
> 2.34.1
>