Commit 003b9dae authored Jan 27, 2026 by Jiakai Xu Committed by Anup Patel Feb 06, 2026

RISC-V: KVM: Skip IMSIC update if vCPU IMSIC state is not initialized



kvm_riscv_vcpu_aia_imsic_update() assumes that the vCPU IMSIC state has
already been initialized and unconditionally accesses imsic->vsfile_lock.
However, in fuzzed ioctl sequences, the AIA device may be initialized at
the VM level while the per-vCPU IMSIC state is still NULL.

This leads to invalid access when entering the vCPU run loop before
IMSIC initialization has completed.

The crash manifests as:
  Unable to handle kernel paging request at virtual address
  dfffffff00000006
  ...
  kvm_riscv_vcpu_aia_imsic_update arch/riscv/kvm/aia_imsic.c:801
  kvm_riscv_vcpu_aia_update arch/riscv/kvm/aia_device.c:493
  kvm_arch_vcpu_ioctl_run arch/riscv/kvm/vcpu.c:927
  ...

Add a guard to skip the IMSIC update path when imsic_state is NULL. This
allows the vCPU run loop to continue safely.

This issue was discovered during fuzzing of RISC-V KVM code.

Fixes: db8b7e97 ("RISC-V: KVM: Add in-kernel virtualization of AIA IMSIC")
Signed-off-by: Jiakai Xu <xujiakai2025@iscas.ac.cn>
Signed-off-by: Jiakai Xu <jiakaiPeanut@gmail.com>
Reviewed-by: Anup Patel <anup@brainfault.org>
Link: https://lore.kernel.org/r/20260127084313.3496485-1-xujiakai2025@iscas.ac.cn


Signed-off-by: Anup Patel <anup@brainfault.org>

parent aeb1d17d

arch/riscv/kvm/aia_imsic.c

+4 −0

Original line number	Diff line number	Diff line
		@@ -797,6 +797,10 @@ int kvm_riscv_vcpu_aia_imsic_update(struct kvm_vcpu *vcpu)
		if (kvm->arch.aia.mode == KVM_DEV_RISCV_AIA_MODE_EMUL)
		return 1;

		/* IMSIC vCPU state may not be initialized yet */
		if (!imsic)
		return 1;

		/* Read old IMSIC VS-file details */
		read_lock_irqsave(&imsic->vsfile_lock, flags);
		old_vsfile_hgei = imsic->vsfile_hgei;