From: Jiakai Xu Date: Tue, 27 Jan 2026 08:43:13 +0000 (+0000) Subject: RISC-V: KVM: Skip IMSIC update if vCPU IMSIC state is not initialized X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=003b9dae53ae795930c54945e0b0a41bbd527b44;p=thirdparty%2Fkernel%2Fstable.git RISC-V: KVM: Skip IMSIC update if vCPU IMSIC state is not initialized kvm_riscv_vcpu_aia_imsic_update() assumes that the vCPU IMSIC state has already been initialized and unconditionally accesses imsic->vsfile_lock. However, in fuzzed ioctl sequences, the AIA device may be initialized at the VM level while the per-vCPU IMSIC state is still NULL. This leads to invalid access when entering the vCPU run loop before IMSIC initialization has completed. The crash manifests as: Unable to handle kernel paging request at virtual address dfffffff00000006 ... kvm_riscv_vcpu_aia_imsic_update arch/riscv/kvm/aia_imsic.c:801 kvm_riscv_vcpu_aia_update arch/riscv/kvm/aia_device.c:493 kvm_arch_vcpu_ioctl_run arch/riscv/kvm/vcpu.c:927 ... Add a guard to skip the IMSIC update path when imsic_state is NULL. This allows the vCPU run loop to continue safely. This issue was discovered during fuzzing of RISC-V KVM code. Fixes: db8b7e97d6137a ("RISC-V: KVM: Add in-kernel virtualization of AIA IMSIC") Signed-off-by: Jiakai Xu Signed-off-by: Jiakai Xu Reviewed-by: Anup Patel Link: https://lore.kernel.org/r/20260127084313.3496485-1-xujiakai2025@iscas.ac.cn Signed-off-by: Anup Patel --- diff --git a/arch/riscv/kvm/aia_imsic.c b/arch/riscv/kvm/aia_imsic.c index 7edfd129242f..60da5fa155a6 100644 --- a/arch/riscv/kvm/aia_imsic.c +++ b/arch/riscv/kvm/aia_imsic.c @@ -797,6 +797,10 @@ int kvm_riscv_vcpu_aia_imsic_update(struct kvm_vcpu *vcpu) if (kvm->arch.aia.mode == KVM_DEV_RISCV_AIA_MODE_EMUL) return 1; + /* IMSIC vCPU state may not be initialized yet */ + if (!imsic) + return 1; + /* Read old IMSIC VS-file details */ read_lock_irqsave(&imsic->vsfile_lock, flags); old_vsfile_hgei = imsic->vsfile_hgei;