Commit fdb69d40 authored May 17, 2026 by Jiakai Xu Committed by Anup Patel May 18, 2026

RISC-V: KVM: Fix NULL pointer dereference in SBI v0.1 SEND_IPI handler



The SBI v0.1 SEND_IPI handler iterates over the hart mask and calls
kvm_get_vcpu_by_id() to find the target vcpu for each set bit. When a
guest provides a hart mask containing bits for non-existent vcpu_ids,
kvm_get_vcpu_by_id() returns NULL, which is then unconditionally
dereferenced by kvm_riscv_vcpu_set_interrupt(), causing a kernel crash.

Fix this by adding a NULL check before dereferencing the return value.
If the target vcpu is not found, skip it and continue processing the
remaining valid harts.

Fixes: a046c2d8 ("RISC-V: KVM: Reorganize SBI code by moving SBI v0.1 to its own file")
Signed-off-by: Jiakai Xu <jiakaiPeanut@gmail.com>
Signed-off-by: Jiakai Xu <xujiakai2025@iscas.ac.cn>
Assisted-by: OpenClaw:DeepSeek-V3.2
Reviewed-by: Anup Patel <anup@brainfault.org>
Link: https://lore.kernel.org/r/20260517124414.420919-1-xujiakai2025@iscas.ac.cn


Signed-off-by: Anup Patel <anup@brainfault.org>

parent 0e9d0e7a

arch/riscv/kvm/vcpu_sbi_v01.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -55,6 +55,8 @@ static int kvm_sbi_ext_v01_handler(struct kvm_vcpu vcpu, struct kvm_run run,

		for_each_set_bit(i, &hmask, BITS_PER_LONG) {
		rvcpu = kvm_get_vcpu_by_id(vcpu->kvm, i);
		if (!rvcpu)
		continue;
		ret = kvm_riscv_vcpu_set_interrupt(rvcpu, IRQ_VS_SOFT);
		if (ret < 0)
		break;