| author | Jiakai Xu <xujiakai2025@iscas.ac.cn> | 2026-05-26 06:15:17 +0300 |
|---|---|---|
| committer | Anup Patel <anup@brainfault.org> | 2026-06-04 08:48:12 +0300 |
| commit | 76ae7c7ee004b3d9d869f4d59b175ab4750db985 (patch) | |
| tree | f1e1188efe5e38f7b156516db7442a52e6acfbcb /scripts/Makefile.thinlto | |
| parent | ce31a1ee2a1ed61f6d42308633f9bed717f5348b (diff) | |
| download | linux-76ae7c7ee004b3d9d869f4d59b175ab4750db985.tar.xz | |
RISC-V: KVM: Fix NULL pointer dereference in AIA IMSIC functions
Fuzzer reported a NULL pointer dereference in
kvm_riscv_vcpu_aia_imsic_put() when a VCPU's imsic_state was NULL while
kvm_riscv_aia_initialized() returned true.
The global initialized flag is set per-VM in aia_init(), but imsic_state
is allocated per-VCPU in kvm_riscv_vcpu_aia_imsic_init(). If a VCPU is
created after aia_init() has already run, its imsic_state remains NULL
while the global flag is true. When this VCPU is preempted, kvm_sched_out()
calls kvm_arch_vcpu_put() -> kvm_riscv_vcpu_aia_put() ->
kvm_riscv_vcpu_aia_imsic_put() which dereferences NULL.
Add NULL pointer guards to kvm_riscv_vcpu_aia_imsic_put(), consistent with
the NULL checks already present in all other functions in the same file.
Also add a NULL guard to kvm_riscv_vcpu_aia_imsic_release() and
kvm_riscv_vcpu_aia_imsic_has_interrupt() for the same reason.
Fixes: 4cec89db80ba ("RISC-V: KVM: Move HGEI[E|P] CSR access to IMSIC virtualization")
Signed-off-by: Jiakai Xu <jiakaiPeanut@gmail.com>
Signed-off-by: Jiakai Xu <xujiakai2025@iscas.ac.cn>
Assisted-by: YuanSheng:DeepSeek-V3.2
Reviewed-by: Anup Patel <anup@brainfault.org>
Link: https://lore.kernel.org/r/20260526031517.1166025-1-xujiakai2025@iscas.ac.cn
Signed-off-by: Anup Patel <anup@brainfault.org>
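The ordering hazard the commit describes (a per-VM "initialized" flag set once, per-VCPU state allocated later, a VCPU created in between), modelled as an added example in plain C; this is constructed illustration code, not the kernel's, and the struct and function names are simplified stand-ins for the kvm_riscv_* symbols named above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Constructed model of the lifecycle in the commit message; not kernel code. */
struct imsic { int hgei; };                      /* stands in for per-VCPU imsic_state */
struct vm { bool aia_initialized; };             /* per-VM flag, set by aia_init() */
struct vcpu { struct vm *vm; struct imsic *imsic_state; };

/* Models aia_init(): the flag is global to the VM. */
void aia_init(struct vm *vm) { vm->aia_initialized = true; }

/* Models kvm_riscv_vcpu_aia_imsic_init(): state is allocated per VCPU. */
int vcpu_imsic_init(struct vcpu *v) {
    v->imsic_state = calloc(1, sizeof *v->imsic_state);
    return v->imsic_state ? 0 : -1;
}

/* Before the fix: only the per-VM flag is consulted. Returns -1 where the
 * kernel would dereference NULL, so the hazard is observable in a test. */
int vcpu_imsic_put_unguarded(struct vcpu *v) {
    if (!v->vm->aia_initialized) return 0;
    if (!v->imsic_state) return -1;              /* NULL deref in the kernel */
    v->imsic_state->hgei = 0;
    return 1;
}

/* After the fix: the per-VCPU pointer is checked as well. */
int vcpu_imsic_put_guarded(struct vcpu *v) {
    if (!v->vm->aia_initialized || !v->imsic_state) return 0;
    v->imsic_state->hgei = 0;
    return 1;
}

/* Reproduces the reported ordering: VCPU created after aia_init(), then
 * preempted (put) before its own imsic state exists. Returns the result
 * of the chosen put() implementation. */
int scenario(int (*put)(struct vcpu *), bool init_vcpu_state) {
    struct vm vm = { .aia_initialized = false };
    struct vcpu v = { .vm = &vm, .imsic_state = NULL };
    aia_init(&vm);                               /* VM-level init runs first */
    if (init_vcpu_state && vcpu_imsic_init(&v) != 0) return -2;
    int rc = put(&v);                            /* sched-out path */
    free(v.imsic_state);
    return rc;
}
```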
Diffstat (limited to 'scripts/Makefile.thinlto')
0 files changed, 0 insertions, 0 deletions
