diff options
| author | Jiakai Xu <xujiakai2025@iscas.ac.cn> | 2026-03-04 08:08:04 +0000 |
|---|---|---|
| committer | Anup Patel <anup@brainfault.org> | 2026-03-06 11:20:30 +0530 |
| commit | 7120a9d9e0232ad3c661a100973c57328f462b80 (patch) | |
| tree | 3f41524c49425448eb23372eaa53ae08b464b0d2 | |
| parent | 721ead7757125d66ec9b4ad98939a13d25e0b473 (diff) | |
| download | lwn-7120a9d9e0232ad3c661a100973c57328f462b80.tar.gz lwn-7120a9d9e0232ad3c661a100973c57328f462b80.zip | |
RISC-V: KVM: Fix potential UAF in kvm_riscv_aia_imsic_has_attr()
The KVM_DEV_RISCV_AIA_GRP_APLIC branch of aia_has_attr() was identified
to have a race condition with concurrent KVM_SET_DEVICE_ATTR ioctls,
leading to a use-after-free bug.
Upon analyzing the code, it was discovered that the
KVM_DEV_RISCV_AIA_GRP_IMSIC branch of aia_has_attr() suffers from the same
lack of synchronization. It invokes kvm_riscv_aia_imsic_has_attr() without
holding dev->kvm->lock.
While aia_has_attr() is running, a concurrent aia_set_attr() could call
aia_init() under the dev->kvm->lock. If aia_init() fails, it may trigger
kvm_riscv_vcpu_aia_imsic_cleanup(), which frees imsic_state. Without proper
locking, kvm_riscv_aia_imsic_has_attr() could attempt to access imsic_state
while it is being deallocated.
Although this specific path has not yet been reported by a fuzzer, it
is logically identical to the APLIC issue. Fix this by acquiring the
dev->kvm->lock before calling kvm_riscv_aia_imsic_has_attr(), ensuring
consistency with the locking pattern used for other AIA attribute groups.
Fixes: 5463091a51cf ("RISC-V: KVM: Expose IMSIC registers as attributes of AIA irqchip")
Signed-off-by: Jiakai Xu <xujiakai2025@iscas.ac.cn>
Signed-off-by: Jiakai Xu <jiakaiPeanut@gmail.com>
Reviewed-by: Anup Patel <anup@brainfault.org>
Link: https://lore.kernel.org/r/20260304080804.2281721-1-xujiakai2025@iscas.ac.cn
Signed-off-by: Anup Patel <anup@brainfault.org>
| -rw-r--r-- | arch/riscv/kvm/aia_device.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/arch/riscv/kvm/aia_device.c b/arch/riscv/kvm/aia_device.c index fb901947aefe..9a45c85239fe 100644 --- a/arch/riscv/kvm/aia_device.c +++ b/arch/riscv/kvm/aia_device.c @@ -471,7 +471,10 @@ static int aia_has_attr(struct kvm_device *dev, struct kvm_device_attr *attr) mutex_unlock(&dev->kvm->lock); break; case KVM_DEV_RISCV_AIA_GRP_IMSIC: - return kvm_riscv_aia_imsic_has_attr(dev->kvm, attr->attr); + mutex_lock(&dev->kvm->lock); + r = kvm_riscv_aia_imsic_has_attr(dev->kvm, attr->attr); + mutex_unlock(&dev->kvm->lock); + break; } return r; |