From: Jiakai Xu
To: linux-kernel@vger.kernel.org, linux-riscv@lists.infradead.org, kvm-riscv@lists.infradead.org, kvm@vger.kernel.org
Cc: Anup Patel, Atish Patra, Paul Walmsley, Palmer Dabbelt, Albert Ou, Alexandre Ghiti, Jiakai Xu, Jiakai Xu
Subject: [PATCH] RISC-V: KVM: Fix null pointer dereference in kvm_riscv_aia_imsic_rw_attr()
Date: Tue, 27 Jan 2026 07:22:19 +0000
Message-Id: <20260127072219.3366607-1-xujiakai2025@iscas.ac.cn>

Add a null pointer check for imsic_state before dereferencing it in
kvm_riscv_aia_imsic_rw_attr(). While the function checks that the vcpu
exists, it doesn't verify that the vcpu's imsic_state has been
initialized, leading to a null pointer dereference when accessed.

The crash manifests as:

Unable to handle kernel paging request at virtual address dfffffff00000006
...
kvm_riscv_aia_imsic_rw_attr+0x2d8/0x854 arch/riscv/kvm/aia_imsic.c:958
aia_set_attr+0x2ee/0x1726 arch/riscv/kvm/aia_device.c:354
kvm_device_ioctl_attr virt/kvm/kvm_main.c:4744 [inline]
kvm_device_ioctl+0x296/0x374 virt/kvm/kvm_main.c:4761
vfs_ioctl fs/ioctl.c:51 [inline]
...

The fix adds a check to return -ENODEV if imsic_state is NULL and moves
isel assignment after imsic_state NULL check.

Fixes: 5463091a51cfaa ("RISC-V: KVM: Expose IMSIC registers as attributes of AIA irqchip")
Signed-off-by: Jiakai Xu
Signed-off-by: Jiakai Xu
Reviewed-by: Anup Patel
---
 arch/riscv/kvm/aia_imsic.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/arch/riscv/kvm/aia_imsic.c b/arch/riscv/kvm/aia_imsic.c index e597e86491c3b..bd7081e70036d 100644 --- a/arch/riscv/kvm/aia_imsic.c +++ b/arch/riscv/kvm/aia_imsic.c @@ -952,8 +952,10 @@ int kvm_riscv_aia_imsic_rw_attr(struct kvm *kvm, unsig= ned long type, if (!vcpu) return -ENODEV; =20 - isel =3D KVM_DEV_RISCV_AIA_IMSIC_GET_ISEL(type); imsic =3D vcpu->arch.aia_context.imsic_state; + if (!imsic) + return -ENODEV; + isel =3D KVM_DEV_RISCV_AIA_IMSIC_GET_ISEL(type); =20 read_lock_irqsave(&imsic->vsfile_lock, flags); =20 --=20 2.34.1
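Review bot: the new `if (!imsic) return -ENODEV;` sits before the first dereference in the visible context (`read_lock_irqsave(&imsic->vsfile_lock, flags)`), and -ENODEV matches what the function already returns for a missing vcpu, so the guard itself is correct and consistent. Moving `isel = KVM_DEV_RISCV_AIA_IMSIC_GET_ISEL(type)` below the check is not needed for correctness, because that macro only decodes `type` and never touches `imsic`; it is fine as a tidy-up, but the commit message should state that the reordering is cosmetic rather than part of the fix. One thing worth confirming in review is whether the other attribute handlers reached through the same `aia_set_attr` / `kvm_device_ioctl` path in the trace read `imsic_state` before vCPU IMSIC initialisation and need the same guard.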