From: Jiakai Xu
To: linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org, kvm-riscv@lists.infradead.org, kvm@vger.kernel.org
Cc: Alexandre Ghiti, Albert Ou, Palmer Dabbelt, Paul Walmsley, Atish Patra, Anup Patel, Jiakai Xu, Jiakai Xu
Subject: [PATCH v3] RISC-V: KVM: Fix null pointer dereference in kvm_riscv_aia_imsic_has_attr()
Date: Sun, 25 Jan 2026 11:57:58 +0000
Message-Id: <20260125115758.2486687-1-xujiakai2025@iscas.ac.cn>

Add a null pointer check for imsic_state before dereferencing it in
kvm_riscv_aia_imsic_has_attr(). While the function checks that the vcpu
exists, it doesn't verify that the vcpu's imsic_state has been
initialized, leading to a null pointer dereference when accessed.

This issue was discovered during fuzzing of RISC-V KVM code. The crash
occurs when userspace calls the KVM_HAS_DEVICE_ATTR ioctl on an AIA IMSIC
device before the IMSIC state has been fully initialized for a vcpu.

The crash manifests as:

Unable to handle kernel paging request at virtual address dfffffff00000001
...
epc : kvm_riscv_aia_imsic_has_attr+0x464/0x50e arch/riscv/kvm/aia_imsic.c:998
...
kvm_riscv_aia_imsic_has_attr+0x464/0x50e arch/riscv/kvm/aia_imsic.c:998
aia_has_attr+0x128/0x2bc arch/riscv/kvm/aia_device.c:471
kvm_device_ioctl_attr virt/kvm/kvm_main.c:4722 [inline]
kvm_device_ioctl+0x296/0x374 virt/kvm/kvm_main.c:4739
...

The fix adds a check to return -ENODEV if imsic_state is NULL, which is
consistent with other error handling in the function and prevents the
null pointer dereference.

Fixes: 5463091a51cf ("RISC-V: KVM: Expose IMSIC registers as attributes of AIA irqchip")
Signed-off-by: Jiakai Xu
Signed-off-by: Jiakai Xu
---
V2 -> V3:
Moved isel assignment after imsic_state NULL check.
Placed patch version history after '---' separator.
Added parentheses to function name in subject.

V1 -> V2:
Added Fixes tag and dropped external link as suggested.

 arch/riscv/kvm/aia_imsic.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/arch/riscv/kvm/aia_imsic.c b/arch/riscv/kvm/aia_imsic.c index e597e86491c3b..cd070d83663a9 100644 --- a/arch/riscv/kvm/aia_imsic.c +++ b/arch/riscv/kvm/aia_imsic.c @@ -993,8 +993,11 @@ int kvm_riscv_aia_imsic_has_attr(struct kvm *kvm, unsi= gned long type) if (!vcpu) return -ENODEV; =20 - isel =3D KVM_DEV_RISCV_AIA_IMSIC_GET_ISEL(type); imsic =3D vcpu->arch.aia_context.imsic_state; + if (!imsic) + return -ENODEV; + + isel =3D KVM_DEV_RISCV_AIA_IMSIC_GET_ISEL(type); return imsic_mrif_isel_check(imsic->nr_eix, isel); } =20 --=20 2.34.1
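Review bot: the new guard covers only kvm_riscv_aia_imsic_has_attr(), yet the commit message attributes the crash to imsic_state not having been initialized for the vcpu at all, so the same NULL imsic_state can presumably be reached through the get_attr/set_attr counterparts dispatched from the same aia_device.c path; please either confirm in the commit message that those paths already check vcpu->arch.aia_context.imsic_state before dereferencing it, or extend the series with an equivalent guard. The hunk itself looks right: moving `isel = KVM_DEV_RISCV_AIA_IMSIC_GET_ISEL(type);` below the check (per the v3 changelog) avoids a computation whose result is discarded on the error path, and returning -ENODEV matches the `if (!vcpu) return -ENODEV;` two lines above, so userspace cannot distinguish "no such vcpu" from "IMSIC not yet set up", which is acceptable for a has_attr probe but worth a one-line note in the message.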