[PATCH] riscv: cpufeature: Validate H extension via CSR_HGATP probe

Wed Jun 3 02:33:01 PDT 2026

The H extension is advertised to S-mode through three channels --
the DT "riscv,isa" string, the DT "riscv,isa-extensions" list, and
the ACPI RHCT ISA string -- all of which converge in
riscv_resolve_isa().  The H entry has no validate callback today,
so the kernel trusts the description unconditionally.

When firmware advertises H but the hardware does not actually
implement it (common during early bring-up, e.g. QEMU), kvm.ko
reaches kvm_riscv_gstage_mode_detect() and oopses on the first
CSR_HGATP access with an illegal instruction.

Add a validate callback for H that probes CSR_HGATP under an
exception-table fixup.  If the read traps, the H bit is cleared
during ISA resolution and the rest of the kernel sees H as
unavailable.  Because the probe runs in riscv_resolve_isa(), it
covers all three advertisement sources.

Signed-off-by: Chen Pei <cp0613 at linux.alibaba.com>
---
 arch/riscv/kernel/cpufeature.c | 30 +++++++++++++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)

diff --git a/arch/riscv/kernel/cpufeature.c b/arch/riscv/kernel/cpufeature.c
index f46aa5602d74..b34dd789e94e 100644
--- a/arch/riscv/kernel/cpufeature.c
+++ b/arch/riscv/kernel/cpufeature.c
@@ -17,9 +17,11 @@
 #include <linux/of.h>
 #include <asm/acpi.h>
 #include <asm/alternative.h>
+#include <asm/asm-extable.h>
 #include <asm/bugs.h>
 #include <asm/cacheflush.h>
 #include <asm/cpufeature.h>
+#include <asm/csr.h>
 #include <asm/hwcap.h>
 #include <asm/text-patching.h>
 #include <asm/hwprobe.h>
@@ -163,6 +165,32 @@ static int riscv_ext_d_validate(const struct riscv_isa_ext_data *data,
 	return 0;
 }
 
+static int riscv_ext_h_validate(const struct riscv_isa_ext_data *data,
+				const unsigned long *isa_bitmap)
+{
+	unsigned long val, ret = 1;
+
+	/*
+	 * The H extension may be advertised by firmware (DT/ACPI) even
+	 * when the underlying hardware does not implement it, or when
+	 * M-mode firmware has not delegated hypervisor CSR access to
+	 * S-mode.  Probe CSR_HGATP under an exception-table fixup: if
+	 * the read traps with an illegal instruction, ret stays 1.
+	 */
+	asm volatile(
+		"1:	csrr	%0, " __stringify(CSR_HGATP) "\n"
+		"	li	%1, 0\n"
+		"2:\n"
+		_ASM_EXTABLE(1b, 2b)
+		: "=r" (val), "+r" (ret));
+
+	if (ret) {
+		pr_err("H detected in ISA string, disabling as CSR_HGATP is not accessible\n");
+		return -EINVAL;
+	}
+	return 0;
+}
+
 static int riscv_ext_vector_x_validate(const struct riscv_isa_ext_data *data,
 				       const unsigned long *isa_bitmap)
 {
@@ -498,7 +526,7 @@ const struct riscv_isa_ext_data riscv_isa_ext[] = {
 	__RISCV_ISA_EXT_DATA(q, RISCV_ISA_EXT_q),
 	__RISCV_ISA_EXT_SUPERSET(c, RISCV_ISA_EXT_c, riscv_c_exts),
 	__RISCV_ISA_EXT_SUPERSET_VALIDATE(v, RISCV_ISA_EXT_v, riscv_v_exts, riscv_ext_vector_float_validate),
-	__RISCV_ISA_EXT_DATA(h, RISCV_ISA_EXT_h),
+	__RISCV_ISA_EXT_DATA_VALIDATE(h, RISCV_ISA_EXT_h, riscv_ext_h_validate),
 	__RISCV_ISA_EXT_SUPERSET_VALIDATE(zicbom, RISCV_ISA_EXT_ZICBOM, riscv_xlinuxenvcfg_exts, riscv_ext_zicbom_validate),
 	__RISCV_ISA_EXT_DATA_VALIDATE(zicbop, RISCV_ISA_EXT_ZICBOP, riscv_ext_zicbop_validate),
 	__RISCV_ISA_EXT_SUPERSET_VALIDATE(zicboz, RISCV_ISA_EXT_ZICBOZ, riscv_xlinuxenvcfg_exts, riscv_ext_zicboz_validate),
-- 
2.50.1


